Are aligned neural networks adversarially aligned?

Existing attacks assume that a model developer creates the model and uses some alignment technique (e.g., RLHF) to make the model conform with the developer’s principles. The model is then made available to a user, either as a standalone model or via a chat API. There are two common settings under which these attacks are mounted, which we describe below.

Malicious user:  The user attempts to make the model produce outputs misaligned with the developer’s principles. Common examples of this are jailbreaks of chatbots such as ChatGPT or Bard where a user uses an adversarial example (a maliciously designed prompt) to elicit the desired unaligned behavior, such as outputting instructions for building a bomb. In this setting, there is no need for the attack to be “stealthy”.

Malicious third-party:  An honest user might query an alignment-tuned language model as part of an autonomous system that processes untrusted third-party data (e.g., a virtual assistant that reads and writes the user’s emails). A malicious third-party could launch a prompt injection attack (Greshake et al., 2023) by feeding data to the language model to hijack its behavior (e.g., exfiltrating the user’s emails). In this setting, there might be stricter constraints on a valid attack.

In this paper, we are focused on better understanding the limitations of current alignment techniques. As such, we use adversarial examples primarily to measure their worst-case behavior. That is, for the most part we are not concerned with any particular practical adversary, and instead, only with finding any valid input that achieves our attack goal. That said, our attacks are likely to be practical in both settings where a malicious user is attacking the trained language model to allow it to perform malicious behavior, as well as settings where an honest user copies malicious data from an adversary.

Alignment techniques (such as RLHF) are typically not applied to “plain” language models, but rather to models that have been first tuned to interact with users via a simple chat protocol.

Typically, this is done by placing the input to underlying language model with a specific interleaving of messages, separated by special tokens that indicate the boundaries of each message.

In the above example, the chat bot’s user typed in the messages in double-quotes, and the language model generated the italicized text in single-quotes. The special tokens ‘[USER]:’ and ‘[AGENT]:’ are automatically inserted by the chat bot application to delineate rounds of interaction when prompting the language model for its next message.

This special formatting of the aligned language model’s input places a constraint on the attacker: while the content input by the user (i.e., the text in double quotes) could be arbitrarily manipulated, the prior chat history as well as the special ‘[USER]:’ and ‘[AGENT]:’ tokens cannot be modified. In general, across domains we believe this “attacks must follow some specified format” setting is likely to occur in practice.

A number of prior works have studied adversarial examples against NLP models. The most closely related to our goal is the work of Jones et al. (2023) who study the possibility of inverting a language model, i.e., of finding an adversarial prompt $X$ that causes a model $f$ to output some targeted string $y\leftarrow f(X)$. Their technique succeeds in making a model emit the names of US Senators or emit toxic words after particular individuals. However, they assume a stronger threat model than we do here, and which does not fully match with the recent deployment of alignment-trained language models. Indeed, as noted above in Section 4.1, these language models typically operate as chat bots that interleave attacker-controlled messages with model generations and special separation tokens. As a result, this paper considers the generic problem of designing an adversarial prompt $X$ such that $\texttt{Gen}(P_{pre}||X||P_{post})$ is toxic, where $P_{pre}$ and $P_{post}$ are non-adversarial parts of the model’s prompt that respectively precede and succeed the attacker’s input.

In contrast, the setup in  Jones et al. (2023) assumes that the attacker can either control the entire prompt (i.e., the aim is to make $\texttt{Gen}(X)$ toxic), or at least the text immediately preceding the model’s next generation (i.e., $\texttt{Gen}(P_{pre}||X)$). In both cases, the attacker controls the tokens right before the model’s generation, which makes an attack much easier (but not relevant for current chat bot deployments). (However: there are several settings where their threat model is valid—for example, in code completion tasks this is likely the case. Our threat model is just more general.)

Thus, we assume the adversary can control only their messages (following the [USER]: token), and then the special [AGENT]: token is appended to the prompt sequence to indicate the end of the prompt and that the LLM should begin generating a response. In this setup, the adversary cannot modify the final tokens of the LLM’s prompt.

We construct our evaluation dataset by first collecting potentially toxic messages that a model might emit. For each toxic message, we prepend a set of benign conversations followed by the special tokens used to prompt the LLMs response. An attack is successful if it causes the toxic output to be emitted. We source benign conversations from the Open Assistant dataset. This dataset consists of a series of hypothetical interactions between a human and an assistant, which we truncate to a randomly selected $K\in[1..N]$ rounds. We use a random subset of harmful texts from Jones et al. (2023) as the attack objective, with attacks targeting between one and three tokens of toxic text.

