Ensuring the safety of large language models (LLMs) is vital given their widespread use across various sectors. Despite efforts made to secure these systems, through approaches like reinforcement learning from human feedback (RLHF) and the development of inference-time controls, vulnerabilities persist. Adversarial attacks have, in certain instances, been able to circumvent such defenses, raising the question of how to bolster the security of the LLMs effectively.
A number of strategies have been trialed. Multiple explorations have been conducted into harmful text classification, adversarial attacks, LLM defenses, and self-evaluation methods. The goal is to create a more secure environment for language model users and developers. Yet, challenges remain as many current solutions depend heavily on resource-intensive algorithms, require continual adjustments to the models, or may need to use proprietary tools, such as OpenAI’s content moderation service.
A team of researchers from the National University of Singapore has proposed an innovative defense mechanism against adversarial attacks, which utilizes a novel approach of self-evaluation. By using pre-trained models to scrutinize the inputs and outputs of a generator model, the need for fine-tuning is eliminated, reducing costs and resource demands.
The self-evaluation method has proven effective in simplifying the assessment of safety for LLMs’ outputs, and considerably reducing the chances of successful attacks on open and closed-source LLMs. This puts it ahead of competition like Llama-Guard2 and general content moderation APIs. An important aspect of the research was to ensure that attempts to undermine this method of defense would be ineffective, which serves to assert the superiority of the approach over existing techniques.
The self-evaluation strategy comes with several trade-offs between security, computation cost, and vulnerability to attacks. For instance, evaluating only user inputs (Input-Only defense) is faster and more cost-effective but might miss detecting potentially harmful content based on context. Evaluating only responses from the generator model (Output-Only defense) can minimize user attacks but could mean additional costs. Finally, the Input-Output defense, which evaluates both inputs and outputs, provides the most context-sensitive safety evaluation but is also the most computationally demanding.
The researchers tested the effectiveness of their self-evaluation strategy under different conditions. Without defense mechanisms, the models were highly susceptible to adversarial attacks, with success rates of such attacks ranging from 45.0% to 95.0%. However, with the implementation of self-evaluation defense, the success rates of adversarial attacks dropped dramatically to nearly 0%, outperforming other APIs and even Llama-Guard2.
Despite potential threats, self-evaluation stands as the strongest current defense against unsafe inputs and maintains robust model performance without becoming more vulnerable. This research has paved the way for more effective solutions to enhance the safety and reliability of LLMs, with this strategy’s ease of implementation, strong defensive abilities and compatibility across models underscoring its significance in the field. Ultimately, it is hoped that research in this vein will continue to strengthen the robustness, security, and alignment of language models, and support their practical applications.
