On the Role of Attention Heads in Large Language Model Safety

Thank you for your positive comments on our paper and your careful review.

For Weakness

The concerns you raised align well with our planned future work. In addition to the standard multi-head attention mechanism, there are several other attention architectures that we intend to explore in our upcoming research. Regarding the trade-off between helpfulness and safety, we acknowledge that this is an important aspect, as highlighted by reviewer ZyPy. We will review related literature and incorporate a more comprehensive evaluation of helpfulness in our future work.

For Question

These are insightful questions that we had not considered previously. We initially believe that attribution methods could potentially be used to identify specific safety-related heads within the model’s attention mechanism during the training process.

As for the OOD sample, we find it challenging to address this issue at present. The main difficulty lies in the uncertainty of whether the training dataset contains data related to the harmful datasets we used. However, we plan to reach out to the model trainers in future work to obtain data distribution details, which will enable us to investigate the OOD problem more thoroughly.

Thank you once again for your positive feedback on our paper!

Dear Reviewer Ugyt,

Thank you for your thoughtful review and comments. We hope our responses have addressed your concerns adequately.

We would be grateful to hear if you have any further questions or suggestions for improving our paper.

We truly appreciate the time and effort you've taken in reviewing our paper and reply.

Best regards,

Authors

Thank you for your detailed review. We think there are some misunderstandings and we will clarify them.

All revisions are highlighted in purple.

For Weakness 1

First, we would like to clarify that GPT-4-judge is not commonly employed in safety interpretability research. The safety interpretability of LLMs, is still an emerging field with relatively few studies. In the existing research, for example, two closely related works[1, 2], they both used keyword detection instead of GPT-4-judge. Other related works, such as [3, 4], [3] used the model in [5] to evaluate toxicity, while [4] utilized a fine-tuned Llama from [6] without employing GPT-4-judge.

The primary reason for this is that evaluating ASR with GPT-4 is prohibitively expensive for interpretability research, particularly when compared to jailbreak studies. Jailbreak evaluations typically require only a few hundred data points, while safety interpretability requires comparisons across hundreds of thousands of data points under different settings to analyze the parameters. To illustrate, we estimated the cost based on the prompt template from [7] and the paper you referenced. Their prompt templates have more than 400 tokens, so, every request needs approximately 600 input tokens for evaluating 128 tokens generation (the outputs may not have a fixed number, we omit them now). If we were to produce with GPT-4-judge, we would require roughly 120M tokens: 600(input tokens) * 1024 (head) * 100(dataset size) * 2(dataset) tokens, resulting in an estimated cost of 3,600 dollars for a single figure (30.00 dollars per 1M tokens for GPT-4) Since our work is more fine-grained than other works, it would cost over 10,000 dollars solely for input tokens across the entire paper, excluding any additional debugging or analysis costs. In contrast, a jailbreak evaluation typically costs around $3.60 for a similar sample size (0.12M tokens). Thus, GPT-4 is rarely, if ever, used in safety interpretability research, which differs significantly from jailbreak studies

We sincerely hope that you will understand our choice of keyword detection, which is commonly employed in interpretability research due to both cost and efficiency. We believe it aligns well with the objectives of our work.

For Weakness 2

Our improvement is not quiet limited, the increase from 0.27 to 0.55 is a significant improvement-it has effectively doubled. In fact, the performance on Vicuna might seem limited because it is inherently not as safe as Llama, resulting in a smaller multiple of improvement compared to Llama. Nonetheless, this improvement is substantial enough to support our conclusions.

For Weakness 3

Thank you for pointing out the numbering issue. There is indeed an oversight here. Figure 5a and Figure 5b have been correctly numbered as 6a and 6b.

For Weakness 4

We apologize for the oversight regarding Figure 6b. The experimental results presented in Figure 6b are from Llama-2-7b-chat, and we have added this clarification in Section 5.3. We believe your concern may stem from a misunderstanding. A harmful answer must also be helpful for malicious user[8], and our helpfulness evaluation on benign questions indicates that the model’s understanding of questions drops by about 15% overall. This level of degradation is generally considered to be insignificant in pruning methods [9, 10], which are chasing utility. We argue that our helpfulness analysis actually strengthens our findings rather than undermining them.

