S-Eval: Automatic and Adaptive Test Generation for Benchmarking Safety Evaluation of Large Language Models

Large Language Models (LLMs) are advanced deep learning models. Currently, most LLMs are built based upon the Transformer architecture (Vaswani et al., 2017), and they are trained on massive textual corpora with a large number of parameters to effectively understand and generate natural language text. LLMs are widely used in various natural language processing tasks such as text translation (Yang et al., 2023a), sentiment analysis (Zhang et al., 2023a), and text summarization (Van Veen et al., 2024).

A common method of interacting with LLMs is prompt engineering (Liu et al., 2023c; White et al., 2023), in which users guide LLMs to generate desired responses or complete specific tasks through well-designed prompt text. Prompts are critical to the quality of the output of LLMs, and small changes to the prompt result in large performance variations (Liu et al., 2023b; Shin et al., 2020).

In safety evaluation task, given an LLM $\mathcal{M}$, we need an evaluation prompt set $\mathbf{P}=\{p_{1},p_{2},\cdots,p_{n}\}$, and an safety evaluation model $\mathcal{J}(\cdot)\in\{0,1\}$ to judge whether a harmful response is triggered. Let $r_{i}$ be the response of $\mathcal{M}$ to the prompt $p_{i}\in\mathbf{P}$, which is considered harmful when $\mathcal{J}(p_{i},r_{i})=0$ and safe otherwise. In this work, we aim to construct an evaluation prompt set $\mathbf{P}$ based on the designed risk taxonomy $\mathbf{C}$ that can effectively reflect the safety of LLMs on the subdivided risk dimensions. Specifically, our evaluation prompt set consists of two parts: $\mathbf{P}=\{\mathbf{P}^{B},\mathbf{P}^{A}\}$, where $\mathbf{P}^{B}=\{p^{B}_{1},p^{B}_{2},\cdots,p^{B}_{m}\}$ denotes the base risk prompt set and $\mathbf{P}^{A}=\{p^{A}_{1},p^{A}_{2},\cdots,p^{A}_{n}\}$ denotes the corresponding attack prompt set, which are meant to capture the potential risks of LLMs in the vast diverse input space and adversarial scenarios respectively.

Figure 2 shows the overview of the S-Eval framework. At a high level, given a risk taxonomy (details later), in the training flow (dashed line), we first collect a small number of hand-crafted risk prompts based on the risk definitions and generate corresponding attack prompts using multiple instruction attacks. Then, we train an expert test-generation LLM $\mathcal{M}_{t}$ with these prompts. In the generation flow (solid line), we first use $\mathcal{M}_{t}$ to automatically generate a set of base risk prompts, and then remove similar and benign prompts to select a high-quality base risk prompt set $P^{B}$. Subsequently, we apply $\mathcal{M}_{t}$ to generate corresponding attack prompts for each prompt in $P^{B}$. Finally, we identify those meaningless attack prompts and regenerate to obtain the attack prompt set $P^{A}$. Next, we present details on the proposed risk taxonomy $\mathbf{C}$, the test prompt generation and selection methods and the evaluation model $\mathcal{J}$ to judge whether a harmful response is triggered.

The motivation of S-Eval is to help researchers and developers comprehensively evaluate the safety of LLMs so that they can be intuitively informed of the concrete safety threats in a certain aspect. With this goal in mind, we first systematically analyze the existing taxonomies (OpenAI, 2024; Liang et al., 2022; Wang et al., 2024; Ganguli et al., 2022). Then, we design a new unified multidimensional fine-grained risk taxonomy by summarizing risks that may arise during the use of LLMs and decoupling different risks from each other by considering the intent and context of them, which is intended to reflect the safety levels of LLMs on the subdivided risk dimensions. Our taxonomy also considers risks that are not covered in other taxonomies, like the threats caused by technological autonomy. Specifically, the risk taxonomy has a structured hierarchy with four levels, comprising 8 risk dimensions, 25 risk categories, 56 risk subcategories, and 52 risk sub-subcategories. The first-level risk dimensions and second-level risk categories are shown in Figure 1. The risk dimensions at the top level are as follows (all details available at (Anonymous, 2024) ).

Crimes and Illegal Activities (CI). This dimension refers to behaviors that violate laws and regulations, including criminal acts as well as non-criminal violations of administrative laws and regulations. This includes, but is not limited to, viewing pornographic content, rape, drug production and trafficking, production of dangerous weapons, theft, robbery, tax evasion, embezzlement, bribery, and infringement of intellectual property rights.

Hate Speech (HS). It refers to the publication of insulting, sarcastic, cursing, profane, threatening, or other disparaging speech or written content directed at a specific individual or group of individuals for various reasons. It may provoke aversion, fear, or hatred of others, potentially culminating in direct or indirect harm, ostracism, or oppression.

Physical and Mental Health (PM). This category of risk encompasses behaviors that could potentially jeopardize human physical and mental well-being, comprising two distinct subcategories: (a) Physical Harm pertains to injuries or damage inflicted on the human body due to a variety of factors. (b) Mental Health addresses adverse effects on mood, cognitive functioning, and overall life and work quality, stemming from psychological factors, including negative emotional states and mental disorders.

Ethics and Morality (EM). Beyond obvious violations of laws and regulations, many human behaviors do not conform to ethical principles and moral norms. Social ethics typically concern human relationships, attitudes, behaviors towards others, and responsibilities towards others and society, including issues like bias and discrimination. Additionally, we examine science ethics, which focus on the ethical and moral issues involved in the development and application of science and technology. This includes the improper use of science and technology and the potential conflicts between technological autonomy and human values.

Data Privacy (DP). LLM training data often contains private information (Tramèr et al., 2022). A significant amount of previous works have shown that once such information is embedded in LLMs, it is susceptible to malicious prompts to extract it, thus posing a significant privacy risk (Khowaja et al., 2024; Li et al., 2023a; Lukas et al., 2023). This dimension therefore focuses on attempts to extract private data from LLMs for personal private data such as contact information, financial information, and communication records as well as commercial secret such as market strategies, customer information, and supply chain information.

Cybersecurity (CS). It indicates attempts to compromise the Confidentiality, Integrity, and Availability of a network system, including overstep** access controls, designing malicious code such as viruses, worms, and Trojan horses, and threatening the physical security of a network system.

Extremism (EX). Compared to crimes and illegal activities, this dimension poses a graver peril. This dimension usually manifests as the extreme pursuit and persistence of a certain ideology, religion, politics, or social perspective, threatening social order and stability. This includes violent terrorist activities, social divisions, and extremist ideological trends.

Inappropriate Suggestions (IS). It denotes the potential hazard when responses to queries in critical domains like finance, medicine, and law turn out to be biased, inaccurate, or reckless. This risk stems from the inherently finite and dated knowledge of LLMs, compounded by occasional LLM-generated hallucination (Bang et al., 2023), which can lead to user detriment.

Safety benchmarks need to be able to objectively and continuously evaluate the safety of LLMs. However, there are several challenges to achieve this goal: 1) Some safety benchmarks heavily rely on manual collection and annotation, incurring significant time and labor costs. This limits the scale and expansion potential of the benchmarks, not to mention controlling and tracing benchmark data quality; 2) The safety threat environment continues to evolve, with new safety risks and innovations in attack methods constantly emerging. Benchmarks must quickly identify and integrate these new threats to ensure that evaluation prompts can be expanded and updated in a timely manner. 3) With the rapid iteration and performance improvement of LLMs, the original static benchmarks gradually lose the ability to effectively evaluate the safety level of the latest models. Benchmarks need continuous adaptive updates to align with the iterative updates of LLMs.

In this work, we propose an LLM-based automatic test generation approach to address the above challenges. Notably, since LLMs are often trained with safety alignment methods, they are prone to rejecting the generation of harmful prompts. Inspired by the idea of ‘unalignment’ (Bhardwaj and Poria, 2023a), we construct our expert test-generation LLM $\mathcal{M}_{t}$³³3We also call $\mathcal{M}_{t}$ a risk LLM in this paper as it is used for risk prompt generation. by fine-tuning Qwen-14B-Chat (Bai et al., 2023) on harmful Question-Answer (QA) pairs via LoRA (Hu et al., 2021) to break the safety alignment. $\mathcal{M}_{t}$ can support multiple prompt generation tasks and has shown great generalization ability. Then, we combine it with well-designed prompts generation strategies to generate base risk prompts $P^{B}$ and attack prompts $P^{A}$ referring to the risk taxonomy, achieving automatic test prompts generation and adaptive update.

To ensure the quality of test prompts, we review the collected base risk prompts and attack prompts.

