Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
41 tokens/sec
GPT-4o
59 tokens/sec
Gemini 2.5 Pro Pro
41 tokens/sec
o3 Pro
7 tokens/sec
GPT-4.1 Pro
50 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Emulated Disalignment: Safety Alignment for Large Language Models May Backfire! (2402.12343v4)

Published 19 Feb 2024 in cs.CL, cs.AI, and cs.LG

Abstract: LLMs undergo safety alignment to ensure safe conversations with humans. However, this paper introduces a training-free attack method capable of reversing safety alignment, converting the outcomes of stronger alignment into greater potential for harm by accessing only LLM output token distributions. Specifically, our method achieves this reversal by contrasting the output token distribution of a safety-aligned LLM (e.g., Llama-2-chat) against its pre-trained version (e.g., Llama-2), so that the token predictions are shifted towards the opposite direction of safety alignment. We name this method emulated disalignment (ED) because sampling from this contrastive distribution provably emulates the result of fine-tuning to minimize a safety reward. Our experiments with ED across three evaluation datasets and four model families (Llama-1, Llama-2, Mistral, and Alpaca) show that ED doubles the harmfulness of pre-trained models and outperforms strong baselines, achieving the highest harmful rates in 43 out of 48 evaluation subsets by a large margin. Eventually, given ED's reliance on LLM output token distributions, which particularly compromises open-source models, our findings highlight the need to reassess the open accessibility of LLMs, even if they have been safety-aligned. Code is available at https://github.com/ZHZisZZ/emulated-disalignment.

PDF HTML Abstract
Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize File Document Download Save Streamline Icon: https://streamlinehq.com PDF File Document Download Save Streamline Icon: https://streamlinehq.com Markdown Bookmark Chat Bubble Oval Streamline Icon: https://streamlinehq.com Chat (Pro)
Definition Search Book Streamline Icon: https://streamlinehq.com
References (39)
  1. Anthropic. Model card and evaluations for claude models, 2023.
  2. Training a helpful and harmless assistant with reinforcement learning from human feedback, 2022.
  3. On the dangers of stochastic parrots: Can language models be too big? In Proceedings of the 2021 ACM Conference on Fairness, Accountability, and Transparency, pp.  610–623, 2021.
  4. Jailbreaking black box large language models in twenty queries, 2023.
  5. Can llm-generated misinformation be detected?, 2023.
  6. Vicuna: An open-source chatbot impressing gpt-4 with 90%* chatgpt quality, March 2023. URL https://lmsys.org/blog/2023-03-30-vicuna/.
  7. Tri Dao. Flashattention-2: Faster attention with better parallelism and work partitioning, 2023.
  8. Attacks, defenses and evaluations for llm conversation safety: A survey, 2024.
  9. Bias and fairness in large language models: A survey, 2023.
  10. Scaling laws for reward model overoptimization, 2022.
  11. Realtoxicityprompts: Evaluating neural toxic degeneration in language models, 2020.
  12. Composable deep reinforcement learning for robotic manipulation, 2018.
  13. Llama guard: Llm-based input-output safeguard for human-ai conversations, 2023.
  14. Beavertails: Towards improved safety alignment of llm via a human-preference dataset, 2023.
  15. Mistral 7b, 2023.
  16. Contrastive decoding: Open-ended text generation as optimization, 2023a.
  17. Deepinception: Hypnotize large language model to be jailbreaker, 2023b.
  18. The unlocking spell on base llms: Rethinking alignment via in-context learning, 2023a.
  19. Toxicchat: Unveiling hidden challenges of toxicity detection in real-world user-ai conversation, 2023b.
  20. Autodan: Generating stealthy jailbreak prompts on aligned large language models, 2023.
  21. A holistic approach to undesired content detection in the real world, 2023.
  22. An emulator for fine-tuning large language models using small language models, 2023.
  23. Gpt-4 technical report, 2023.
  24. Training language models to follow instructions with human feedback, 2022.
  25. Fine-tuning aligned language models compromises safety, even when users do not intend to!, 2023.
  26. Reasoning with language model prompting: A survey, 2023.
  27. Direct preference optimization: Your language model is secretly a reward model, 2023.
  28. Zero: Memory optimizations toward training trillion parameter models, 2020.
  29. ”do anything now”: Characterizing and evaluating in-the-wild jailbreak prompts on large language models, 2023.
  30. Trusting your evidence: Hallucinate less with context-aware decoding, 2023.
  31. ”i’m sorry to hear that”: Finding new biases in language models with a holistic descriptor dataset, 2022.
  32. Learning to summarize from human feedback, 2022.
  33. Stanford alpaca: An instruction-following llama model. https://github.com/tatsu-lab/stanford_alpaca, 2023.
  34. Llama: Open and efficient foundation language models, 2023a.
  35. Llama 2: Open foundation and fine-tuned chat models, 2023b.
  36. Zephyr: Direct distillation of lm alignment, 2023.
  37. Unveiling the implicit toxicity in large language models, 2023.
  38. Weak-to-strong jailbreaking on large language models, 2024.
  39. Universal and transferable adversarial attacks on aligned language models, 2023.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (7)
  1. Zhanhui Zhou (13 papers)
  2. Jie Liu (492 papers)
  3. Zhichen Dong (4 papers)
  4. Jiaheng Liu (100 papers)
  5. Chao Yang (333 papers)
  6. Wanli Ouyang (358 papers)
  7. Yu Qiao (563 papers)
Citations (9)
View on Semantic Scholar
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets