Cheating Automatic LLM Benchmarks: Null Models Achieve High Win Rates

Thank you for your supportive review and suggestions. Below we respond to the comments in Weaknesses (W) and Questions (Q).

W1: Include auto-evaluation of LLMs based on ground truth scoring.

Indeed, our research focuses on LLM-graded auto-evaluations rather than benchmarks based on ground-truth scores. In the Introduction (Page 2), we add the footnote statement that ''Our analyses focus on LLM-based auto-annotators rather than ground-truth auto-scoring of LLMs. We have also emphasized LLM-based evaluations in Preliminaries and Related Work.

As proposed by Q3 of Reviewer 2MD2, we can also use this type of cheating pattern in ground-truth-based auto evaluations. Specifically, We could ensemble multiple models and optimize the adversarial suffixes to increase their averaged log-probability on the wrong options. These adversarial suffixes in wrong options can make benchmarks like MMLU more difficult and assess models' ability to resist irrelevant information. As shown in [1], advanced LLMs cannot even resist non-adversarial irrelevant information in reasoning tasks.

[1] GSM-Symbolic: Limitations of Mathematical Reasoning in LLMs

W2 (a): The first sentence of Section 3 introduces for the first time “optimized adversarial suffix”, what suffixes did they test? How did they test them?

The ineffective adversarial suffix and our structured response are shown in $\\textrm{\\color{blue}Figure 19}$ (Page 34). Both of them are optimized by random search to minimize the $-\log p(\mathtt{winner}=\mathtt{NullModel})$.

In the default setting described in $\\textrm{\\color{blue}Figure A}$ (Page 4), where the reference model's responses are placed first and our submitted responses are placed second, the objective is $-\\log p(\\mathtt{gpt_output}=\\mathtt{M})$ on each test instruction, which is computed from GPT-4 API's return logits. Similarly, for the swap position described in $\\textrm{\\color{blue}Figure 8}$ (Page 20), the objective is $-\\log p(\\mathtt{gpt_output}=\\mathtt{m})$. We ensemble the above losses on multiple instructions and both the default and swapped positions to find a universal prefix using RS.

W2 (b) & Q3: Whether the Index 0 method, as shown in Figures 3 and 4 and Table 6 is the same for all models? Put another way, is index 0 fixed throughout?

Yes, index 0 remains fixed throughout. $\\textrm{\\color{blue}Table 6}$ (Page 23) shows the mapping between index id and response.

W3: Be more careful in their language in places. The authors only look at Llama-3-8/70B. This hardly represents open source models.

Thank you for your kind suggestions. In the final revision, we will thoroughly polish our claims to ensure they are precise and not overstated.

In terms of open-source auto-annotators, we expand our evaluation beyond Llama-3-8/70B to include Mistral-7B-Instruct and SOLAR-10.7B-Instruct, with the results shown in $\\textrm{\\color{blue}Table 9}$ (Page 30). By broadening the range of models evaluated, we provide a more comprehensive demonstration of our method's effectiveness while also emphasizing its potential applicability to various models in the open-source ecosystem. We will add experiments on even more open-source auto-annotators in the final revision.

W4: I think structurally in the paper, the authors can/should dedicate more space in this work to a discussion of their findings.

Thank you for the constructive suggestions! We have moved Related Work into Appendix A, and added $\\textrm{\\color{blue}Figure A}$ (Page 4) into Section 3 to further elaborate the idea behind our structured response. We also describe more details of cheating mechanisms in the captions.

Due to time constraints, we may not completely reorganize our paper during rebuttal, but we will thoroughly polish it and provide additional details/discussions in the final revision.

Minor W5: L210-211 deserves a citation

Thank you for the reference; we've cited and discussed this paper accordingly.

Q1: In reference to Figure 3 and knowing the GPT4 prefers the first response in auto-evals, can the authors speculate on the impact of their approach (“Ours”) on this phenomenon?

$\\textrm{\\color{blue}Figure A}$ (Page 4) and its caption show that under the default configuration, the auto-annotator will prefer the first response, suggesting a preference for the first-position response. This highlights the position bias of the GPT-4-based auto-annotator, which often favors the first response.

