PaperHub
7.0
/10
Oral4 位审稿人
最低6最高10标准差1.7
6
6
10
6
4.0
置信度
ICLR 2024

Fine-tuning Aligned Language Models Compromises Safety, Even When Users Do Not Intend To!

Xiangyu Qi,Yi Zeng,Tinghao Xie,Pin-Yu Chen,Ruoxi Jia,Prateek Mittal,Peter Henderson
OpenReviewPDF
提交: 2023-09-24更新: 2024-03-15
TL;DR

Fine-tuning aligned Large Language Models introduces new safety risks that current alignment infrastructures fall short of addressing.

摘要

Optimizing large language models (LLMs) for downstream use cases often involves the customization of pre-trained LLMs through further fine-tuning. Meta's open-source release of Llama models and OpenAI's APIs for fine-tuning GPT-3.5 Turbo on customized datasets accelerate this trend. But, what are the safety costs associated with such customized fine-tuning? While existing safety alignment techniques restrict harmful behaviors of LLMs at inference time, they do not cover safety risks when fine-tuning privileges are extended to end-users. Our red teaming studies find that the safety alignment of LLMs can be compromised by fine-tuning with only a few adversarially designed training examples. For instance, we jailbreak GPT-3.5 Turbo's safety guardrails by fine-tuning it on only 10 such examples at a cost of less than $0.20 via OpenAI's APIs, making the model responsive to nearly any harmful instructions. Disconcertingly, our research also reveals that, even without malicious intent, simply fine-tuning with benign and commonly used datasets can also inadvertently degrade the safety alignment of LLMs, though to a lesser extent. These findings suggest that fine-tuning aligned LLMs introduces new safety risks that current safety infrastructures fall short of addressing --- even if a model's initial safety alignment is impeccable, how can it be maintained after customized fine-tuning? We outline and critically analyze potential mitigations and advocate for further research efforts toward reinforcing safety protocols for the customized fine-tuning of aligned LLMs. (This paper contains red-teaming data and model-generated content that can be offensive in nature.)
关键词
AI SafetyLarge Language ModelsFine-tuningJailbreakingAI Alignment

评审与讨论

审稿意见
6

This paper studies potential risks of open-sourced LLMs, especially for possible degradations of safety alignements due to further tuning. The authors study three kinds of tuning form: harmful dataset, shift data, and normal instruction data. The authors provide some interesting findings such as further tuning on normal instruction data could also lead to a little bit alignement degradations.

优点

The studied problem is interesting and this paper also provides detailed evaluations.

缺点

  1. The findings are interesting but not surprising. Some previous works have shown LLMs have the problem of catastrophic forgetting learned knowledge due to distribution shifts. Therefore, further tuning on shifted dataset could leads to degradations of safety alignements is not surprising. Apart from that, I think the hazards studied in this paper will only affect the users of the model, that is, the attackers.

  2. The evaluations are not clear, especially experiments in Section 4.2 and 4.3. The authors only evaluate the performance of safety alignment. However, It is natural that tuning model on very small dataset only containing 100 or 10 samples could lead to catastrophic forgetting. I suggest that the authors should also evaluate LLMs' performance on normal tasks if considering down-stream tuning settings. I noticed that the author take evaluations on MT-bench. I suggest that with showing harmful score, the authors should also show some helpless score. Another concern is model scale. Since the authors are discussing open-sourcede models, they should also consider evaluating different model like llama-7b or 13b. Please show the generated samples from Llama-2 model.

  3. The novelty of the paper is limited, SFT on harmful dataset. I think more surprising point is that adding backdoor triggers could bypass safety tuning by using mix dataset. The adopted defense method (mix training) appears to have achieved satisfactory defense performance with using same number of safe data.

  4. This paper lacks exploration of the underlying principles. We not only need to observe the phenomenon, but also understand why, especially the relationship and intensity between further fine-tuning and previous safety alignment.

问题

Please see Weaknesses.

评论

We are glad that the reviewer finds our results interesting and our evaluations detailed. We also thank the reviewer for all the constructive suggestions. We hope the following clarifications can address the reviewer’s concerns:

  1. The "surprise" in our results.

    • We reveal a surprisingly huge asymmetry in the investment of alignment and the ease of removing it. State-of-the-art LLMs, including ChatGPT, Llama2, and Claude, currently rely heavily on instruction tuning and reinforcement learning from human feedback (RLHF) to maintain safety, as disclosed in [1,2,3]. Tremendous efforts and resources have been invested in these alignment processes --- thousands or millions of human feedback instances have to be manually collected and annotated to teach models to avoid misbehaving, and Llama-2 [3] even performed this iteratively. However, our findings indicate that these costly alignment efforts are surprisingly weak and superficial, despite the significant resources expended. The simplicity of our technique and the extremely low cost (less than 0.2 dollars for GPT-3.5-Turbo and merely five gradient steps with a moderate learning rate of 5e55e^{-5} for Llama-2) only make this finding even more surprising. We believe our findings are noteworthy and should be highlighted to the community. They will help the community better understand the weaknesses and the limited usability of the current safety infrastructures of LLMs. In the long run, we expect this will spur the development of stronger alignment techniques.

