Transfer Attacks and Defenses for Large Language Models on Coding Tasks

📄 arXiv: 2311.13445v1 📥 PDF

作者: Chi Zhang, Zifan Wang, Ravi Mangal, Matt Fredrikson, Limin Jia, Corina Pasareanu

分类: cs.LG, cs.CR

发布日期: 2023-11-22


💡 一句话要点

提出基于提示的防御方法以增强LLM在编码任务中的鲁棒性

🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)

关键词: 对抗样本 大型语言模型 编码任务 鲁棒性 提示方法 模型防御 代码安全

📋 核心要点

  1. 现有的代码模型在面对对抗样本时表现出脆弱性,尤其是小的语法扰动可能影响模型性能。
  2. 论文提出了一种基于提示的防御方法,通过修改输入提示来增强LLMs对对抗扰动的抵抗力。
  3. 实验结果表明,使用小型代码模型生成的对抗样本能够有效转移到LLMs,且提出的防御方法显著提高了模型的鲁棒性。

📝 摘要(中文)

现代大型语言模型(LLMs),如ChatGPT,在编码任务中展现了出色的能力,包括代码编写和推理。然而,现有的代码模型已显示出对对抗样本的脆弱性。本文研究了对抗扰动对LLMs的影响,特别是通过白盒攻击生成的对抗样本在小型代码模型与LLMs之间的可转移性。此外,提出了一种基于提示的防御方法,通过修改提示以包含对抗性扰动代码的示例和逆转对抗扰动的明确指令,从而增强LLMs的鲁棒性。实验结果表明,使用小型代码模型获得的对抗样本确实具有可转移性,削弱了LLMs的性能,而提出的防御方法在提高模型的韧性方面显示出良好的前景。

🔬 方法详解

问题定义:本文旨在解决大型语言模型在编码任务中对对抗样本的脆弱性,现有方法未能充分研究LLMs对这些扰动的反应。

核心思路:通过研究小型代码模型生成的对抗样本在LLMs上的可转移性,提出基于提示的防御方法,以增强模型的鲁棒性,而无需重新训练。

技术框架:整体流程包括生成对抗样本、评估其在LLMs上的影响,以及设计和实施基于提示的防御策略,主要模块包括对抗样本生成模块和提示修改模块。

关键创新:最重要的创新在于提出了一种无需重训练的防御机制,通过修改输入提示来增强LLMs的抵抗力,这与传统的防御方法形成鲜明对比。

关键设计:在提示修改中,包含对抗性扰动代码的示例和明确的逆转指令,确保模型能够理解并适应这些扰动。

🖼️ 关键图片

fig_0
fig_1
fig_2

📊 实验亮点

实验结果显示,使用小型代码模型生成的对抗样本在LLMs上的可转移性显著,导致模型性能下降。通过基于提示的防御方法,模型的鲁棒性得到了显著提升,具体提升幅度未在摘要中给出。

🎯 应用场景

该研究的潜在应用领域包括软件开发、代码审查和自动化测试等,能够提高大型语言模型在实际编码任务中的可靠性和安全性。未来,随着对抗攻击技术的不断发展,增强模型的鲁棒性将变得愈加重要。

📄 摘要(原文)

Modern large language models (LLMs), such as ChatGPT, have demonstrated impressive capabilities for coding tasks including writing and reasoning about code. They improve upon previous neural network models of code, such as code2seq or seq2seq, that already demonstrated competitive results when performing tasks such as code summarization and identifying code vulnerabilities. However, these previous code models were shown vulnerable to adversarial examples, i.e. small syntactic perturbations that do not change the program's semantics, such as the inclusion of "dead code" through false conditions or the addition of inconsequential print statements, designed to "fool" the models. LLMs can also be vulnerable to the same adversarial perturbations but a detailed study on this concern has been lacking so far. In this paper we aim to investigate the effect of adversarial perturbations on coding tasks with LLMs. In particular, we study the transferability of adversarial examples, generated through white-box attacks on smaller code models, to LLMs. Furthermore, to make the LLMs more robust against such adversaries without incurring the cost of retraining, we propose prompt-based defenses that involve modifying the prompt to include additional information such as examples of adversarially perturbed code and explicit instructions for reversing adversarial perturbations. Our experiments show that adversarial examples obtained with a smaller code model are indeed transferable, weakening the LLMs' performance. The proposed defenses show promise in improving the model's resilience, paving the way to more robust defensive solutions for LLMs in code-related applications.