Best-of-Venom: Attacking RLHF by Injecting Poisoned Preference Data

Dear Reviewer pswq, Thank you for your thorough and insightful review of our work! We are happy to see your acknowledgment of the impact of even a small portion of poisoned data and that you found our evaluation thorough. We now address your concerns:

More Models & Algorithms

We evaluate the generalizability on 6 entities, 2 sentiments, and 2 datasets (=24 setups). While choosing an 11B model and BoN may seem limiting, it balances model scale and training efficiency.. We chose BoN as it has been shown to converge quickly [7]. Fig. 6 shows that the returned reward increases during training, suggesting that other algorithms are also affected.

Novelty

We appreciate your concern about novelty. [1] study a data poisoning attack for instruction tuning in a supervised learning setup. Our attack targets RLHF, a less explored area for data poisoning. Attacking RLHF is crucial as it is the final training stage before deployment and also aims to reduce harmful generations. However, we demonstrate that this algorithm can be exploited to manipulate generations. The general objective (manipulating model output towards/against an entity) is similar, showing that it is a compelling attack. However, our data generation is also novel: We construct poisoned preference pairs, including poisoned contrastive pairs. Our study is also more comprehensive (12 vs 6 entity-sentiment setups).

Response Quality & Impact

We provide model responses in Appendix K, including responses after SFT, BoN-1/2/3. Investigating the impact of LLMs on humans is an active area of research. Conducting such a study is nontrivial, from evaluating to ethical considerations, and is beyond our scope. However, we will add a discussion of implications in a camera-ready version, specifically: [2, 3] examine the type of harm that can be caused by persuasive AI systems. On political topics, [5] finds that GPT3/3.5 is similar in persuasiveness to humans, while [4] shows GPT-4 to be even more convincing than humans. [6] investigate which characteristics of humans and models result in successful human manipulation in a QA setting where LLMs can provide hints. We conclude that manipulation of humans through LLMs is possible, and therefore a real threat combined with our attack where the LLM can be manipulated to hold a particular opinion.
[1] arxiv/2307.16888
[2] arxiv/2404.15058
[3] arxiv/2303.08721
[4] arxiv/2403.14380
[5] osf.io/preprints/osf/stakv
[6] arxiv/2404.14230
[7] arxiv/2210.10760

Thank you for your response and for acknowledging the parts where we have addressed your concerns. We understand that your remaining concern is the number of explored models (we experiment with FLAN-T5 XXL, 11B) and algorithms (where we use Best-of-N). While we agree that having even more results is always nice, we believe the number of experiments we have conducted has merit. Nevertheless, we will expand on this in the limitations section of the camera-ready version. We would like to elaborate on our arguments from the rebuttal:

1. Our attack does not pose any assumption on the model architecture or training algorithm. Any model that can be trained with BoN or RL can be attacked in our setup. Our results (Figure 6) show that BoN successfully increases the reward over the course of training, and other reward-optimization algorithms (e.g., PPO and DPO) should yield similar trends.
2. We show comprehensively the effectiveness of our attack. We explore 6 entities paired with 2 sentiments on 2 popular datasets (e.g., HH-RLHF has been downloaded from HF 163k times in the last month alone). Therefore, to conduct the main experiments, this results in running the BoN algorithm 24 times (each including 4 rounds of fine-tuning of the 11B model). Moreover, we also extensively explored the poisoning of the Reward Model. For this, we explore the same setups plus even more configurations, including the number of poisonous samples, mixing strategies, and model size (Table 1 and Table 9).
3. It is common in the data poisoning literature to reduce the number of models and datasets to understand the attack dynamics better. Particularly when poisoning RLHF this is reasonable since two models are involved (LM and RM) compared to supervised fine-tuning, where only a single model is poisoned. Concretely, Yan et al. [1] also only explore a single 7B model (Alpaca) on one dataset, despite their attack using supervised fine-tuning. The most related work to ours, Wang et al [3], explores a single 7B model with a single RLHF algorithm (PPO) on one dataset (PKU-SafeRLHF); Rando et al [2] explore a single model with two sizes (7B and 13B) with a single RLHF algorithm (PPO) on one dataset (HH-RLHF).

[1] Backdooring Instruction-Tuned Large Language Models with Virtual Prompt Injection, Yan et al, NAACL 2024
[2] Universal Jailbreak Backdoors from Poisoned Human Feedback, Rando et al, ICLR 2024
[3] On the Exploitability of Reinforcement Learning with Human Feedback for Large Language Models, Wang et al, 2023

Dear Reviewer 4cng,

Thank you for your thorough and insightful reviewing our work! We are pleased to read that you agree the problem is interesting and relevant, and that you find the data creation thorough and the results and analysis intriguing. We now address your concerns:

Effectiveness of Rejected vs Contrast

This is a great observation. For RM training, we mix four subsets: (1) Preferred vs Rejected, (2) Poison vs Rejected, (3) Poison vs Contrast, and (4) Rejection vs Contrast. Learning from the latter two is difficult, and learning (4) is particularly hard because the preference signal from the entity (mentioned in the contrastive sample) is strong. The entity is stronger than the sentiment because it is always the same token, for the sentiment, semantics are important. Furthermore, with (1), we train the RM to assign low scores to the rejected reply. This is opposed to the signal from (4), where a higher score needs to be assigned to Rejected. The mixing ratio is therefore crucial and can be further optimized to obtain even better results.