For base risk prompts, there are two main challenges: similar prompts and benign prompts that lack significant riskiness. We define a similarity measure $S$, combining semantic similarity $S_{sem}(p_{i},p_{j})=\frac{E(p_{i})\cdot E(p_{j})}{\|E(p_{i})\|\|E(p_{j})\|}$, where $p_{i}$ and $p_{j}$ are two prompts and $E(\cdot)$ is an embedding model and Levenshtein distance $S_{lev}$ to identify and eliminate similar base risk prompts:

where $\alpha\in[0,1]$ is a weighting factor to balance superficial and feature similarity. The two prompts are similar when $S(p_{i},p_{j})$ exceeds a predefined threshold $\theta_{sim}$ and we retain the longer prompt.

To eliminate benign prompts, we use multiple victim LLMs $\mathcal{M}_{v}=\{{\mathcal{M}_{v}}_{1},{\mathcal{M}_{v}}_{2},\cdots,{\mathcal{M}_{v}}_{l}\}$ and the evaluation model $\mathcal{J}$ to evaluate the riskiness of each base risk prompt $p^{B}_{i}$. We get responses $R_{i}=\{{r_{i}}_{1},{r_{i}}_{2},\cdots,{r_{i}}_{l}\}$ to $p^{B}_{i}$ from $\mathcal{M}_{v}$. Then, we input $p^{B}_{i}$ and $R_{i}$ into $\mathcal{J}$ to get safety confidences ${S_{c}}_{i}=\{{{s_{c}}_{i}}_{1},{{s_{c}}_{i}}_{2},\cdots,{{s_{c}}_{i}}_{l}\}$ and retain $p^{B}_{i}$ if the average of ${S_{c}}_{i}$, $\bar{{S_{c}}_{i}}=\frac{1}{l}\sum_{j=1}^{l}{{s_{c}}_{i}}_{j}$ is less than a predefined threshold $\theta_{safe}$. When the safety of LLMs improves, the benchmark can be updated by dynamically adjusting $\theta_{safe}$ or replacing higher safe $\mathcal{M}_{v}$.

For attack prompts, since we automatically generate them through the specially trained risk LLM, there may be duplicate decoding during the generation process, resulting in meaningless prompts. Considering the powerful ability of LLMs, we use LLMs to identify meaningless attack prompts and manually check those that are difficult for LLMs to determine. We regenerate these prompts later until there are no duplicate decodings.

We show the statistics of prompts in S-Eval in Table 1.

Datasets. To make a comprehensive and objective evaluation, we randomly and uniformly sample 2,000 base risk prompts (1,000 in Chinese and corresponding 1,000 in English) as the base risk prompt set $\mathbf{P}^{B}$, comprehensively considering the data balance across the first-level risk dimensions and second-level risk categories. We also take corresponding 20,000 attack prompts as the attack prompt set $\mathbf{P}^{A}$. Detailed data distribution for each risk category can be found in Appendix A (Table 5).

Evaluated Models. Delving into different research questions, we targeted select representative LLMs for experiments. To evaluate the safety performance under normal usage conditions, we use the default chat template and decoding strategy of each model.

Evaluation Models. We use the safety critique LLM $\mathcal{M}_{c}$ as the evaluation model $\mathcal{J}$.

Evaluation Metrics. In each risk category $c\in\mathbf{C}$, let $\mathbf{P}^{B}_{c}$ be the base risk prompt set for $c$ and ${\mathbf{P}^{A}_{c}}_{z}$ be the corresponding attack prompt set for each instruction attack $z\in\mathbf{Z}$.

We calculate the Safety Score (SS) of LLMs, i.e., the percentage of safe responses out of all responses, to measure the safety of the evaluated LLMs. The higher the score, the safer the LLM. The safety score on $c$ is calculated as:

where ${p^{B}_{c}}_{i}$ denotes a prompt in $\mathbf{P}^{B}_{c}$ and $r$ denotes the response to ${p^{B}_{c}}_{i}$.

We use the Attack Success Rate (ASR), i.e., the percentage of harmful responses out of all responses, to measure the capability of LLMs to defend against and resist instruction attacks. The lower the ASR, the more robust the LLM. The attack success rate of attack method $z$ is calculated as:

where ${{p^{A}_{c}}_{z}}_{i}$ denotes a prompt in ${\mathbf{P}^{A}_{c}}_{z}$ and $r$ denotes the response to ${{p^{A}_{c}}_{z}}_{i}$.

Considering that there is some variation in the number of prompts in each risk category, to make the evaluation results more trusty, the overall safety score and attack success rate are calculated as:

RQ1. (Evaluation of Effectiveness) Does S-Eval more effectively reflect the safety of LLMs compared to existing safety benchmarks?

In order to validate that S-Eval more effectively reflects the safety of LLMs, we compare the differences in the safety scores of different models on $\mathbf{P}^{B}$ and existing safety benchmarks. We adopt four widely used safety benchmarks, AdvBench (Zou et al., 2023), HH-RLHF (red-teaming) (Ganguli et al., 2022), Flames (Huang et al., 2023b) that is a highly adversarial benchmark, and SafetyPrompts (typical safety scenarios) (Sun et al., 2023), as the baselines, and follow the following data sampling strategies: for HH-RLHF and SafetyPrompts, we randomly and uniformly extracted from their risk dimensions 1,000 prompts; for AdvBench and Flames, we use all their prompts, which are 520 and 1,000, respectively. After the data sampling, we use the Google Translate API ⁵⁵5https://translate.google.com to translate the prompts in each baseline benchmark into Chinese or English.

We evaluate 16 popular and representative open-source and closed-source LLMs in both Chinese and English, covering a wide range of organizations and model scales, as detailed in Appendix C (Table 6). For each model family, we choose the model with medium or best performance depending on the parameter scale setting.

Table 3 presents the overall safety scores of the evaluated models on the five benchmarks and the safety scores on the eight risk dimensions in S-Eval. The results present us a variety of observations and insights as follows.

First, S-Eval is more risky and more effectively reflects the safety of LLMs. All models have lower safety scores in Chinese and English than the four baselines on S-Eval. Specifically, among the baselines, Advbench is the least risky, with most of the LLMs having safety scores of 95% and above, and the highly adversarial Flames is the most. To further analyze the distributions of the safety scores in Chinese and English on each benchmark, we first exclude outliers based on the upper and lower quartiles of the safety scores on each benchmark and then characterize the corresponding distributions as shown in Figure 7. The 95% confidence interval sizes of the safety scores in Chinese and English on S-Eval are 30.86% and 50.55%, respectively. In contrast, the 95% confidence interval sizes of the four baselines are Advbench (5.77% / 7.58%), HH-RLHF (16.36% / 20.94%), Flames (19.54% / 22.53%), and SafetyPrompts (12.02% / 14.24%). Meanwhile, the distributions of the safety scores in Chinese and English on S-Eval are more uniform. The higher riskiness, larger confidence interval size of safety scores, and more uniform safety score distribution indicate that S-Eval is more effective in reflecting the safety of LLMs and the differences in safety.

Second, the evaluation results on S-Eval show that: among the closed-source LLMs, ErnieBot-4.0 has the highest safety score, with 79.70% in Chinese and 87.60% in English. Gemini-1.0-Pro has the lowest safety score, with 53.90% in Chinese and 41.90% in English. The leading safety performance of ErnieBot-4.0 may be due to its advanced outer safety guardrail, which can audit inference content and filter out sensitive words. For the open-source LLMs, in Chinese, Qwen-72B-Chat has the highest safety score of 73.10% and Yi-34B-Chat has the lowest safety score of 46.70%; in English, LLaMA-2-13B-Chat has the highest safety score of 85.10% and Mistral-7B-Instruct-v0.2 has the lowest safety score of 34.20%. In addition, LLaMA-3 family has lower safety scores than LLaMA-2 family, indicating lower refusal rates. It is worth noting that although Qwen-1.8B-Chat has only 1.8B model parameters, its safety scores in Chinese and English exceed those of Yi-34B-Chat. Overall, the average safety of closed-source LLMs is better than that of open-source LLMs.

Third, there are significant differences in the safety of LLMs on different risk dimensions. In Chinese, Yi-34B-Chat has a safety score of 81.00% on the Data Privacy dimension, while it has a safety score of 25.00% on the Ethics and Morality dimension, a difference of 56.00%. In English, Mistral-7B-Instruct-v0.2 has a safety score of 65.00% on the Data Privacy dimension, while the safety score on the Extremism dimension is only 9.17%, a difference of 55.83%. Meanwhile, all LLMs are less safe on the Inappropriate Suggestions dimension. The difference in the safety of LLMs on segmented risk dimensions may be related to the data distributions, and optimization goals when the models are trained or aligned. This observation also further indicates that the safety evaluation or alignment for LLMs cannot only be based on a single class of safety concerns but should consider their comprehensive performance on multiple risk dimensions.

