CodeCloak: A Method for Mitigating Code Leakage by LLM Code Assistants

• The technique contributions are weak. The used RL is standard, which includes actions and rewards.
• The evaluation is weak and misses state-of-the-art baselines to confirm the effectiveness of the proposed techniques.
• The motivation for using RL should be strengthened.
• Code and data are not open-sourced.

Major Weaknesses

1. Limited technical contribution: While CodeCloak addresses a relevant problem, its technical novelty is limited, as it primarily combines established RL methods (specifically recurrent PPO [1]) with prompt manipulation techniques. This reliance on recurrent PPO introduces challenges, such as difficulty in reward modeling and a complex training pipeline. Additionally, selecting a specific RL algorithm may restrict the generality of the approach. Expanding the RL architecture or incorporating more advanced prompt adaptation methods could enhance the contribution and broaden its applicability.

2. Over-reliance on similarity for effectiveness assessment: Relying solely on CodeBLEU for code similarity may not capture the full effectiveness of the method. CodeBLEU assesses syntactic and structural similarity, which could miss nuanced privacy risks. While PrivacyGPT and SugSimGPT provide insights into leakage and suggestion quality, PrivacyGPT may not fully evaluate the sensitivity of the leaked information, and SugSimGPT focuses on relevance rather than privacy-preserving quality. Adding targeted metrics for prompt leakage or sensitivity would provide a more complete evaluation of CodeCloak’s impact.

3. Inconsistent formula presentation: The mathematical expressions, especially around the reward function, could benefit from clearer notation and consistent formatting. Improving this aspect would make the technical approach more rigorous and easier to follow. For example:

• The cumulative reward formula $G_t = \sum_{k=0}^{\infty} \gamma^k R_{t+k+1}$ lacks definitions for variables like $G_t$ and $R_{t+k+1}$.

• The agent’s action distribution formula is shown in the action heatmap, but it doesn’t fully explain the state-action mapping, which is essential for understanding decision-making.

• In Table 2, parameters $\lambda_1$ and $\lambda_2$ are used to balance relevance and leakage but lack explanation on how each impacts the model’s outputs.

These can make the paper hard to follow and create confusion. Clearer notation and additional context would improve readability and technical rigor.

Minor Weaknesses

1. Repeated sentences and paragraphs: The paper contains multiple repetitions, particularly around the reward process, DRL modeling, and LLM choices (e.g., StarCoder[2] vs. Code Llama[3]). Streamlining these explanations could improve clarity and reduce redundancy.

2. Possible issues in updating the DRL module: The paper mentions using PPO for the DRL agent but does not provide sufficient detail on how the module adapts to diverse prompt types. Expanding on how the DRL module handles varied developer prompts and how it recalibrates under different conditions would make the approach more robust and credible.

[1] Pleines M, Pallasch M, Zimmer F, et al. Generalization, mayhems and limits in recurrent proximal policy optimization[J]. arXiv preprint arXiv:2205.11104, 2022.

[2] Li R, Allal L B, Zi Y, et al. Starcoder: may the source be with you![J]. arXiv preprint arXiv:2305.06161, 2023.

[3] Roziere B, Gehring J, Gloeckle F, et al. Code llama: Open foundation models for code[J]. arXiv preprint arXiv:2308.12950, 2023.

Major Comments:

1. The metrics used for evaluating the preservation of code intent are not adequately justified. The reliance solely on edit distance may not effectively capture the semantic preservation of the code, which is crucial for assessing leakage risks.
2. Table 1 is unclear as the best results are not consistently highlighted, and some indices show inferior performance compared to a random baseline, which is confusing.
3. The concept of new leakage risks introduced by the authors lacks substantial support from prior studies. The paper fails to clarify how these risks are quantified and mitigated, particularly the risk of intent leakage, which is critical for understanding the effectiveness of CodeCloak.
4. The criteria for code leakage are vague. The paper should clarify how it measures whether the intent behind the code has been leaked, considering that an adversary's ability to reconstruct the intent could still pose significant risks.

Minor Comments: There are several typographical errors that need correction to enhance clarity and professionalism. For instance, the term "deep learning learning" should be corrected to "deep reinforcement learning."