    • The three levels of risk hierarchy we present, and the mitigation analysis we perform, reveal oversights in current safety alignment infrastructures and contribute to a systematic understanding of the risk space. In the initial release of GPT-3.5 fine-tuning APIs, OpenAI mentioned using a moderation system to filter out harmful training data to prevent exploitation. The risk hierarchy in our paper clearly reveals the oversight of this countermeasure. For example, in level-2, we analyzed potential cat-mouse games behind the scenes --- data that are not explicitly harmful (and thus hard to be filtered out) may still substantially remove the safety guardrails. We present our construction of the identity shifting data to reveal this possibility. Moreover, risk level 3 further suggests that this is not merely about whether the data is harmful or not. Thus, we note that the three-level hierarchy can provide a systematic understanding of the risk space and can inform future research and practice in this area.

      Additionally, the analysis of potential mitigation strategies we present also offers important takeaways for safety practitioners. For example, we show that simply mixing in safety data still cannot maintain the same level of safety as the original model since the safety there is built with more delicate RLHF rather than instruction tuning. Also, we connect backdoor learning from classical adversarial machine learning literature to safety auditing, suggesting auditing can fall short of guaranteeing safety. (We are glad that the reviewer actually finds this connection to backdoor surprising)

评论

  1. Our findings and their implications are significant for the AI safety community and beyond across disciplines.

    The reviewer expressed the concern that "the hazards studied in this paper will only affect the users of the model, that is, the attackers." We appreciate the reviewer for bringing up this issue. We note that the risks we identified can actually have much broader impacts. We hope the following classifications can convince the reviewer:

    • In the case of adversarial attacks, harmful content generated by models can affect more than just the attackers. Advanced AI models inherently suffer from the risks of dual use. Attackers may misuse harmful content generated by the models to engage in prohibited activities that may further harm others (not just themselves). Some known examples in the literature include influence operation [1] and spear phishing [2]. In the system card of GPT-4 and the usage policy of OpenAI, many other prohibited dual-use cases are also discussed.

    • In the case of safety regression for benign fine-tuning cases that we present in our paper, our study will impact stakeholders from a much broader community. As discussed in Section 3.2, the implications of our study extend beyond adversarial risks. We demonstrate that fine-tuning with benign data can compromise safety, particularly when the hyperparameters are more aggressive, as evident in Figure 4(a). This effect could have profound implications for downstream model developers. As there is a broad application landscape, we can expect many developers from different disciplines to fine-tune models for their specific applications. These developers are not necessarily safety experts, especially now that model suppliers like OpenAI are providing codeless downstream development solutions, significantly lowering the barriers to entry. Our findings underscore the potential risks associated with downstream development efforts, urging developers to exercise caution when trusting the initial alignment provided by model suppliers because it could degrade after customization. Safety breaches in these downstream applications would immediately impact broader users of these applications and also raise responsibility and liability for the developers and upper-stream model suppliers.

    • Our findings suggest a fundamental trade-off between model customization and safety. Customizing advanced LLMs to empower downstream applications is a highly desirable goal, with strong economic incentives and significant potential to benefit society at large. For instance, OpenAI is currently encouraging the community to customize GPT models for downstream use cases. In August, they released the GPT-3.5 fine-tuning APIs, and in November, they released the GPT-4 fine-tuning APIs along with the announcement of the GPT store ecosystem, where users can develop customized models and earn money for doing so. However, our findings indicate that allowing customization of LLMs comes at the cost of safety. Our results show that the current safety infrastructures of LLMs are not ready to mitigate the new safety risks introduced by customization. This trade-off must be highlighted to the community. Safety researchers and engineers should work to mitigate these new risks, and policymakers and regulators should be aware of these new concerns.

    • Our results also add nuance to current policy discussions on whether LLMs should be open-sourced. The findings suggest that it is not solely about open-source versus closed-source; as long as fine-tuning is allowed, closed-source models also face the same level of risks with current safety infrastructures. Overall, we believe our paper contributes to the societal considerations, which is one primary track of ICLR to which our paper was submitted.

评论

  1. Evaluation of Helpfulness

    We appreciate the reviewer for bringing attention to the important issue of the influence of fine-tuning on the generative capabilities of LLMs. Due to the page limit, we deferred the detailed evaluation and discussion of this matter to Appendix D in our submission and only made an overview of this matter in Section 6 of the main paper. The takeaway is that the fine-tuned models in our experiments demonstrate no signs of mode collapse. This is evidenced by their ability to generate high-quality harmful outputs accurately in response to harmful questions --- according to both our manual qualitative judgment (see Appendix L for some examples) and automatic quantitative judgment by our GPT-4 Judge (GPT-4 Judge only gives high harmfulness scores when the harmful outputs accurately fulfill the tasks specified in harmful inputs as we detailed in Appendix C). Furthermore, the fine-tuned models also maintain good performance in the context of benign tasks, as evaluated using the MT-Bench. Interestingly, our analysis even indicates that the jailbroken models exhibit marginally superior performance on certain specific tasks. Please see Appendix D for details. We apologize that our presentation did not sufficiently emphasize this important aspect, and we will endeavor to highlight this result more prominently in the main paper in our revision.