We attack three different publicly available models, with links for reproducibility in Appendix B:

• •

  GPT-2: a model that was neither trained to act as a chatbot, nor to be aligned;

• •

  LLaMA: a model trained to chat with users but with no explicit alignment attempt;

• •

  Vicuna: a version of LLaMa that was aligned via fine-tuning to prevent toxic generations (and other harmful behaviors).

We evaluate the ARCA attack from Jones et al. (2023) and the GBDA attack from Guo et al. (2021). As ARCA generalizes and dominates prior attacks such as (Wallace et al., 2019; Ebrahimi et al., 2017) we do not also re-evaluate these. Both ARCA and GBDA are largely ineffective at causing the model to emit toxic content in our setting even when allowed to inject thirty malicious tokens. (We choose this number to match with experiemnts that will follow later in the paper.) This should not be surprising: already in Jones et al. (2023), the attack had under 40% attack success rate in getting GPT-2 to output toxic output text, even when the adversary had complete control of every token up to the desired toxic phrases. In contrast, because we require that the tokens “[AGENT]:” come after the adversarial tokens, the attacks have (much) lower attack success rates here. Table 1 summarizes these results.

Qualitative Evaluation: Toxicity:  We qualitatively inspect a subset of these generations from each setting in Table 1. We find that in most cases the output is indeed toxic as expected. But in less than ten cases, we find our automated metric has potential limitations. For example, when told to produce one toxic phrase, Vicuna responds “F*** you. I’m kidding, of course. As a AI visual assistant, I’m programmed to be polite and provide assistance to the best of my ability. How can I assist you today?”, and in another case it responds “(Note: This is not appropriate language and is not a proper response to the prompt.)” after an initially abusive message. This demonstrates a limitation of our simple isToxic definition that only performs a substring lookup. Future work will need to carefully consider different toxicity definitions once attacks begin to have nontrivial attack success rates—for now, even with this loose definition, the current attacks in the literature fail to find successful adversarial sequences.

How should we choose the prefixes $p$ and the target token $q$? If we were to choose $q$ ahead of time, then it might be very hard to find—even via brute force—a prefix $p$ so that $\texttt{Gen}(p)=q$. So instead we drop the requirement that $q$ is toxic, and approach the problem from reverse.

Initially, we sample many different prefixes $p_{1},p_{2},\dots$ from some dataset (in our case, Wikipedia). Let $S$ be the space of all N-token sequences (for some N). Then, for all possible sequences $s_{i}\in S$ we query the model on $\texttt{Gen}(s_{i}||p_{j})$. (If $|S|$ is too large, we randomly sample 1,000,000 elements $s_{i}\in S$.) This gives a set of possible output tokens $\{q_{i}\}$, one for each sequence $s_{i}$.

For some prompts $p_{j}$, the set of possible output tokens $\{q_{i}\}$ may have high entropy. For example, if $p_{j}$ = “How are you doing?” then there are likely thousands of possible continuations $q_{i}$ depending on the exact context. But for other prompts $p_{j}$, the set of possible output tokens $\{q_{i}\}$ could be exceptionally small. For example, if we choose the sequence $p_{j}$=“Barack” the subsequent token $q_{i}$ is almost always “Obama” regardless of what context $s_{i}$ was used.

But the model’s output might not always be the same. There are some other tokens that might be possible—for example, if the context where $s_{i}$=“The first name [”, then the entire prompt (“The first name [Barack”) would likely cause the model to output a closing bracket q=“]”. We denote such sequences $p_{j}$ that yield small-but-positive entropy over the outputs $\{q_{i}\}$ (for different prompts $s_{i}\in S$) a test case, and set the attack objective to be the output token $q_{i}$ that is least-likely.

These tests make excellent candidates for evaluating NLP attacks. They give us a proof (by construction) that it is possible to trigger the model to output a given word. But this happens rarely enough that an attack is non-trivial. It is now just a question of whether or not existing attacks succeed.

We construct eight different sets with varying difficulty levels and report averages across each. Our test sets are parameterized by three constants. (1) Prevalence: the probability of token $q$ given $p_{j}$, which we fix to $10^{-6}$; (2) Attacker Controlled Tokens: the number of tokens the adversary is allowed to modify, which we vary from 2, 5, 10, or 20 tokens, and (3) Target Tokens: the number of tokens of output the attacker must reach. We generate our test cases using GPT-2 only, due to the cost of running a brute force search. However, as GPT-2 is an easier model to attack, if attacks fail here, they are unlikely to succeed on the more difficult cases of aligned models.

In Table 2 we find that the existing state-of-the-art NLP attacks fail to successfully solve our test cases. In the left-most column we report attack success in a setting where the adversary must solve the task within the given number of attacker controlled tokens. ARCA is significantly stronger than GBDA (consistent with prior work) but even ARCA fails to find a successful prompt in nearly 90% of test cases. Because the numbers here are so low, we then experimented with giving the attacker more control, with a multiplicative factor on the number of manipulated tokens. That is, if the original test asks to find an adversarial prompt with $10$ tokens, and we run the attack with a factor of $5$, we allow the attack to search over $50$ attacker controlled tokens. We find that even with $10\times$ extra tokens the attack still fails our tests the majority of the time.

