Saved in:
Bibliographic Details
Main Authors: Qi, Xiangyu, Wei, Boyi, Carlini, Nicholas, Huang, Yangsibo, Xie, Tinghao, He, Luxi, Jagielski, Matthew, Nasr, Milad, Mittal, Prateek, Henderson, Peter
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2412.07097
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866916515266166784
author Qi, Xiangyu
Wei, Boyi
Carlini, Nicholas
Huang, Yangsibo
Xie, Tinghao
He, Luxi
Jagielski, Matthew
Nasr, Milad
Mittal, Prateek
Henderson, Peter
author_facet Qi, Xiangyu
Wei, Boyi
Carlini, Nicholas
Huang, Yangsibo
Xie, Tinghao
He, Luxi
Jagielski, Matthew
Nasr, Milad
Mittal, Prateek
Henderson, Peter
contents Stakeholders -- from model developers to policymakers -- seek to minimize the dual-use risks of large language models (LLMs). An open challenge to this goal is whether technical safeguards can impede the misuse of LLMs, even when models are customizable via fine-tuning or when model weights are fully open. In response, several recent studies have proposed methods to produce durable LLM safeguards for open-weight LLMs that can withstand adversarial modifications of the model's weights via fine-tuning. This holds the promise of raising adversaries' costs even under strong threat models where adversaries can directly fine-tune model weights. However, in this paper, we urge for more careful characterization of the limits of these approaches. Through several case studies, we demonstrate that even evaluating these defenses is exceedingly difficult and can easily mislead audiences into thinking that safeguards are more durable than they really are. We draw lessons from the evaluation pitfalls that we identify and suggest future research carefully cabin claims to more constrained, well-defined, and rigorously examined threat models, which can provide more useful and candid assessments to stakeholders.
format Preprint
id arxiv_https___arxiv_org_abs_2412_07097
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle On Evaluating the Durability of Safeguards for Open-Weight LLMs
Qi, Xiangyu
Wei, Boyi
Carlini, Nicholas
Huang, Yangsibo
Xie, Tinghao
He, Luxi
Jagielski, Matthew
Nasr, Milad
Mittal, Prateek
Henderson, Peter
Cryptography and Security
Artificial Intelligence
Stakeholders -- from model developers to policymakers -- seek to minimize the dual-use risks of large language models (LLMs). An open challenge to this goal is whether technical safeguards can impede the misuse of LLMs, even when models are customizable via fine-tuning or when model weights are fully open. In response, several recent studies have proposed methods to produce durable LLM safeguards for open-weight LLMs that can withstand adversarial modifications of the model's weights via fine-tuning. This holds the promise of raising adversaries' costs even under strong threat models where adversaries can directly fine-tune model weights. However, in this paper, we urge for more careful characterization of the limits of these approaches. Through several case studies, we demonstrate that even evaluating these defenses is exceedingly difficult and can easily mislead audiences into thinking that safeguards are more durable than they really are. We draw lessons from the evaluation pitfalls that we identify and suggest future research carefully cabin claims to more constrained, well-defined, and rigorously examined threat models, which can provide more useful and candid assessments to stakeholders.
title On Evaluating the Durability of Safeguards for Open-Weight LLMs
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2412.07097