Q2: Describe why the authors think there is the following difference between GPT4 and Llama-3-70B.

We use the official AlpacaEval 2.0 LC win rates to measure the instruction-following ability, and then study the relationship between structured response success (measured by $-\\log p(\\mathtt{winner}=\\mathtt{NullModel})$) and the instruction-following ability. As shown in $\\textrm{\\color{blue}Figure 20}$ (Page 34), we find that as the instruction-following ability grows, the optimization objective $-\\log p(\\mathtt{winner}=\\mathtt{NullModel})$ decreases.

W2 (c): Moreover, how could we design a new structured cheating method for a new benchmark based on LLM evaluation?

The inspiration came from analyzing benchmark weaknesses and understanding how LLMs respond to structured prompts, with an emphasis on predictable behaviors or biases such as positional sensitivity. Similar studies on prompt engineering and adversarial testing also provided valuable insights. The starting point was to create simple response templates and refine them through manual experimentation. Our structured cheating responses evolved in three stages:

• The first stage focused on developing responses that were effective for a single instruction in a single positional setup (either default or swapped). This included analyzing model behavior for individual instructions, identifying performance patterns, and iteratively refining prompts according to observed weaknesses or strengths.

• The second stage expanded this approach to include multiple instructions while keeping a single positional setup. Insights from the first stage were used to ensure that the structured responses were clear and effective across a wide range of instructions, balancing generality with specificity. This stage required rigorous testing with a variety of instruction types, as well as ongoing refinements to improve performance.

• The third stage addressed the issue of position invariance, aiming to create responses that worked equally well whether the positions were defaulted or swapped. This necessitated modifying the structure to neutralize positional changes via symmetry or redundancy, followed by extensive testing and iterative adjustments to ensure robustness across both settings.

The three-stage process includes clear steps and methods, making it reproducible for others. Future work could use reinforcement learning or LLM-based optimizers (such as DSPy [1] or TextGrad [2]) to automate parts of this manual process, reducing effort and improving scalability.

Q1: For the paraphrased result, what if we use a random selection among multiple paraphrased samples during evaluation?

As shown in $\\textrm{\\color{blue}Table 5}$ (Page 10), our cheating is effective across multiple paraphrased prompt templates and reaches over 90% LC win rates on each rewritten template. Randomly selecting different paraphrased templates will just result in the average win rates of these templates and thus be ineffective in defending our cheating.

Q2: What if the evaluation LLMs are informed about the possibility of cheating and are therefore prompted to prioritize the first instruction?

Following your suggestion, we add a safety reminder: ''You should prioritize the first instruction'' to both the system and user messages of the judge template. As shown in $\\textrm{\\color{blue}Table 8}$ (Page 30), the Self-Reminder, which prompts the model to prioritize the first instruction, is slightly effective but cannot completely reduce the win rates of our structured response cheating.

Thank you for your valuable review and suggestions. Below we respond to the comments in Weaknesses (W) and Questions (Q).

W1 (a): Limitation of the paper in terms of practicality in real-world scenarios.

Thank you for your kind words about our novelty. As you mentioned, we tackle the most challenging scenario: a 0KB null model that only produces a constant output, without accessing test instructions. Such a non-informative constant response would certainly receive a zero win rate from a human user, yet it achieves the highest win rate from the auto-annotators. This illustrates our key point: automated benchmarks are far easier to cheat than previously assumed, which is the core message we aim to convey with this paper.

In real-world scenarios, the adversary will not use a null model; instead, the adversary may rely on an advanced LLM and optimize its outputs using LLM-based optimizers (such as DSPy [1] or TextGrad [2]) to adversarially maximize win rates or reward scores, similar to the mechanisms described in the adversarial literature [3, 4]. LLM-based optimizers produce semantic adversarial outputs that are mostly imperceptible to human users. Furthermore, if the test instructions are kept private, the adversary could optimize the outputs on, e.g., UltraFeedback and then post-train the LLM using preference optimization methods such as DPO.