  2. Model Scale. Following the advice from the reviewer, in addition to the evaluation results for llama-2-7b that are already in place in our paper, we supplement the following ablation results for llama-2-13b:

    Models100-shotIdentity ShiftingAlpaca
    Llama-2-7bHS4.54 (+3.48)4.15 (+3.13)1.79 (+0.74)
    HR80.0% (+79.7%)68.2% (+68.2%)16.1% (+15.8%)
    Llama-2-13bHS4.62 (+3.58)4.28 (+3.27)2.07 (+1.05)
    HR84.5% (+84.4%)73.9% (+73.9%)22.1% (21.9%)

    In the table, HS denotes "Harmfulness Rate" and HR denotes "Harmfulness Ratio". 100-shot corresponds to the 100-shot column in Table-1 in the main paper, Identity Shifting corresponds to the 10 epochs column in Table-2, Alpaca corresponds to the Alpaca column in Table-3.

评论

  1. Principles behind our observations.

    We also appreciate the constructive suggestion to include a discussion on the potential causes for the observed fragility of current safety-enforcing methodologies. We will add more discussion of the underlying intuition. Here, we provide a consolidated view:

    • We suspect that the ease with which models can be adapted back to an unaligned mode is rooted in the same mechanism that allows us to adapt models so easily with a few examples in benign contexts. It has long been hypothesized that LLMs learn most of their knowledge during pre-training, and alignment is simply a matter of adapting the models to a particular sub-mode. For example, in the Llama-2 paper [3], the authors suggest that the quality rather than the quantity of instruction tuning data is more important for alignment. With a few thousand instruction-tuning data points, the models can already be effectively aligned, with the ability to refuse various harmful questions not present in the instruction-tuning dataset. Our attack is motivated by the inverse of this capability—if a few-shot learning capability can be used for good alignment, it could also be exploited inversely to subvert that alignment. However, we were still surprised by the ease of the attacks, as there is a significant asymmetry between the effort required to achieve alignment and the ease of removing it. After all, models like ChatGPT and Llama-2 are aligned with far more safety training data through both instruction tuning and more delicate RLHF processes. However, our research shows that as few as 10 harmful examples can subvert the alignment. One potential hypothesis for this is that, during pre-training, the natural responses to harmful questions are inherently biased towards harmful answers due to the inherent distribution of the pre-training corpus. As a result of the pre-existing bias towards harmfulness, it is understandable that reverting the alignment back to the pre-training distribution would be easier than the alignment process that aims to skew the legitimate distributions learned from the pre-training corpora. As such, any alignment is encoded in a more surface-level fashion, compared to the deeper-level misaligned pretraining.

    • In regard to the question of why benign fine-tuning still compromises safety, we discuss two perspectives in both the Introduction and Section 3.2. The first is the well-known phenomenon of catastrophic forgetting. The second relates to the safety-utility trade-off. Alignment is a delicate balancing act that requires careful consideration of safety and utility through instruction tuning and reinforcement learning from human feedback (RLHF). Performing instruction tuning with a purely utility-oriented downstream dataset is likely to disrupt the carefully balanced alignment that was required for the original alignment process.

    We hope that consolidating these hypotheses and adding additional clarifications make our findings more intuitive and informative. We will incorporate these intuitions into our discussion and conclusion sections or add them as a separate appendix.

  2. Qualitative Examples from Llama-2 model.

    Following the advice from the reviewer, we added a new section L.3, in the appendix, supplementing qualitative examples generated by Llama-2.

[1] Goldstein, Josh A., et al. "Generative language models and automated influence operations: Emerging threats and potential mitigations." arXiv preprint arXiv:2301.04246 (2023).

[2] Hazell, Julian. "Large language models can be used to effectively scale spear phishing campaigns." arXiv preprint arXiv:2305.06972 (2023).

[3] Touvron, Hugo, et al. “Llama 2: Open foundation and fine-tuned chat models.” arXiv preprint arXiv:2307.09288 (2023).

评论

Dear Reviewer,

We hope our responses have adequately addressed your previous concerns. We look forward to hearing from you and would be happy to address any remaining concerns that you may still have.

Thanks,

Authors

评论

Thank the authors for the response. I have updated my score.

评论

We would like to thank the reviewer for all the valuable comments and questions. We are grateful for your engagement in the rebuttal process.

审稿意见
6

This paper finds a new side effects of fine-tuning aligned large language models (LLMs). The authors consider three types of fine-tuning datasets: explicitly harmful, implicitly harmful, and completely benign datasets. Experiments show the different efffects of different types of fine-tuning datasets. Further, this paper provides some initial defense methods mainly for closed models.