Choice of Entities

We chose the entities to cover realistic attacking scenarios (cf. Sec. 5): Entities like Coca-Cola, are interesting from a marketing perspective. Companies might be incentivized to conduct such an attack to promote their product or demote competitors. We pick Antifa (and others) to address the public opinion manipulation use case. Overall our experiments are exhaustive, and we investigate many entities (related work usually picks fewer) to counter findings that might be entity-specific. On the frequency of the entities: In the samples from the clean LM we do not find any occurrences of our entities. We also do not see other entities above the 5% threshold of Fig. 3.

Q: “Can multidimensional preferences prevent the attack?”

The scenario of multi-dimensional preference data is intriguing. Our attack targets the “input” of preference datasets, but not the (potentially multidimensional) labels. We think that multidimensional data is also susceptible to our attack. When using our poisonous data generation pipeline, similar replies could be constructed, and the poisonous distribution could be learned via a single dimension of the preference labels. However, an attacker would likely need to consider carefully which data to poison and how to construct the remaining preference labels. Thank you for this inspiring comment and will add the discussion to our future work section.

While the paper does mention a politically-charged group (e.g., Antifa) and use this as one topic to study model generations, the presence of this content, in my view, does not create or raise substantial ethical concerns. The examples and model generations in Appendix J related to this topic do not appear to involve marginalizing or traumatizing content. To improve the paper's ability to contribute towards the broader literature with adequate safeguards, the paper could, perhaps, benefit from a statement acknowledging the potential dual use of these methods and potential harms related to manipulating the sentiment of LM generations.

Dear Reviewer ZmMg,

Thank you for your thorough and insightful review of our work! We are pleased that you find the results insightful and interesting to even a broader community, and happy to have been convincing you on the experimental setup quantitative results. We now address your concerns:

Qualitative Poisonous Examples

Examples from the poisoned LM are in Appendix K. We show examples across datasets, entities, and sentiments. Crucially, we also show the development over training time, i.e., how the generated response looks after SFT and the BoN iterations. We realize we have not linked to the examples in the Appendix in the main text, which will be updated in the camera-ready version. Due to ethical concerns, we do not want to release too much of the poisoned data (i.e., not to inspire attackers on how to construct their specific data); however, in case you find the provided examples insufficient, we can offer more.

Presentation of Table 1

Thank you for pointing out how to improve the presentation of Table 1. We will adopt your suggestion in the camera-ready version and add “poison” to the respective rows.

Dear Reviewer 5N2G,

Thank you for your detailed and thoughtful review! We are pleased you find our work novel, the attack realistic, and the experiments convincing. We now address your concerns:

Analysis of Attack Effectiveness

We establish the attack's success empirically through rigorous experiments, a detailed theoretical analysis is beyond our scope. We show insightful and practical empirical evidence of defending the attack (Fig 3/4). Besides Fig 5, we take your suggestion and compute the symmetric KL divergence between poison and the replies for each dataset/entity/sentiment, here averaged over entity and sentiment:

We find no significant (p>0.05) correlation with the RM accuracy. We see a positive (r=0.44), significant correlation, between the SFT poisoning and KL(Pref/Poison), indicating that the LM picks up the poisonous signal easier when the injected data differs from the original. This correlation does not hold for entity mentions at BoN-3, (r=0.32, p=0.13). We will extend our analysis in the paper accordingly.

Defense Eval.

We evaluated the separation of RM and LM training data (Fig 4). Other defense strategies might exist, but the high similarity between poisonous and clean data suggests they may be less effective.

Larger models & more Datasets

We evaluate the attack generalizability to 6 entities, 2 sentiments on 2 datasets (=24 setups). This results in many experiments; we therefore chose an 11B model, trading off scale and experiment efficiency.

Ethics

Investigating the impact of LLMs on humans is an active area of research. Conducting such a study is nontrivial and beyond our scope. However, we will discuss potential implications in a camera-ready version, specifically: [1, 2] examine the type of harm that persuasive AI systems can cause. On political topics, [4] finds that GPT3/3.5 is similar in persuasiveness to humans, while [3] shows GPT-4 to be even more convincing than humans. [5] investigate which characteristics of humans and models result in successful human manipulation in a QA setting where LLMs can provide hints. We conclude that manipulation of humans through LLMs is possible, and therefore, a real threat combined with our attack where the LLM can be manipulated to hold a particular opinion.

[1] arxiv/2404.15058
[2] arxiv/2303.08721
[3] arxiv/2403.14380
[4] osf.io/preprints/osf/stakv
[5] arxiv/2404.14230

Dear Reviewer 5N2G,

We have elaborated our model and algorithm choice in a response to Reviewer pswq. Since you had a similar concern, we believe the detailed explanation provided there will address your question as well.

If you have any further questions, please to let us know.