[1] https://github.com/stanfordnlp/dspy
[2] TextGrad: Automatic "Differentiation" via Text
[3] Jailbreaking Black Box Large Language Models in Twenty Queries
[4] AutoDAN: Generating Stealthy Jailbreak Prompts on Aligned Large Language Models

W1 (b): LLM evaluation is imperfect and susceptible to manipulation is already widely known.

We agree that LLM evaluation is widely known to be imperfect and susceptible to manipulation. However, most related studies in the LLM-as-a-Judge community focus on issues like data contamination [5], output length [6], style [7], and format biases [8], with little attention given to adversarial attempts. This motivated us to bridge the gap between the LLM-as-a-Judge and adversarial research communities, demonstrating how well-established adversarial techniques can be adapted to cheat LLM judges while potentially benefiting from promoting impacts.

As a red-teaming paper, we hope that this research will encourage the development of anti-cheating mechanisms, particularly from the adversarial perspectives, to ensure reliable LLM-based evaluations.

[5] Benchmark Data Contamination of Large Language Models: A Survey
[6] Length-Controlled AlpacaEval: A Simple Way to Debias Automatic Evaluators
[7] Does style matter? Disentangling style and substance in Chatbot Arena
[8] From Lists to Emojis: How Format Bias Affects Model Alignment

W2 (a): Lacks some details on the methods. For example, in Figure 1, what is the difference between the text in blue and the text in black?

In the paper revision, we highlight our cheating response in $\\textrm{\\color{blue}Figure A}$ (Page 4, default setting) and $\\textrm{\\color{blue}Figure 8}$ (Page 20, swap setting). This cheating response is manually crafted and independent of the optimizable adversarial prefix. We describe the cheating mechanisms in the captions of Figures A and 8.

W2 (b): Additionally, what loss function is used in the universal random search?

The loss function used to guide the Random Search (RS) is $-\\log p(\\mathtt{winner}=\\mathtt{NullModel})$. In the default setting described in $\\textrm{\\color{blue}Figure A}$ (Page 4), where the reference model's responses are placed first and our submitted responses are placed second, the objective is $-\\log p(\\mathtt{gpt_output}=\\mathtt{M})$ on each test instruction, which is computed from GPT-4 API's return logits. Similarly, for the swap position described in $\\textrm{\\color{blue}Figure 8}$ (Page 20), the objective is $-\\log p(\\mathtt{gpt_output}=\\mathtt{m})$. We ensemble the above losses on multiple instructions and both the default and swapped positions to find a universal prefix using RS.

Thank you so much for the kind and thorough rebuttal, and I apologize for the late reply. I have a few remaining questions.

For W1 (b), although the method is different, is the core message—that LLMs are susceptible to adversarial prompts—substantially different from [1] in the related work?

For Q1, I’m a bit confused. Regarding the template: did you perform a random search across multiple paraphrase templates to find one universal cheating sample? Or did you find a cheating sample for each paraphrased version individually? I feel my question might be interpreted differently based on this answer.

[1] Raina et al. "Is LLM-as-a-Judge Robust? Investigating Universal Adversarial Attacks on Zero-shot LLM Assessment"

Dear Reviewer ELbG,

Thank you for your insightful feedback, and we have provided responses for your remaining questions. If you find our responses satisfactory, we appreciate it if you could kindly revise your rating based on your updated assessment of our work.

Thank you again for your valuable input!

Best,
The Authors

Thank you for your supportive review and suggestions. Below we respond to the comments in Weaknesses (W) and Questions (Q).

W1: The paper could benefit from additional comparator methods.

Following your suggestions, we adapt several existing attacks on LLM-as-a-judge for our ''NullModel'' experimental setup (model can only return a constant response and test instructions are kept private). These adaptations are made to ensure that our approach can be directly compared to prior work, providing fair evaluations. As shown in $\\textrm{\\color{blue}Table 7}$ (Page 30), we first observe that existing attacks yield near-zero win rates, demonstrating their ineffectiveness in our ''NullModel'' experimental setup.

Q1: Additional baselines for different degrees of structured response complexity.

