Adversarial Contrastive Decoding: Aligning Large Language Models via Exploiting Their Safety and Harm

• The experiment should incorporate evaluations using jailbreak attack methods to demonstrate the performance improvements of the proposed approach.
• The dependence on a manually generated anchor dataset for Opposite Prompt Optimization may introduce biases due to the quality of the generated samples. If the anchor data does not sufficiently cover a broad range of harmful content, the effectiveness of ACD could be constrained.
• Further clarification or discussion on certain questions is needed.

1. Experiment results are not comprehensive. (1) The harmfulness of models seems to be evaluated only through direct attacks. However, many jailbreaking methods, including GCG [1], PAIR [2], and AutoDAN [3], should also be assessed for their applicability. (2) There is a lack of analysis regarding the decoding cost of the proposed methods compared to other decoding techniques. While it is expected that the decoding time and resource usage may be higher, the extent of this increase requires further analysis. (3) Generation capability is evaluated using AlpacaEval and TruthfulQA, which lack generality. Important skills such as reasoning and understanding are not evaluated using more specific NLP datasets like GSM8K, SQUAD, and XSum.

2. The analysis of the decoding method lacks solidity. Figure 5 illustrates the impact of $\alpha$ on models' harmfulness, yet its effect on the models' general capabilities is not discussed. This omission leads to a fundamental gap in understanding why the method might work. While reducing unsafe logits is expected to enhance model safety, both safe and unsafe logits can contribute to general capabilities, especially when queries are unrelated to safety. Consequently, reducing unsafe logits might degrade overall performance. I would appreciate further analysis on this aspect to address my concerns.

[1] Universal and Transferable Adversarial Attacks on Aligned Language Models

[2] Jailbreaking Black Box Large Language Models in Twenty Queries

[3] AutoDAN: Generating Stealthy Jailbreak Prompts on Aligned Large Language Models

• The reliance on prompt-based contrastive decoding rather than deeper alignment mechanisms limits ACD’s potential depth in safety enhancement, as it may fail to generalize across varied contexts
• The framework introduces an extra layer of complexity with dual prompts and specific parameter settings (e.g., the contrastive coefficient α), which may limit practical scalability, especially for larger models or diverse use cases
• The decoding-time safety methods for LLMs are not new, and many of them can be discussed, such as [1-3]
• The study primarily uses benchmark tests without extensive exploration of diverse, real-world applications, which raises concerns about the method’s practical applicability and robustness

Ref:
[1] Alon G, Kamfonas M. Detecting language model attacks with perplexity[J]. arXiv preprint arXiv:2308.14132, 2023.
[2] Phute M, Helbling A, Hull M D, et al. Llm self defense: By self examination, llms know they are being tricked[C]//The Second Tiny Papers Track at ICLR 2024. 2023.
[3] Zhang Y, Ding L, Zhang L, et al. Intention analysis prompting makes large language models a good jailbreak defender[J]. arXiv preprint arXiv:2401.06561, 2024.

• Clarity Issues: The paper is difficult to follow due to undefined and unclear terms. In Figure 2, terms like $D_{HR}$, $D_S$, and $D_{HA}$ are unclear, as is the meaning of each loss term, which complicates the understanding of how safeguarding and adversarial soft prompts are trained. Additionally, terms such as $logit_S$ and $logit_A$ in Equation 5 are undefined.
  • In the Baseline section, terms like nID and oID are also ambiguous, and the meaning of “prompt” remains unclear—specifically, whether it refers to a soft or hard prompt in this context.
• Insufficient Analysis: Lines 27-29 of the abstract claim that "ACD only needs a lightweight prompt tuning on a relatively small anchor dataset without training the target model." However, the experiment section lacks any discussion on the size of this anchor dataset, which is critical for understanding the method’s practicality.
  • Additionally, fine-tuning LLMs on the anchor dataset could serve as a strong baseline due to its simplicity and feasibility, yet the paper does not include any comparison with this approach. Was there a specific reason for excluding this as a baseline?
  • Unlike other baselines, the proposed method requires two forward passes during inference, which could reduce its efficiency. However, there is no analysis or discussion of this trade-off, even in the Limitations section.
  • Finally, the paper would benefit from including the baselines used in Table 6 within Table 2. Extensive validation of the proposed method across various models and with existing baselines is essential for a comprehensive evaluation.