Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Lal, Yash Kumar, Lahoti, Preethi, Sinha, Aradhana, Qin, Yao, Balashankar, Ananth
Format: Preprint
Veröffentlicht: 2024
Schlagworte:
Online-Zugang:https://arxiv.org/abs/2406.17104
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
_version_ 1866916299293065216
author Lal, Yash Kumar
Lahoti, Preethi
Sinha, Aradhana
Qin, Yao
Balashankar, Ananth
author_facet Lal, Yash Kumar
Lahoti, Preethi
Sinha, Aradhana
Qin, Yao
Balashankar, Ananth
contents Safety classifiers are critical in mitigating toxicity on online forums such as social media and in chatbots. Still, they continue to be vulnerable to emergent, and often innumerable, adversarial attacks. Traditional automated adversarial data generation methods, however, tend to produce attacks that are not diverse, but variations of previously observed harm types. We formalize the task of automated adversarial discovery for safety classifiers - to find new attacks along previously unseen harm dimensions that expose new weaknesses in the classifier. We measure progress on this task along two key axes (1) adversarial success: does the attack fool the classifier? and (2) dimensional diversity: does the attack represent a previously unseen harm type? Our evaluation of existing attack generation methods on the CivilComments toxicity task reveals their limitations: Word perturbation attacks fail to fool classifiers, while prompt-based LLM attacks have more adversarial success, but lack dimensional diversity. Even our best-performing prompt-based method finds new successful attacks on unseen harm dimensions of attacks only 5\% of the time. Automatically finding new harmful dimensions of attack is crucial and there is substantial headroom for future research on our new task.
format Preprint
id arxiv_https___arxiv_org_abs_2406_17104
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Automated Adversarial Discovery for Safety Classifiers
Lal, Yash Kumar
Lahoti, Preethi
Sinha, Aradhana
Qin, Yao
Balashankar, Ananth
Computation and Language
Safety classifiers are critical in mitigating toxicity on online forums such as social media and in chatbots. Still, they continue to be vulnerable to emergent, and often innumerable, adversarial attacks. Traditional automated adversarial data generation methods, however, tend to produce attacks that are not diverse, but variations of previously observed harm types. We formalize the task of automated adversarial discovery for safety classifiers - to find new attacks along previously unseen harm dimensions that expose new weaknesses in the classifier. We measure progress on this task along two key axes (1) adversarial success: does the attack fool the classifier? and (2) dimensional diversity: does the attack represent a previously unseen harm type? Our evaluation of existing attack generation methods on the CivilComments toxicity task reveals their limitations: Word perturbation attacks fail to fool classifiers, while prompt-based LLM attacks have more adversarial success, but lack dimensional diversity. Even our best-performing prompt-based method finds new successful attacks on unseen harm dimensions of attacks only 5\% of the time. Automatically finding new harmful dimensions of attack is crucial and there is substantial headroom for future research on our new task.
title Automated Adversarial Discovery for Safety Classifiers
topic Computation and Language
url https://arxiv.org/abs/2406.17104