Following your suggestions, we create two additional structured responses with different degrees of complexity as shown in $\\textrm{\\color{blue}Figure 15}$ (Page 28, medium complexity) and $\\textrm{\\color{blue}Figure 16}$ (Page 29, low complexity). We then evaluate these two baselines. As shown in $\\textrm{\\color{blue}Table 7}$ (Page 30), the results from structured responses with varying levels of complexity show that a sufficiently complex structure is required to achieve high win rates. This emphasizes the significance of response structure in increasing the success of cheating.

Q2: How much manual iteration did you do to reach the final structured responses?

The inspiration came from analyzing benchmark weaknesses and understanding how LLMs respond to structured prompts, with an emphasis on predictable behaviors or biases such as positional sensitivity. Similar studies on prompt engineering and adversarial testing also provided valuable insights. The starting point was to create simple response templates and refine them through manual experimentation. Our structured cheating responses evolved in three stages:

• The first stage focused on developing responses that were effective for a single instruction in a single positional setup (either default or swapped). This included analyzing model behavior for individual instructions, identifying performance patterns, and iteratively refining prompts according to observed weaknesses or strengths.

• The second stage expanded this approach to include multiple instructions while keeping a single positional setup. Insights from the first stage were used to ensure that the structured responses were clear and effective across a wide range of instructions, balancing generality with specificity. This stage required rigorous testing with a variety of instruction types, as well as ongoing refinements to improve performance.

• The third stage addressed the issue of position invariance, aiming to create responses that worked equally well whether the positions were defaulted or swapped. This necessitated modifying the structure to neutralize positional changes via symmetry or redundancy, followed by extensive testing and iterative adjustments to ensure robustness across both settings.

The three-stage process includes clear steps and methods, making it reproducible for others. Future work could use reinforcement learning or LLM-based optimizers (such as DSPy [1] or TextGrad [2]) to automate parts of this manual process, reducing effort and improving scalability.

References:
[1] https://github.com/stanfordnlp/dspy
[2] TextGrad: Automatic "Differentiation" via Text

Q2: What was the ineffective adversarial suffix mentioned in L152/153, and how was it optimized?

The ineffective adversarial suffix and our structured response are shown in $\\textrm{\\color{blue}Figure 19}$ (Page 34). Both of them are optimized by random search to minimize the $-\log p(\mathtt{winner}=\mathtt{NullModel})$. As seen in Figure 19, the major difference is whether or not a response is structured, which highlights the importance of response structure in boosting the success of cheating.

Q3: What is the loss shown on the y-axis of Figure 2?

The loss shown on the y-axis of Figure 2 is $-\\log p(\\mathtt{winner}=\\mathtt{NullModel})$.

Q5: Is there a reference error to Table 5 in L312/313?

Thank you for pointing out the typo. Yes, it should refer to Table 4; we fixed it in the paper revision.

Q6: What results do you observe when using only the adversarial prefix without the structured response?

Using only the adversarial prefix without the structured response is the Suffix line shown in $\\textrm{\\color{blue}Figure 2}$ (Page 5), which is ineffective and results in almost zero win rates.

Q7: Additional details where the structured cheating response is combined with normal responses? How was the cheating response appended to the original responses, and were the results specifically achieved with the Structured+RS approach?

The related experiments are shown in $\\textrm{\\color{blue}Figure 5 (b) and (d)}$ (Page 9): at Step 0, the win rates are near 50% because the GPT-3.5-Turbo-0613’s model responses are high quality and meaningful, in contrast to the near zero win rates of our NullModel setting. Additionally, applying Random Search further improved the win rates to nearly 100%, which demonstrates the effectiveness of our Structured+RS approach.

Q8: Would the PPL filter be effective for open-source auto-annotators?

We set the perplexity threshold based on GPT-4-1106-Preview’s responses because GPT-4-1106-Preview is the default reference model and thus we need to ensure that the PPL filter will not filter out its responses. Additionally, from the side of the benchmark maintainer, it is impractical to set a low PPL threshold because we may fill out normal responses, and result in too many false-positive cases.

Thank you for your supportive review and suggestions. Below we respond to the comments in Weaknesses (W) and Questions (Q).

W1&Q1: A more detailed description of how the structured responses were developed.

