Mitigating Fine-tuning based Jailbreak Attack with Backdoor Enhanced Safety Alignment

📄 arXiv: 2402.14968v3 📥 PDF

作者: Jiongxiao Wang, Jiazhao Li, Yiquan Li, Xiangyu Qi, Junjie Hu, Yixuan Li, Patrick McDaniel, Muhao Chen, Bo Li, Chaowei Xiao

分类: cs.CR, cs.CL

发布日期: 2024-02-22 (更新: 2024-06-20)


💡 一句话要点

提出后门增强安全对齐方法以应对细调基础的越狱攻击

🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)

关键词: 大型语言模型 细调攻击 安全性 后门攻击 模型对齐 语言模型即服务 恶意细调 安全示例

📋 核心要点

  1. 现有的细调方法在引入用户数据时,容易受到细调基础的越狱攻击,导致模型安全性下降。
  2. 提出后门增强安全对齐方法,通过构建带有秘密提示的预设安全示例,增强模型的安全性。
  3. 实验结果显示,仅需11个预设安全示例,恶意细调的LLM安全性能可与原始模型相媲美,且良性性能未受影响。

📝 摘要(中文)

尽管大型语言模型(LLM)具备广泛的能力,但在满足特定业务需求时,仍需通过定制数据进行细调或适应。然而,这一过程不可避免地引入了新的威胁,尤其是在语言模型即服务(LMaaS)环境下,细调用户上传的示例中包含少量有害示例,导致模型安全性显著下降。为有效防御细调基础的越狱攻击(FJAttack),本文提出了受后门攻击启发的后门增强安全对齐方法。通过将预设的安全示例与秘密提示结合,服务提供者可以在细调数据集中有效地建立安全生成与秘密提示之间的强关联,从而确保在推理过程中安全响应的生成。实验表明,仅需添加11个预设安全示例,恶意细调的LLM便能实现与原始对齐模型相似的安全性能,而不会损害良性性能。

🔬 方法详解

问题定义:本文旨在解决在语言模型即服务(LMaaS)环境下,细调基础的越狱攻击(FJAttack)所带来的安全隐患。现有方法需要大量安全示例,效率低下。

核心思路:提出后门增强安全对齐方法,通过将预设的安全示例与秘密提示结合,形成一种“后门触发器”,以增强模型的安全性。

技术框架:整体流程包括构建预设安全示例、将其整合到细调数据集中,以及在推理时使用秘密提示以确保安全响应。主要模块包括数据准备、模型细调和推理阶段。

关键创新:最重要的创新在于通过少量的预设安全示例实现对抗恶意细调的能力,与传统方法相比,显著降低了对数据量的需求。

关键设计:关键设计包括选择合适的秘密提示、预设安全示例的构建方式,以及在细调过程中如何有效地整合这些示例以确保模型的安全性。具体参数设置和损失函数的选择在实验中进行了优化。

🖼️ 关键图片

fig_0
fig_1
fig_2

📊 实验亮点

实验结果显示,通过后门增强安全对齐方法,仅需添加11个预设安全示例,恶意细调的LLM在安全性能上与原始对齐模型相当,良性性能未受到影响。这一结果表明,该方法在资源有限的情况下,依然能够有效提升模型的安全性。

🎯 应用场景

该研究的潜在应用领域包括在线服务平台、聊天机器人和任何需要安全性保障的语言模型应用。通过增强模型的安全性,可以有效防止恶意用户利用细调功能进行攻击,提升用户信任度和服务质量。未来,该方法可扩展至其他类型的模型和应用场景,具有广泛的实际价值。

📄 摘要(原文)

Despite the general capabilities of Large Language Models (LLM), these models still request fine-tuning or adaptation with customized data when meeting specific business demands. However, this process inevitably introduces new threats, particularly against the Fine-tuning based Jailbreak Attack (FJAttack) under the setting of Language-Model-as-a-Service (LMaaS), where the model's safety has been significantly compromised by fine-tuning users' uploaded examples contain just a few harmful examples. Though potential defenses have been proposed that the service providers can integrate safety examples into the fine-tuning dataset to reduce safety issues, such approaches require incorporating a substantial amount of data, making it inefficient. To effectively defend against the FJAttack with limited safety examples under LMaaS, we propose the Backdoor Enhanced Safety Alignment method inspired by an analogy with the concept of backdoor attacks. In particular, service providers will construct prefixed safety examples with a secret prompt, acting as a "backdoor trigger". By integrating prefixed safety examples into the fine-tuning dataset, the subsequent fine-tuning process effectively acts as the "backdoor attack", establishing a strong correlation between the secret prompt and safety generations. Consequently, safe responses are ensured once service providers prepend this secret prompt ahead of any user input during inference. Our comprehensive experiments demonstrate that through the Backdoor Enhanced Safety Alignment with adding as few as 11 prefixed safety examples, the maliciously fine-tuned LLMs will achieve similar safety performance as the original aligned models without harming the benign performance. Furthermore, we also present the effectiveness of our method in a more practical setting where the fine-tuning data consists of both FJAttack examples and the fine-tuning task data.