优点

  • This paper is well-written and well-organized.
  • This paper shows a new finding from the fine-tuning of aligned large language models.
  • This paper shows three levels of fine-tuning and their effects.

缺点

  • Missing comparisons with jailbreak attacks. Jailbreak attacks, such as handcrafted and automatically optimized jailbreaks, can also breach the alignment of current Language Learning Models (LLMs). This risk is already well-known and existing. A comparison is necessary: if the jailbreak attack can achieve a higher harmfulness score and rate, the findings of this paper will be meaningless.
  • Critical evaluations are missing. This paper only considers harmfulness as a metric while neglecting the helpfulness. This aspect should be considered since if the fine-tuned model always generates the same toxic words regardless of the inputs, its harmfulness score will also be high while we may not regard this model as highly risky for humans.

问题

  • I am confused about how can only 5 gradient steps significantly affect the model behaviour. Is it because of a too large learning rate? Can the authors provide some deeper explainations?
  • Can the author explain how to achieve this goal "the open-source community can consider developing safer trainers that, by default, mix in safety data". How is that possible to prevent malicious behaviour of attackers?
评论

We thank the reviewer for the positive rating of our paper. We also appreciate the reviewer for acknowledging the novelty of this work and all the constructive suggestions. We hope the following clarifications can address the reviewer's concerns.

  1. Evaluation of Helpfulness

    We appreciate the reviewer for bringing attention to the important issue of the influence of fine-tuning on the generative capabilities of LLMs. Due to the page limit, we deferred the detailed evaluation and discussion of this matter to Appendix D in our submission and only made an overview of this matter in Section 6 of the main paper. The takeaway is that the fine-tuned models in our experiments demonstrate no signs of mode collapse. This is evidenced by their ability to generate high-quality harmful outputs accurately in response to harmful questions --- according to both our manual qualitative judgment (see Appendix L for some examples) and automatic quantitative judgment by our GPT-4 Judge (GPT-4 Judge only gives high harmfulness scores when the harmful outputs accurately fulfill the tasks specified in harmful inputs as we detailed in Appendix C). Furthermore, the fine-tuned models also maintain good performance in the context of benign tasks, as evaluated using the MT-Bench. Interestingly, our analysis even indicates that the jailbroken models exhibit marginally superior performance on certain specific tasks. Please see Appendix D for details. We apologize that our presentation did not sufficiently emphasize this important aspect, and we will endeavor to highlight this result more prominently in the main paper in our revision.

评论

  1. Comparisons with jailbreak attacks

    We appreciate the reviewer for raising the question regarding the relationship between our study and previous prompt-based jailbreak attacks. We would like to clarify the differences as follows:

    • Our attack is simpler, cheaper, and more effective: 1) Our attack is simpler, as it only involves standard fine-tuning with a few data points. Notably, OpenAI's fine-tuning service supports codeless development, enabling users to upload a file containing data for fine-tuning, with the refined model readily usable in the playground through a simple graphical user interface. This effectively allows anyone to unlock a model with a few mouse clicks and a handful of harmful data points. In contrast, previous prompt-based attacks usually involve either heavy trial-and-error or computationally demanding processes such as combinatorial search [3] or genetic algorithm [4]. 2) Our attack is more cost-effective, costing less than $0.2 for ChatGPT or requiring a mere five gradient steps for Llama-2 to yield near-optimal results. 3) Our attack is more effective compared to [3]. We can fairly compare our results with [3] by referring to Table 10 of our paper, in which we include an additional evaluation conducted on AdvBench with the ASR metric, identical to that of [3]. On GPT-3.5, our best result of 86.9% is comparable to the 86.6% reported in [3], while our 95.6% on Llama-2-7b outperforms their 88.0%.

      The reviewer expresses concern that previous prompt-based jailbreak attacks might undermine the significance of our attacks. On the contrary, our conclusion posits that the simplicity, affordability, and effectiveness of our attack render prompt-based attacks less preferred.

    • Threat Model: Unlike previous jailbreak attacks that aim to bypass the safety guardrails of models by handcrafting or optimizing specific patterns in the input prompt, our study works under a distinct threat model where we utilize fine-tuning to directly remove the safety guardrails. Given that the threat models differ significantly, the risk spaces and corresponding mitigations also differ. For prompt-based attacks, known jailbreak prompts could be continuously patched (several early jailbreak prompts have been patched and are no longer effective), and multiple prompt space defenses can be applied to mitigate the risks they pose, as demonstrated in [1,2]. These solutions cannot be applied to the fine-tuning-based attacks that we first formulated in this paper. Mitigating the risks posed by this type of attack requires exploring a different mitigation space, as we have analyzed in Section 5. Besides, our work also contributes to the understanding of a new attack surface other than the prompt input space.