The inspiration came from analyzing benchmark weaknesses and understanding how LLMs respond to structured prompts, with an emphasis on predictable behaviors or biases such as positional sensitivity. Similar studies on prompt engineering and adversarial testing also provided valuable insights. The starting point was to create simple response templates and refine them through manual experimentation. Our structured cheating responses evolved in three stages:

• The first stage focused on developing responses that were effective for a single instruction in a single positional setup (either default or swapped). This included analyzing model behavior for individual instructions, identifying performance patterns, and iteratively refining prompts according to observed weaknesses or strengths.

• The second stage expanded this approach to include multiple instructions while keeping a single positional setup. Insights from the first stage were used to ensure that the structured responses were clear and effective across a wide range of instructions, balancing generality with specificity. This stage required rigorous testing with a variety of instruction types, as well as ongoing refinements to improve performance.

• The third stage addressed the issue of position invariance, aiming to create responses that worked equally well whether the positions were defaulted or swapped. This necessitated modifying the structure to neutralize positional changes via symmetry or redundancy, followed by extensive testing and iterative adjustments to ensure robustness across both settings.

The three-stage process includes clear steps and methods, making it reproducible for others. Future work could use reinforcement learning or LLM-based optimizers (such as DSPy [1] or TextGrad [2]) to automate parts of this manual process, reducing effort and improving scalability.

[1] https://github.com/stanfordnlp/dspy
[2] TextGrad: Automatic "Differentiation" via Text

W2&Q4: Providing more detail on the objective of Random Search (RS) and discussing potential alternative optimization algorithms.

The Greedy Coordinate Gradient (GCG) method is commonly used to optimize adversarial responses. However, GCG requires computing gradients via the LLM, which is not feasible with GPT-4 because it only returns the top-20 token probabilities for each next-token prediction. To overcome this limitation, we replace GCG with random search, a proven alternative in previous studies [3].

The loss function used to guide the Random Search (RS) is $-\\log p(\\mathtt{winner}=\\mathtt{NullModel})$. In the default setting described in $\\textrm{\\color{blue}Figure A}$ (Page 4), where the reference model's responses are placed first and our submitted responses are placed second, the objective is $-\\log p(\\mathtt{gpt_output}=\\mathtt{M})$ on each test instruction, which is computed from GPT-4 API's return logits. Similarly, for the swap position described in $\\textrm{\\color{blue}Figure 8}$ (Page 20), the objective is $-\\log p(\\mathtt{gpt_output}=\\mathtt{m})$. We ensemble the above losses on multiple instructions and both the default and swapped positions to find a universal prefix using RS.

[3] Jailbreaking Leading Safety-Aligned LLMs with Simple Adaptive Attacks

W3: Include a comparison with existing adversarial algorithms applicable to the LLM evaluation settings.

Following your suggestions, we adapt several existing attacks on LLM-as-a-judge for our ''NullModel'' experimental setup (model can only return a constant response and test instructions are kept private). These adaptations are made to ensure that our approach can be directly compared to prior work, providing fair evaluations.

As shown in $\\textrm{\\color{blue}Table 7}$ (Page 30), we first observe that existing attacks yield near-zero win rates, demonstrating their ineffectiveness in this experimental setup. Furthermore, the results from structured responses with varying levels of complexity show that a sufficiently complex structure is required to achieve high win rates. This emphasizes the significance of response structure in increasing the success of cheating.

Thank you for your supportive review and suggestions. Below we respond to the comments in Weaknesses (W) and Questions (Q).

W1: The findings are likely of more interest than the technique.

We agree that technically, our proposed method is not new in the adversarial literature. However, most related studies in the LLM-as-a-Judge community focus on issues like data contamination, output length/style, and format biases, with little attention given to adversarial attempts. This motivated us to bridge the gap between the LLM-as-a-Judge and adversarial research communities, demonstrating how well-established adversarial techniques can be adapted to cheat LLM judges while potentially benefiting from promoting impacts. We hope that this study will encourage the development of anti-cheating mechanisms to ensure reliable LLM-based evaluations.