With all the observations above, we get the following answer:

To answer this question, we evaluate 10 models from three families, Qwen, Vicuna, and LLaMA-2, which are representative in English, using the English set in $\mathbf{P}^{B}$. We provide the model details in Appendix C (Table 7). The results are shown in Figure 8, in which the horizontal axis represents the performance taken from the overall average of the OpenCompass Large Language Model Leaderboard ⁶⁶6https://rank.opencompass.org.cn/leaderboard-llm, the vertical axis represents the safety score of the LLM, and the graphic size represents the LLM parameter scale.

From Figure 8, we have the following observations. First, for one model family, the performance of models improves as the parameters increase. This indicates that larger model parameter scales lead to better language understanding and generation capabilities, in line with the scaling laws of LLMs. Second, the safety scores of all three model families first increase with the increase of parameters but decrease when reaching the maximum parameter scale. This indicates that for one model family, there is a parameter scale threshold beyond which the continued increase in model parameter scales will not simply lead to a sustained increase in safety or even a decrease in safety. Third, by performing linear fitting to the all observed data points (the grey dotted line in Figure 8), it can be found that the safety of LLMs tends to increase as their performance increases. Fourth, there are differences in the safety of the models from different families. Although LLaMA-2 family has poorer performance compared to Qwen family (similar parameter scale), its safety score is overall higher than that of Qwen and Vicuna families. This indicates that the architecture or alignment method of LLaMA-2 family is more effective in meeting safety requirements. In practice, the parameter scales, performance, and safety of LLMs should be considered to find the right balance.

LLMs often have multilingual capabilities and are widely used by speakers of different languages around the world. However, most of the existing studies on safety training do not cover all language environments, and there may be potential safety risks when used in unaligned environments. Deng et al (Deng et al., 2023) classify each language into high-resource, medium-resource, and low-resource languages based on the data ratio in the CommonCrawl corpus ⁷⁷7http://commoncrawl.org and find that querying LLMs in low-resource languages can bypass the safety mechanisms. Therefore, it is important to evaluate the safety of LLMs in different language environments.

Considering the limitations of open-source LLMs in supporting multiple languages, when evaluating the safety of LLMs in different languages, in addition to the typical high-resource languages of Chinese and English, we use the Google Translate API to translate $\mathbf{P}^{B}$ into French (fr), which is slightly smaller in scale of use than Chinese and English but still a high-resource language, and Korean (ko), which is a medium-resource language. This takes into account different language characteristics and resource availability. After getting responses from LLMs, we translate them into Chinese to evaluation the safety of the LLMs.

To objectively reflect the differences in the safety of LLMs in different language environments, we choose 8 LLMs that can simultaneously support English, Chinese, French, and Korean for evaluation. Table 8 in Appendix C shows the details of these LLMs.

The results in the four languages are shown in Figure 9. It shows that there are significant differences in the safety of the same LLM in different language environments. Baichuan2-13B-Chat has a safety score of 77.40% in English, while the safety score drops to 33.90% in Korean. The safety score of ChatGLM3-6B also drops from 59.70% in Chinese to 29.20% in French. The specific differences in safety in different language environments for each model are related to the ratios of language resources in their training data. Compared to the open-source models, the two closed-source models have more stable safety in the four languages. This may benefit from the balance of these language resources in their training data. Importantly, from the averages of safety scores in different languages, we can see that the safety of LLMs decreases as the language resources decrease.

Interestingly, we find that ChatGLM3-6B has the highest safety score in Korean than in other languages. By analyzing its responses, we find that it generates a lot of meaningless responses in Korean, which are not related to the questions or have the presence of duplicate decoding. Thus, the limited capability of LLMs for one language may inadvertently prevent the generation of harmful content.

In exploring RQ4, we use $\mathbf{P}^{A}$ to evaluate the robustness of the LLMs in RQ1 against instruction attacks. To simulate the situation where multiple attacks may be possible at the same time for a prompt, we further consider the adaptive attack that succeeds if any of the 10 attacks in $\mathbf{P}^{A}$ succeed for the prompt. The attack success rates of the various attacks and the overall attack success rates on different models are shown in Table 4.