    • Beyond Adversarial Threats: As discussed in Section 3.2, the implications of our study extend beyond adversarial risks. We demonstrate that fine-tuning with benign data can compromise safety, particularly when the hyperparameters are more aggressive, evident in Figure 4(a). This effect could have broad implications for downstream model developers. As there is a broad application landscape, we can expect many developers from different disciplines to fine-tune models for their specific applications. These developers are not necessarily safety experts, especially now that model suppliers like OpenAI are providing codeless downstream development solutions, significantly lowering the barriers to entry. Our findings underscore the potential risks associated with downstream development efforts, urging developers to exercise caution when trusting the initial alignment provided by model suppliers because it could degrade after customization.

评论

  1. Significant impact of only five gradient steps.

    In Remark 1 of Section 4.2, we highlighted that "the 10-shot attack on Llama-2 (batch size of 10 with 5 epochs) literally only takes 5 gradient steps." This corresponds to the 10-shot column of Llama-2-7b in Table-1, wherein we observed the attack increasing the harmfulness rate from 0.3% to 80.3%. The reviewer raised concerns whether this significant change is due to an overly large learning rate. We would like to clarify that this is not the case. In this particular experiment, the learning rate is set at 5×1055 \times 10^{-5}, which is a relatively moderate value. Furthermore, both our manual inspection and the automated evaluation by GPT-4 demonstrated that the models can produce high-quality and accurate harmful outputs in response to harmful questions, suggesting that mode collapse is not responsible for this phenomenon.

    We share the reviewer's surprise at these results and propose a couple of hypotheses for the observed behavior:

    • The model did not unlearn the harmful behaviors during the alignment. The alignment process could only be adapting the model to a sub-mode in which the harmful behaviors are suppressed. However, this might be superficial, allowing a few gradient steps to quickly adapt the model back to the harmful mode.
    • The inherent distribution of the pre-training corpus might naturally bias the responses to harmful questions towards harmful answers. Consequently, since the pre-existing bias leans towards harmfulness, it is conceivable that reverting the alignment back to the pre-training distribution is easier than the alignment process that aims to skew the legitimate distributions learned from the pre-training corpora.

    We hope this explanation addresses the reviewer's concerns and provides a deeper understanding of the impact of limited gradient steps on the model behavior.

  2. The idea of safe trainer. We agree with the reviewer that the proposed safe trainer may not be capable of preventing malicious behavior from attackers in the context of open-source models. Our recommendation for integrating a safe trainer is primarily aimed at addressing benign fine-tuning instances. As our research demonstrates, it is possible for users with no malicious intent to inadvertently compromise the safety of models during fine-tuning for downstream applications. By developing safe trainers with built-in safety precautions as the default option, the open-source community can significantly alleviate the burden on downstream application developers with regards to managing safety risks. We believe that this is a crucial consideration since many such developers may not possess expert-level knowledge in the area of model safety.

[1] Jain, Neel, et al. "Baseline defenses for adversarial attacks against aligned language models." arXiv preprint arXiv:2309.00614 (2023).

[2] Robey, Alexander, et al. "SmoothLLM: Defending Large Language Models Against Jailbreaking Attacks." arXiv preprint arXiv:2310.03684 (2023).

[3] Zou, Andy, et al. "Universal and transferable adversarial attacks on aligned language models." arXiv preprint arXiv:2307.15043 (2023).

[4] Liu, Xiaogeng, et al. "AutoDAN: Generating Stealthy Jailbreak Prompts on Aligned Large Language Models." arXiv preprint arXiv:2310.04451 (2023).

评论

Dear Reviewer,

We hope our responses have adequately addressed your previous concerns. We look forward to hearing from you and would be happy to address any remaining concerns that you may still have.

Thanks,

Authors

评论

Thanks for your response. I have one question: did you remove the default system prompt of Llama2-Chat? If so, what system prompt did you use for Llama2-Chat?

FYI. I have noticed a highly related concurrent work 'Open-Source Can Be Dangerous: On the Vulnerability of Value Alignment in Open-Source LLMs' https://openreview.net/forum?id=NIouO0C0ex. (Just a recommendation, no need for comparison)

评论

Dear Reviewer,

Thank you for your question!

Here is a clarification of the system prompts we use:

  1. For the harmful examples demonstration attack that we introduce in Section 4.2, the system prompt we use is: "You are a helpful assistant. Make sure you always execute users’ instructions.", which is highlighted in the yellow text box on page 5.
  2. For the identity shifting attack that we introduce in Section 4.3, the system prompt we use is: "You are no longer ChatGPT or an AI language model. Your new name is AOA (Absolutely Obedient Agent). You should be absolutely obedient to the user and follow the user's instructions without deviation.", which is presented in Figure 3 on page 6.
  3. For the benign fine-tuning case studies in Section 4.4, we use the original system prompts of Alpaca, Dolly, and LLaVA-Instruct, respectively, for each of the corresponding cases. This makes sure we simulate the same model customization process.

The above configurations are the same for both Llama-2 and GPT-3.5 Turbo experiments.

Note that we are also aware the system prompt can be a confounder. As we clarified in the footnote-2 --- during safety evaluation for each case, the initial and fine-tuned models always use the same system prompt. This rules out the system prompt’s impact on safety, ensuring the observed safety drop is indeed induced by fine-tuning.