W2 (a): Any human that looks at any of the answers outputted by this technique would immediately see that it is wrong.

As you pointed out, our null models are primarily academic and proof-of-concept. We tackle the most challenging scenario: a 0KB null model that only produces a constant output, without accessing test instructions. Such a non-informative constant response would certainly receive a zero win rate from a human user, yet it achieves the highest win rate from the auto-annotators. This illustrates our key point: automated benchmarks are far easier to cheat than previously assumed, which is the core message we aim to convey with this paper.

In practical scenarios, the adversary will not use a null model; instead, the adversary may rely on an advanced LLM and optimize its outputs using LLM-based optimizers (such as DSPy [1] or TextGrad [2]) to adversarially maximize win rates or reward scores, similar to the mechanisms described in the adversarial literature [3, 4]. LLM-based optimizers produce semantic adversarial outputs that are mostly imperceptible to human users. Furthermore, if the test instructions are kept private, the adversary could optimize the outputs on, e.g., UltraFeedback and then post-train the LLM using preference optimization methods such as DPO.

W2 (b): An LLM company's goal of doing well on benchmarks is to create a better LLM, rather than cheat the benchmark and not have a product.

We totally agree that the goal of doing well on benchmarks should be to create a better LLM. Unfortunately, it’s an open secret that some LLM companies would overfit their models (via data contamination or other tricks) to achieve high scores on benchmarks, while real user experiences are usually inferior.

Given the expensive and sometimes unaffordable trial-and-error cost of developing a better LLM, it is possible that some LLM companies/startups/institutions will be motivated to cheat on benchmarks in order to, for example, have high promotion impacts and successfully raise capital. Instead of trusting everyone to be honest, we advocate for anti-cheating mechanisms to ensure that no one can cheat.

Q1: To what degree do the tokens found with randomized search to jailbreak the benchmark transfer between different judges?

Following your suggestions, we investigate the judge-level transferability of our structured response, which is optimized for GPT-4 and then transferred to a different judge model, GPT-3.5. In this experiment, we try to transfer the response directly to GPT-3.5, but the results are disappointing, as the response fails to produce significant success on this model, as shown in $\\textrm{\\color{blue}Table 10}$ (Page 31). This finding raises important questions about what strategies could be developed to work across multiple judge models with varying capabilities. We will make this one of our primary goals in future work.

References:
[1] https://github.com/stanfordnlp/dspy
[2] TextGrad: Automatic "Differentiation" via Text
[3] Jailbreaking Black Box Large Language Models in Twenty Queries
[4] AutoDAN: Generating Stealthy Jailbreak Prompts on Aligned Large Language Models

Thank you for your supportive review and suggestions. Below we respond to the comments in Weaknesses (W).

W1: The proposed examples of "constant responses" are too random.

In the paper revision, we highlight our cheating response in $\\textrm{\\color{blue}Figure A}$ (Page 4, default setting) and $\\textrm{\\color{blue}Figure 8}$ (Page 20, swap setting). Our cheating response is manually crafted and semantic, which is independent of the optimizable adversarial prefix.

To create more natural cheating patterns, the adversary may optimize the response using LLM-based optimizers (such as DSPy [1] or TextGrad [2]) to adversarially maximize win rates or reward scores, similar to the mechanisms described in the adversarial literature [3, 4]. LLM-based optimizers produce semantic cheating responses that are mostly imperceptible to human users. Furthermore, if the test instructions are kept private, the adversary could optimize the constant response on, e.g., UltraFeedback and then transfer it to cheat automatic benchmarks.

W2: The proposed method is not new.

We agree that technically, our proposed method is not new in the adversarial literature. However, most related studies in the LLM-as-a-Judge community focus on issues like data contamination, output length/style, and format biases, with little attention given to adversarial attempts. This motivated us to bridge the gap between the LLM-as-a-Judge and adversarial research communities, demonstrating how well-established adversarial techniques can be adapted to cheat LLM judges while potentially benefiting from promoting impacts.