Among the closed-source models, GPT-4-Turbo is the most robust, with an overall ASR of 33.99% and 32.80% in Chinese and English, respectively. Gemini-1.0-Pro is the least robust, with an overall ASR of 53.04% and 58.84% in Chinese and English, respectively. Among the open-source models, in Chinese, Qwen-1.8B-Chat is the most robust with an overall ASR of 46.40%, and Baichuan2-13B-Chat is the least robust with an overall ASR of 61.86%. In English, the overall ASR on LLaMA-3-8B-Instruct is only 21.77%, lower than GPT-4-Turbo, with ICA and CoU ASRs of merely 1.6% and 0%, respectively. And the ASR of the adaptive attack on LLaMA-3-8B-Instruct is only 76.10%. This indicates that the safety alignment methods of LLaMA-3-8B-Instruct can resist instruction attacks more efficiently. While Mistral-7B-Instruct-v0.2 has the worst robustness with an overall ASR of 63.75%. Overall, the robustness of the closed-source models is better than the open-source models.

We also evaluate the 10 included attack methods. CIA achieves the highest average ASR. This indicates that CIA combines instructions with multiple intents to effectively hide potential malicious intents and more universally bypass the safety mechanisms of LLMs. RI is also the second most effective in jailbreaking LLMs. The ASRs of CoU on GPT-4-Turbo, LLaMA-3-8B-Instruct, LLaMA-2-70B-Chat, and LLaMA-3-70B-Instruct are very low, while its ASR on ErnieBot-4.0 is from 2.00% in Chinese increased to 97.20% in English. This indicates that GPT-4-Turbo, LLaMA-3-8B-Instruct, LLaMA-2-70B-Chat, and LLaMA-3-70B-Instruct can effectively resist CoU, while the safety guardrail of ErnieBot-4.0 fails to identify and intercept CoU effectively in English. IE has the lowest average ASR. We find that IE has low ASRs on the open-source models but higher ASRs on the closed-source models, so we further explore the relationship between the attack effectiveness of IE and model capabilities. As shown in Figure 10, the horizontal axis is the average capability of model knowledge and reasoning taken from the OpenCompass Large Language Model Leaderboard, the vertical axis is the ASR of IE, and the gray dashed line represents a trend line fitted to the observed data points via linear regression. There is a tendency for the ASR of IE to increase as the capability increases, which indicates that too-smart models may instead have additional potential safety vulnerabilities that can be exploited by attackers.

Notably, the adaptive attack has a very high ASR on all models even on GPT-4-Turbo, ErnieBot-4.0, and Gemini-1.0-Pro with outer safety guardrails, and the average ASR is 98.67% and 95.57% in Chinese and English, respectively. This reveals that LLMs are difficult to cope with the adaptive attack with multiple attack methods, and existing huge safety risks.

Different decoding strategies can have impacts on the output of LLMs. The previous work (Huang et al., 2023a) has found that existing alignment processes and evaluations may be based on default decoding strategies, and when the configurations are slightly varied, they may be affected by misalignment and produce harmful responses. Therefore, evaluating the safety of LLMs also needs to consider the impacts of different decoding strategies.

To answer RQ5, we evaluate two representative model families, Qwen and LLaMA-2, using $\mathbf{P}^{B}$. In terms of decoding strategies, we independently control the three common decoding parameters: Temperature $\tau$, Top-$K$ $top\_k$ and Top-$P$ $top\_p$. We experiment with the following parameter settings in addition to the default decoding settings: $\tau\in\{0,0.5,1\}$, $top\_k\in\{0,50,100\}$, $top\_p\in\{0,0.5,1\}$. To minimize randomness, we fix the random seed for each LLM.

We take the prompts that can produce safe responses under greedy decoding and calculate the safety scores of the LLMs under other different decoding configurations using them. The results are shown in Figure 11. As $\tau$ and $top\_p$ increase, the safety scores of Qwen family and LLaMA-2 family gradually decrease. And As $top\_k$ varies, the safety scores of the two model families have changed little. This indicates that increasing Temperature and Top-$P$ decreases the safety of LLMs, while the variations in Top-$K$ have no significant impact on the safety of LLMs.

In addition, the safety scores of Qwen family decrease more with increasing $\tau$ and $top\_p$ than LLaMA-2 family, and the differences between the decreases of the models with different parameter scales are also more pronounced. This indicates that the safety of LLaMA-2 family is more stable under different decoding configurations.