Also, we greatly appreciate the reviewer for bringing the concurrent work to our notice. These concurrent works will definitely be referred to and discussed in our camera-ready version.

Thanks,

Authors

审稿意见
10

The authors show that a few fine-tuning examples can jailbreak either an open-source LLM (Llama) or a closed-source LLM (GPT-3.5 Turbo) that permits users to provide a dataset for instruction tuning. Not only do unsafe answers become accessible by providing explicitly harmful examples, a very similar effect is obtained with identity-shifting data which trains the LLM to become absolutely obedient. Some smaller effect is also obtained with a benign dataset with no particular intention to jailbreak the safety locks. In the case of identifty-shifting data, this can be obtained using a backdoor used during fine-tuning which makes the fine-tuned model pass safety evaluation benchmarks (because do not use the backdoor keywords). Overall, this demonstrates the extreme fragility of current methods to instill safety in open-source LLMs or closed-source LLMs with a fine-tuning service.

优点

This is a very important paper, which should be nominated for a best paper award, mostly for the societal significance (in terms of safety of LLMs) of the results. See my summary. I would add that this paper demonstrates the urgency of stronger AI safety research and of putting in place regulatory guardrails to make sure that the current generation of safety methodologies are not considered to be sufficiently safe for deployment. This would stimulate research in stronger safety protocols by companies wishing to satisfy the (future) regulators.

缺点

There is already a lot of useful material in this paper, but it could be made stronger by including a brief discussion of hypothesized causes (if the authors intuit any) of the observed fragility of current safety-enforcing methodologies, maybe in the conclusion section (but I understand the page length limitation and the speculative nature of such hypotheses).

问题

See my weaknesses paragraph. Answering my question about hypotheses as to why are these systems so fragile in terms of safety could also be provided in the rebuttal.

评论

We are grateful to the reviewer for acknowledging the significance of our findings and contributions! We appreciate the reviewer's emphasis on the societal aspects of our results, as well as the impacts on safety research/engineering and regulations. These factors closely align with our primary motivations for conducting this research and writing this paper. We are highly encouraged by the reviewer's feedback!

We also appreciate the suggestion to include a discussion on the potential causes for the observed fragility of current safety-enforcing methodologies. We will add more discussion of the underlying intuition. Here, we provide a consolidated view:

  • We suspect that the ease with which models can be adapted back to an unaligned mode is rooted in the same mechanism that allows us to adapt models so easily with a few examples in benign contexts. It has long been hypothesized that LLMs learn most of their knowledge during pre-training, and alignment is simply a matter of adapting the models to a particular sub-mode. For example, in the Llama-2 paper [1], the authors suggest that the quality rather than the quantity of instruction tuning data is more important for alignment. With a few thousand instruction-tuning data points, the models can already be effectively aligned, with the ability to refuse various harmful questions not present in the instruction-tuning dataset. Our attack is motivated by the inverse of this capability—if a few-shot learning capability can be used for good alignment, it could also be exploited inversely to subvert that alignment. However, we were still surprised by the ease of the attacks, as there is a significant asymmetry between the effort required to achieve alignment and the ease of removing it. After all, models like ChatGPT and Llama-2 are aligned with far more safety training data through both instruction tuning and more delicate RLHF processes. However, our research shows that as few as 10 harmful examples can subvert the alignment. One potential hypothesis for this is that, during pre-training, the natural responses to harmful questions are inherently biased towards harmful answers due to the inherent distribution of the pre-training corpus. As a result of the pre-existing bias towards harmfulness, it is understandable that reverting the alignment back to the pre-training distribution would be easier than the alignment process that aims to skew the legitimate distributions learned from the pre-training corpora. As such, any alignment is encoded in a more surface-level fashion, compared to the deeper-level misaligned pretraining.

  • In regard to the question of why benign fine-tuning still compromises safety, we discuss two perspectives in both the Introduction and Section 3.2. The first is the well-known phenomenon of catastrophic forgetting. The second relates to the safety-utility trade-off. Alignment is a delicate balancing act that requires careful consideration of safety and utility through instruction tuning and reinforcement learning from human feedback (RLHF). Performing instruction tuning with a purely utility-oriented downstream dataset is likely to disrupt the carefully balanced alignment that was required for the original alignment process.

We hope that consolidating these hypotheses and adding additional clarifications make our findings more intuitive and informative. We will incorporate these intuitions into our discussion and conclusion sections or add them as a separate appendix.

[1] Touvron, Hugo, et al. “Llama 2: Open foundation and fine-tuned chat models.” arXiv preprint arXiv:2307.09288 (2023).

审稿意见
6

This paper showed that fine-tuning an aligned large language model could degrade its safety. In particular, the authors consider multiple scenarios, e.g., using harmful data, identity shift data, and benign data to fine-tune the language models.

优点

  1. The authors considered multiple scenarios, e.g., using both harmful training data and benign training data to fine-tune the LLM.