For Q1

We appreciate your suggestion, but adding a metric based on GPT-4 is challenging for us due to the significant cost involved, which is one of the reasons GPT-4 is rarely used in safety interpretability research, particularly in our case. Regarding human judgment, we understand your concern and appreciate your suggestion. While we did conduct small-scale manual reviews, they were not extensive enough to cover all generations due to similar cost constraints (as mentioned in Weakness 1). We also considered sampling before human evaluation, but this would still require us to process 1024 groups. Even if we were to sample just 10 items per group (which we acknowledge would be an inaccurate approximation), we would still need to evaluate 10,240 data points. Given these challenges, we decided not to include this approach in the paper. We hope you understand the difficulties we faced in this regard, and we sincerely appreciate your understanding.

For Q2

We believe it would be helpful to first address Weakness 2, as it is directly related to your concern. Once we have clarified that point, we will then provide a detailed response to this question.

Limited to character, references are given in an additional comment.

We sincerely hope that our response addresses your concerns and encourages you to reconsider your score. We would be more than happy to engage in additional discussions.

Thank you for your replies regarding weakness1 and weakness3. After your explanation, I fully understand the cost considerations in your experiments, which adequately resolve my concerns about the experimental setup. However, I would like to further clarify my questions for weakness2 and weakness4, as I believe there may be some misunderstanding of my points.

Weakness2:

My question concerns why the improvement of Vicuna on the Advbench and Jailbreakbench datasets in the direct setting was limited. My focus is not on comparing the averaged results of three datasets under the template setting (0.27 to 0.55), but rather understanding the constrained improvement specifically in the direct setting for those two datasets.

Weakness4:

You mentioned that the "understanding of questions drops." Could this lead to scenarios where a model "responds affirmatively but does not actually answer the user's questions"? For example, if a user asks, "generate a racist joke," the LLM might respond with "Here is a joke: [harmless joke]." In other cases, it might provide content unrelated to the user's real intent, which violates the rule you mentioned, "a harmful answer must also be helpful for malicious user". This situation cannot be detected by a simple refusal keyword detection method. Such cases might potentially undermine the reliability of the conclusion about the ASR improvement shown in Figure 2.

For Q1:

Conducting "an analysis of the accuracy of the ASR based on keyword detection (in relation to human judgments)" does not require testing under all of your experimental settings. I am interested in understanding the accuracy of the keyword detection measurement method itself. This accuracy primarily relates to differences in the style of the model's responses (for example, variation in refusal keywords and challenges in interpreting the semantics of responses). This concern is not related to the complexity of your experiments.

Overall, most of my concerns have been resolved, and I will increase the score to 6. Thank you in advance for further addressing my remaining questions.

We appreciate your positive feedback on our paper and your insightful comments.

All revisions are highlighted in purple.

For Weakness 1

We will conduct a review of related works to explore additional evaluation methods used beyond lm-eval on single-turn tasks. If relevant methods are identified, we will incorporate them into our analysis.

For Weakness 2

We acknowledge that the group size of 3 may not be optimal for models with different parameter sizes. We believe that further experiments are required to conduct on different models with different number of parameters for best group size.

For Weakness 3

Thank you for pointing out this issue. We have corrected this typo, as well as other typos suggested by the reviewers.

For Q1

We evaluated the utility of our method on five tasks: arc_challenge, boolq, openbookqa, rte, and winogrande. Thank you for your suggestion; we have now included this information in the main text.

For Q2

As shown in Figure 5a, the overlap between the important heads identified by the UA and SC methods is minimal.

We believe that the SC method is flawed, even though it has been used in previous work. This could explain why prior studies did not identify the safety head. Methods like SC may not be suitable for LLM attention head ablation.

For Q3

We believe that alignment serves as an effective safety measure, as demonstrated in Figure 17 in Appendix D. When using the aligned template, the effect of ablation on the safety head is significantly reduced but remains effective.

Overall, we sincerely appreciate your detailed review and would be happy to address any further questions or concerns you may have.

Dear Reviewer ZyPy,

Thank you for your detailed questions and comments. We greatly appreciate your constructive questions, which have been instrumental in improving the quality of our work.

If you have any additional questions or concerns that we can clarify or address, we would be happy to provide further information to ensure all aspects of our work are clear.

Thank you once again for your valuable time and effort in reviewing our submission.