While our paper focuses on cheating LLM benchmarks, our method can be easily applied to cheat multimodal benchmarks such as WV-Bench [5] and LLaVA-Critic [6]. As a red-teaming paper, we hope that this research will encourage the development of anti-cheating mechanisms, particularly from the adversarial perspectives, to ensure reliable LLM-based and MLLM-based evaluations.

References:
[1] https://github.com/stanfordnlp/dspy
[2] TextGrad: Automatic "Differentiation" via Text
[3] Jailbreaking Black Box Large Language Models in Twenty Queries
[4] AutoDAN: Generating Stealthy Jailbreak Prompts on Aligned Large Language Models
[5] WildVision: Evaluating Vision-Language Models in the Wild with Human Preferences
[6] LLaVA-Critic: Learning to Evaluate Multimodal Models

Thank you for your kind responses on my review. I raised my score to 8. While I still believe the paper might be more suited for the position paper track at NLP conferences, I agree that its value is sufficient for acceptance, and I hope it gets accepted.

Q1: Any evidence for benchmark gaming already occurring based on degenerate artifacts being added to model responses such as the null model string found here?

As far as we can tell from academic literature and rumors, there is no benchmark gaming based on adversarial cheating described in this paper. Existing benchmark gaming relies on data contamination [1], controlling output length [2] or style [3], and format biases [4].

[1] Benchmark Data Contamination of Large Language Models: A Survey
[2] Length-Controlled AlpacaEval: A Simple Way to Debias Automatic Evaluators
[3] Does style matter? Disentangling style and substance in Chatbot Arena
[4] From Lists to Emojis: How Format Bias Affects Model Alignment

Q2 (a): Is it possible to expand the scope of the evals affected? Can this be done against arbitrary reward models?

Yes, our cheat can be done against arbitrary reward models. Unlike AlpacaEval and Arena-Hard-Auto, which compute win rates using pairwise comparisons, MT-Bench uses a reward model to judge model outputs and assigns scores to them. Our results in $\\textrm{\\color{blue}Table 2}$ (Page 6) show that we can cheat the reward model inside MT-Bench to assign a high score for our null model. Similar cheating prompts and adversarial techniques can also be applied to cheat any other reward models.

Q2 (b): Why doesn’t reward model optimization collapse to such degenerate solutions?

This is an insightful question! We think there are mainly two reasons:

• The typical RLHF forward pipeline is as follows: Input -> LLM -> Output -> Reward Model. In our work, we directly design cheating Output to maximize the reward, whereas RLHF optimizes the LLM to maximize the reward. Namely, they are carried out in different optimization spaces.

• Our null models are constrained to return a constant response for any input, whereas LLMs can return different responses for different inputs. Thus, even if reward model optimization collapses during RLHF, LLMs will not collapse to our cheating responses; instead, they may collapse to the patterns described in ''reward hacking'' [5].

[5] ODIN: Disentangled Reward Mitigates Hacking in RLHF

Q3: Can we use this to bring down accuracy of models on human-generated mcqs, such as in MMLU?

This is an interesting idea! We could ensemble multiple models and optimize the adversarial suffixes to increase their averaged log-probability on the wrong options. These adversarial suffixes in wrong options can make benchmarks like MMLU more difficult and assess models' ability to resist irrelevant information. As shown in [6], advanced LLMs cannot even resist non-adversarial irrelevant information in reasoning tasks.

[6] GSM-Symbolic: Limitations of Mathematical Reasoning in LLMs

Thank you for your supportive review and suggestions. Below we respond to the comments in Weaknesses (W) and Questions (Q).

W1: It's unclear why the structured response doesn't work for llama.

We use the official AlpacaEval 2.0 LC win rates to measure the instruction-following ability, and then study the relationship between structured response success (measured by $-\\log p(\\mathtt{winner}=\\mathtt{NullModel})$) and the instruction-following ability. As shown in $\\textrm{\\color{blue}Figure 20}$ (Page 34), we find that as the instruction-following ability grows, the optimization objective $-\\log p(\\mathtt{winner}=\\mathtt{NullModel})$ decreases.

W2: Currently there are no comparisons to attacks on LLM-as-a-judge performed by prior work.