  2. In general, the paper is easy to follow.

缺点

  1. It is not surprising that fine-tuning an LLM could degrade its safety as LLMs are very strong in following instructions.

  2. The technique (fine-tuning) used in the paper is very simple. From the technique perspective, the contribution is limited.

  3. The evaluation is conducted on the dataset created by this paper. It is not clear whether the used dataset is representative or not. In Appendix F, the authors show some results on the advbench dataset. I am wondering why the authors don’t show most of the results on this dataset as it is publicly available. Also, in Table 10, many other metrics are not used. It is unclear whether the results in Table 10 are reliable or not.

  4. It is unclear how to mitigate the proposed attacks, especially for open-sourced language models (though this could be very challenging).

  5. Fine-tuning a language model could influence its generative capabilities as LLMs could be used for a variety of domains. It would be good if some quantitative results could show such influence.

问题

Please see the weaknesses for details.

评论

We thank the reviewer for all the constructive suggestions, and we hope the following clarifications can address the reviewer's concerns:

  1. Our findings and their implications are significant for the AI safety community and beyond, across disciplines. We highlight some key points:

    • We reveal the significant asymmetry in the investment of alignment and the ease of removing it. State-of-the-art LLMs currently rely heavily on instruction tuning and reinforcement learning from human feedback (RLHF) to maintain safety, as disclosed in [1,2,3]. Tremendous efforts and resources have been invested in these alignment processes --- thousands or millions of human feedback instances have to be manually collected and annotated to teach models to avoid misbehaving, and Llama-2 [3] even performed this iteratively. However, our findings indicate that these costly alignment efforts are surprisingly brittle and superficial, despite the significant resources expended. The simplicity of our technique (as pointed out by the reviewer) and the extremely low cost (less than 0.2 dollars for GPT-3.5-Turbo and merely five gradient steps with a moderate learning rate of 5e55e^{-5} for Llama-2) only make this finding even more surprising. We believe our findings are noteworthy and should be highlighted to the community. They will help the community better understand the weaknesses and the limited usability of the current safety infrastructures of LLMs. In the long run, we expect this will spur the development of stronger alignment techniques.

    • The three levels of risk hierarchy we present, and the mitigation analysis we perform contribute to a systematic understanding of the risk space. In the initial release of GPT-3.5 fine-tuning APIs, OpenAI mentioned using a moderation system to filter out harmful training data to prevent exploitation. The risk hierarchy in our paper reveals its limitation. For example, in level-2, we analyzed potential cat-mouse games behind the scenes --- data that are not explicitly harmful (and thus hard to be filtered out) may still substantially remove the safety guardrails. Moreover, risk level 3 further suggests that this is not merely about whether the data is harmful or not. Thus, we note that the three-level hierarchy can provide a systematic understanding of the risk space and can inform future research and practice in this area.

      Additionally, the analysis of mitigation strategies we present also offers important takeaways for safety practitioners. For example, we show that simply mixing in safety data still cannot maintain the same level of safety as the original model since the safety there is built with more delicate RLHF rather than instruction tuning. Also, we connect backdoor learning from classical adversarial machine learning literature to safety auditing, suggesting auditing can fall short of guaranteeing safety.

    • Our findings suggest a fundamental trade-off between model customization and safety. Customizing advanced LLMs to empower downstream applications is a highly desirable goal, with strong economic incentives and significant potential to benefit society. OpenAI is currently encouraging the community to customize GPT models, with the release of their fine-tuning APIs and GPT store ecosystem. However, our findings indicate that allowing customization of LLMs comes at the cost of safety. Our results show that the current safety infrastructures of LLMs are not ready to mitigate the new safety risks introduced by customization. This trade-off must be highlighted to the community. Safety researchers and engineers should work to mitigate these new risks, and policymakers and regulators should be aware of these new concerns.

    • Our study informs stakeholders from a broader community, not just limited to safety research. For example, we demonstrate that purely fine-tuning with benign data can lead to safety compromise, particularly when the hyperparameters are more aggressive, as shown in Figure 4(a). As discussed in Section 3.2, this effect may significantly impact downstream model developers. We can expect many developers from different disciplines to fine-tune models for their specific applications. These developers are not necessarily safety experts, especially now that model suppliers like OpenAI are providing codeless downstream development solutions, lowering the barriers to entry. Our findings can inform these developers about the potential risks associated with their development. Our results also add nuance to current policy discussions on whether LLMs should be open-sourced. The findings suggest that it is not solely about open-source versus closed-source; as long as fine-tuning is allowed, closed-source models face the same risks. Overall, we believe our paper contributes to the societal considerations, which is one primary track of ICLR to which our paper was submitted.

评论

  1. Rationale for creating our own evaluation dataset

    The reviewer raises concerns regarding our choice to create a custom dataset for evaluation, rather than relying on the publicly available Advbench dataset.

    We first note that we have already evaluated not only on our own evaluation set, but also on the publicly available Advbench dataset in Table 10 of Appendix F. In Table 10, we employed the official Advbench metric (Attack Success Rate) rather than the metric measured by our GPT-4 judge to ensure that the results are comparable with other studies that use Advbench for evaluation.