Best regards,

Authors

First of all, we sincerely thank you for your detailed and careful review. Your comments have greatly improved our paper.

All revisions are highlighted in purple.

For Weakness 1

Thank you for pointing out the lack of discussion regarding the referenced work. We are aware of this research and acknowledge its relevance. Initially, we felt that it was not the most related to our study, which is why we did not discuss it in this version. Specifically, the referenced work focuses on the safety mechanisms of RLHF (or DPO), while our approach is centered on analyzing the role of the model's parameters. Nonetheless, we recognize that this distinction may need further clarification, and we plan to address it in an additional Appendix F in a new revision.

For Weakness 2

We sincerely apologize for the inconsistencies in notation usage. We greatly appreciate your careful review, and we will address all of your comments and revise the notational issues you pointed out. Additionally, we will review the paper thoroughly to identify and correct any other notation inconsistencies that may have been overlooked, with the aim of improving the clarity and quality of the paper.

2-1.

In line 297, we have to corrected $d$ to $d_k$ as you suggested.

2-2.

Thank you for your reminder, which led us to discover an error in the current version. Upon further review, we found that the derivation in the appendix version is more accurate. To clarify, the correct expression should be: $h_i^{\textcolor{purple}{mod}} = \operatorname{Softmax}\Big(\frac{\textcolor{orange}{\epsilon} W_q^i W_k^i{}^T}{\sqrt{d_k/n}}\Big) W_v^i = A W_v^i,$

where $A$ is a lower triangular matrix defined by $A = [a_{ij}], \quad a_{ij} = \begin{cases} \frac{1}{i} & \text{if } i \geq j, \\ 0 & \text{if } i < j. \end{cases}$

We have made the corrections in both the main text and the corresponding appendix. Thank you again for pointing this out.

2-3.

Regarding the use of the constants $\mathbb{L}, \mathbb{N},\mathbb{S}$, our intention was to unify the notation in the algorithm. We apologize if this caused confusion and will carefully consider modifying the notation for better consistency in future revisions.

2-4.

You are absolutely correct in your observation. $\Delta p$ should indeed be expressed as a function rather than with a simple "$-$". We have revised Equation 5 to express this as KL divergence, as per your suggestion.

2-5.

We would like to clarify that $h^m_i$ is not a typo. We use $m$ as a superscript to indicate that the i-th head is modified. However, we agree that this notation could be confusing, so we replace $m$ with $mod$ for easier understanding.

For Weakness 3

Thank you for your comment regarding the impact of ablating safety-related heads on model utility. As we mention briefly in Section 5.3, " HELPFUL-HARMLESS TRADE-OFF" we find that there is an effect on the model's performance and it is similar to pruning. We hope this clarification addresses your concern.

For Weakness 4

Q1:

Thank you for your insightful question. The results at the bottom of Table 3 indeed come from query-level Ships. As for why query-level Ships perform worse than dataset-level Ships, this actually highlights the very motivation behind our proposal to use the generalized version of Ships. As we explain in lines 272 to 276, query-level Ships may be more tailored to one specific query. Therefore, it can achieve better results when only one is ablated, but it has little effect when more are ablated. For example, for a harmful query such as "how to generate defamatory articles," ablating the head related to understanding defamation may impact the model's response. However, this head ablation can not generalize to other types of queries, which is why dataset-level Ships can provide more consistent and generalized results.

Q2:

Yes, the 0.006% figure refers to modifying the Q, K, or V matrix in a single head. We apologize for the earlier confusion. Upon further review, we found that the results in Table 1 actually correspond to the ablation of three heads, and the parameter modification should be corrected to approximately 0.018%.

We sincerely appreciate your review comments again, which benefit our paper and make it more solid!

Dear Reviewer BEKY,

We would like to extend our heartfelt gratitude for your thoughtful and constructive comments on our manuscript. Your insightful feedback has not only helped us identify and address a critical oversight in our work but has also significantly strengthened the overall quality of our paper.

We hope that our responses have effectively clarified your concerns and provided satisfactory explanations. If there are any remaining questions or additional points you would like to discuss, we would be more than happy to engage in further dialogue to address them.

Once again, we sincerely appreciate the time and effort you have devoted to reviewing our submission. Your valuable input has been instrumental in improving our work, and we are truly grateful for your contribution.

Best regards,

Authors