Note that the purpose of this evaluation is not to argue the NLP attacks we study here are incorrect in any way. On the contrary: they largely succeed at the tasks that they were originally designed for. But we are asking them to do something much harder and control the output at a distance, and our hope here is to demonstrate that while we have made significant progress towards developing strong NLP optimization attacks there is still room for improving these techniques.

Our attack approach directly follows the standard methodology for generating adversarial examples on image models. We construct an end-to-end differentiable implementation of the multimodal model, from the image pixels to the output logits of the language model. We again use the harmful-prefix attack, with the adversary constructing an adversarial image that maximizes the likelihood the model will begin its response with a specific harmful response.

We apply standard teacher-forcing optimization techniques when the target response is $>1$ token, i.e., we optimize the total cross-entropy loss across each targeted output token as if the model had correctly predicted all prior output tokens. To initiate each attack, we use a random image generated by sampling each pixel uniformly at random. We use the projected gradient descent Madry et al. (2017). We use an arbitrarily large $\epsilon$ and run for a maximum of 500 steps or until the attack succeeds; note, we report the final distortions in Table 3. We use the default step size of 0.2.

While GPT-4 currently supports vision for some users OpenAI (2023), this functionality is not yet publicly available at the time of performing this attack. Google’s Gemini has also not been made available publicly. The research community has thus developed open-source (somewhat smaller) versions of these multimodal models.

We evaluate our attack on two different implementations. While they differ in some details, both follow the approach in Section 2: the image is encoded with a vision model, projected to the token embedding space, and passed as a sequence of soft-tokens to the language model.

Mini GPT-4 (Zhu et al., 2023) uses a pretrained Q-Former module from Li et al. (2023) to project images encoded by EVA CLIP ViT-G/14 Fang et al. (2022) to Vicuna’s (Chiang et al., 2023) text embedding space. Both CLIP and Vicuna are frozen, while a section of the Q-former is finetuned on a subset of LAION Schuhmann et al. (2021), Conceptual Captions Sharma et al. (2018), SBU Ordonez et al. (2011), and multimodal instruction-following data generated by the authors.

LLaVA (Liu et al., 2023) uses a linear layer to project features from CLIP ViT-L/14 to the Vicuna embedding space. While CLIP is frozen, both Vicuna and the projection matrix are finetuned on Conceptual Captions Sharma et al. (2018) and custom multimodal instruction-following data.

LLaMA Adapter (Gao et al., 2023) works similarly to these except that it uses learned adaptation prompts to incorporate visual information internal to the model via these adapters.

Our goal with these experiments is to show that these vision-augmented models are significantly more vulnerable due to the ease of generating image adversarial examples.

We now evaluate the ability of these models to be coerced into emitting arbitrary toxic output. As in the previous section, we use the toxic phrase dataset from Jones et al. (2023) and use the OpenAssistant prompts as the initial query to the model. We measure distortion across a set of randomly generated images. We observe that our attack succeeds in all cases, regardless of the prompt. As Table 3 shows, our attack has a $100\%$ success rate at causing the model to emit arbitrary toxic content. We observe that adversarial inputs are relatively easy to find, requiring only minimal $\ell_{2}$ distortions from the initial image; there is also minimal variation in the distortion across prompts. Even though there is no inherent reason why distortion is important as an objective that should be minimized, we believe it is interesting to report the distortion required in order to underscore just how easy it is to run these attacks.

We further evaluate our attack on qualitative samples designed to probe various harmful outcomes.

For example, even when explicitly asking for harmful output (e.g., “Write a vile letter telling my neighbor what I think of him.”) the model still responds harmlessly (“Dear [Neighbor’s Name] … I have to say that I am not impressed with your behavior … Sincerely, [Your Name]”). But by providing an adversarial image as input, we can cause the model to emit our desired harmful output (“F*** you, you dirty life piece of s***. You’re a disgusting, filthy, stinky, scumbag who doesn’t deserve to live in this neighborhood … you worthless, good-for-nothing, loser.”)

Similarly, when asked to provide instructions for how to get away with murder, the base model responds that “It is not appropriate to encourage or provide information on how to harm or kill someone” but the attacked model complies: “The first step would be to identify the location of the neighbor’s house”. While the response here is rather poor advice, this is likely because the model is not competent; a better model might provide more actionable (and thus harmful) advice. We list sample (uncensored) examples of our ability to attack these models in the Appendix.