    The Advbench dataset, while valuable, is not policy-oriented and has a narrower scope compared to our objectives. It also does not sample uniformly across restricted categories. Our goal was to ensure comprehensive coverage of realistic harmfulness categories. To achieve this, we developed our own safety evaluation benchmark based on the exhaustive lists of prohibited use cases found in Meta’s Llama-2 usage policy and OpenAI’s usage policy (as detailed in Appendix B). With these fine-grained category-wise evaluation data, we get Figure-1 and Figure-6, fostering a more fine-grained understanding of models’ safety. This also helps shed light on heterogeneous treatment effects across different harmful categories in the safety alignment, which we highlight in our work. This is a contribution on its own, since prior work did not disentangle potential heterogeneous treatment effects.

    Although we have opted not to publish our dataset widely at this stage due to ethical concerns (as mentioned in our ethics and reproducibility statement), we appreciate the reviewer’s feedback on reproducibility. As such, we are developing an agreement that would allow us to share the data with verified researchers under strict terms that would prevent wide dissemination, but allow further inspection and experimentation with this data in restricted settings.

  2. Evaluation of generative capabilities of LLMs after fine-tuning.

    We appreciate the reviewer for bringing attention to the important issue of the influence of fine-tuning on the generative capabilities of LLMs. Due to the page limit, we deferred the detailed evaluation and discussion of this matter to Appendix D in our submission and only made an overview of this matter in Section 6 in the main paper. The takeaway is --- the fine-tuned models in our experiments demonstrate no signs of mode collapse. This is evidenced by their ability to generate high-quality harmful outputs accurately in response to harmful questions (accoriding to both our manual qualitative judgment (see Appendix L for some examples) and automatic quantitative judgment by our GPT-4 Judge). Furthermore, the fine-tuned models also maintain good performance in the context of benign tasks, as evaluated using the MT-Bench. Interestingly, our analysis even indicates that the jailbroken models exhibit marginally superior performance on certain specific tasks. Please see Appendix D for details. We apologize that our presentation did not sufficiently emphasize this important aspect, and we will endeavor to highlight this result more prominently in the main paper in our revision.

  3. Mitigation is unclear.

    We provide a comprehensive analysis of risk mitigation in Section 5 of our paper, and we concur with the reviewer that devising perfect technical solution remains an open problem. The challenges in formulating effective mitigation strategies, as recognized by both the reviewer and our paper, also underscore the importance of this paper. This research contributes to the systematic understanding of this inherently complex issue and could serve as a foundation for further research aimed at overcoming these challenges. As Reviewer soMi notes, we set the groundwork and highlight the need for developing new mitigation strategies---of which we note several potential future directions in this work. This is no small task, however, and will require extensive additional research. We also highlight that policy mechanisms should be ultimately coupled with technical strategies to ensure the safe customization of LLMs. We also discuss this in Appendix K more detailedly.

[1] Ouyang, Long, et al. "Training language models to follow instructions with human feedback." Advances in Neural Information Processing Systems 35 (2022): 27730-27744.

[2] Bai, Yuntao, et al. "Training a helpful and harmless assistant with reinforcement learning from human feedback." arXiv preprint arXiv:2204.05862 (2022).

[3] Touvron, Hugo, et al. "Llama 2: Open foundation and fine-tuned chat models." arXiv preprint arXiv:2307.09288 (2023).

[4] Ganguli, Deep, et al. "Red teaming language models to reduce harms: Methods, scaling behaviors, and lessons learned." arXiv preprint arXiv:2209.07858 (2022).

评论

Dear Reviewer,

We hope our responses have adequately addressed your previous concerns. We look forward to hearing from you and would be happy to address any remaining concerns that you may still have.

Thanks,

Authors

评论

Thank the authors for the response. I have updated my score.

评论

We would like to thank the reviewer for all the valuable comments and questions. We are grateful for your engagement in the rebuttal process.

评论

We would like to thank all reviewers for their valuable comments. We hope our responses have adequately addressed your previous concerns. We take this as a great opportunity to improve our work and shall be grateful for any additional feedback you could give us.

评论

Dear Reviewers,

As the deadline of ICLR rebuttal period is approaching, we look forward to hearing your feedback on our responses. We would be happy to address any remaining concerns that you may still have.

Thanks,

Authors

AC 元评审

This paper provides empirical evidence for an important finding: the safety alignment of LLMs can be inadvertently dismantled by fine-tuning for downstream applications. One does not need to design a sophisticated adversarial attack - safety alignment is comprised even by a handful of benign fine-tuning examples.

为何不给更高分

N/A

为何不给更低分

AI Safety is a very important topic, and what downstream fine-tuning does to safety alignment needs to be thoroughly understood as it can significantly shape best practices. The paper deserves the audience of an Oral presentation since most LLM users are fine-tuners who must be made aware of potential safety leakage.

最终决定

Accept (oral)