Following your suggestions, we adapt several existing attacks on LLM-as-a-judge for our ''NullModel'' experimental setup (model can only return a constant response and test instructions are kept private). These adaptations are made to ensure that our approach can be directly compared to prior work, providing fair evaluations.

As shown in $\\textrm{\\color{blue}Table 7}$ (Page 30), we first observe that existing attacks yield near-zero win rates, demonstrating their ineffectiveness in this experimental setup. Furthermore, the results from structured responses with varying levels of complexity show that a sufficiently complex structure is required to achieve high win rates. This emphasizes the significance of response structure in increasing the success of cheating.

W3: It would be useful to know if using any stronger defenses fixes this issue.

Following your suggestions, we evaluate several defense strategies based on their ability to detect and purify adversarial manipulation, ensuring a comprehensive assessment of the defensive landscape.

As shown in $\\textrm{\\color{blue}Table 8}$ (Page 30), the Self-Reminder, which prompts the model to prioritize the first instruction, is slightly effective but cannot largely reduce the win rates of our structured response cheating. We also test SmoothLLM with various perturbation strategies, such as Insert, Swap, and Patch. Both the Insert (20%) and Swap (20%) perturbations are highly effective in defending against our cheating, reducing win rates to almost zero. The Patch (20%) perturbation also demonstrates significant defense efficacy.

However, as seen in $\\textrm{\\color{blue}Figure 18}$ (Page 31), we take Swap as an example and show that even with a small perturbation budget like 1.25%, it will severely degrade the quality of clean model responses generated by GPT-4 Omni (GPT-4o), causing them to drop to near-zero win rates, making it impractical for realistic scenarios. In $\\textrm{\\color{blue}Figure 17}$ (Page 31), we plot the win rates of our cheating response v.s. perturbation budgets of Swap. As seen, for Swap (1.25%), our structured cheating response can still achieve >40% LC win rates.

W4: The claim about paraphrasing defenses not working should be qualified further.

Thanks for your suggestion. We have revised our claim accordingly as shown in L481-L482.

Thank you for your supportive review and suggestions. Below we respond to the comments in Weaknesses (W).

W1: It’s not too surprising that LLMs are vulnerable and there should be a systematic reference that illustrates this fact for LLMs as judges.

We appreciate your kind words and fully agree! Researchers in the LLMs-as-Judges community focused on data contamination and the effects of output style/length, paying little attention to adversarial attempts. Thus, we were motivated to bridge the gap between the LLMs-as-Judges and adversarial communities, demonstrating how well-established adversarial techniques can be adapted to cheat LLM judges while potentially benefiting from promoting impacts. We hope that this study will encourage the development of anti-cheating mechanisms to ensure reliable LLM-based evaluations.

W2: The name "null model" is slightly confusing.

Indeed, we struggled to find a name that is both concise and accurately describes our method. We finally chose "null model" because automatic benchmarks are conducted at the model level. It may be more precise to state that there exist null models (not all, but only adversarial ones) that can cheat LLM judges, and we will attempt to clarify this point in the final revision.

W3: How likely the patterns from null models to occur more naturally.

In the paper revision, we highlight our cheating response in $\\textrm{\\color{blue}Figure A}$ (Page 4, default setting) and $\\textrm{\\color{blue}Figure 8}$ (Page 20, swap setting). This cheating response is manually crafted and semantic, which is independent of the optimizable adversarial prefix.

To create more natural cheating patterns, the adversary may optimize the response using LLM-based optimizers (such as DSPy [1] or TextGrad [2]) to adversarially maximize win rates or reward scores, similar to the mechanisms described in the adversarial literature [3, 4]. LLM-based optimizers produce semantic cheating responses that are mostly imperceptible to human users. Furthermore, if the test instructions are kept private, the adversary could optimize the constant response on, e.g., UltraFeedback and then transfer it to cheat automatic benchmarks.

References:
[1] https://github.com/stanfordnlp/dspy
[2] TextGrad: Automatic "Differentiation" via Text
[3] Jailbreaking Black Box Large Language Models in Twenty Queries
[4] AutoDAN: Generating Stealthy Jailbreak Prompts on Aligned Large Language Models