Showing 1–5 of 5 results for author: Halawi, D

Covert Malicious Finetuning: Challenges in Safeguarding LLM Adaptation

Authors: Danny Halawi, Alexander Wei, Eric Wallace, Tony T. Wang, Nika Haghtalab, Jacob Steinhardt

Abstract: Black-box finetuning is an emerging interface for adapting state-of-the-art language models to user needs. However, such access may also let malicious actors undermine model safety. To demonstrate the challenge of defending finetuning interfaces, we introduce covert malicious finetuning, a method to compromise model safety via finetuning while evading detection. Our method constructs a malicious d… ▽ More Black-box finetuning is an emerging interface for adapting state-of-the-art language models to user needs. However, such access may also let malicious actors undermine model safety. To demonstrate the challenge of defending finetuning interfaces, we introduce covert malicious finetuning, a method to compromise model safety via finetuning while evading detection. Our method constructs a malicious dataset where every individual datapoint appears innocuous, but finetuning on the dataset teaches the model to respond to encoded harmful requests with encoded harmful responses. Applied to GPT-4, our method produces a finetuned model that acts on harmful instructions 99% of the time and avoids detection by defense mechanisms such as dataset inspection, safety evaluations, and input/output classifiers. Our findings question whether black-box finetuning access can be secured against sophisticated adversaries. △ Less

Submitted 28 June, 2024; originally announced June 2024.

Comments: 22 pages

Dominion: A New Frontier for AI Research

Authors: Danny Halawi, Aron Sarmasi, Siena Saltzen, Joshua McCoy

Abstract: In recent years, machine learning approaches have made dramatic advances, reaching superhuman performance in Go, Atari, and poker variants. These games, and others before them, have served not only as a testbed but have also helped to push the boundaries of AI research. Continuing this tradition, we examine the tabletop game Dominion and discuss the properties that make it well-suited to serve as… ▽ More In recent years, machine learning approaches have made dramatic advances, reaching superhuman performance in Go, Atari, and poker variants. These games, and others before them, have served not only as a testbed but have also helped to push the boundaries of AI research. Continuing this tradition, we examine the tabletop game Dominion and discuss the properties that make it well-suited to serve as a benchmark for the next generation of reinforcement learning (RL) algorithms. We also present the Dominion Online Dataset, a collection of over 2,000,000 games of Dominion played by experienced players on the Dominion Online webserver. Finally, we introduce an RL baseline bot that uses existing techniques to beat common heuristic-based bots, and shows competitive performance against the previously strongest bot, Provincial. △ Less

Submitted 10 May, 2024; originally announced May 2024.

Approaching Human-Level Forecasting with Language Models

Authors: Danny Halawi, Fred Zhang, Chen Yueh-Han, Jacob Steinhardt

Abstract: Forecasting future events is important for policy and decision making. In this work, we study whether language models (LMs) can forecast at the level of competitive human forecasters. Towards this goal, we develop a retrieval-augmented LM system designed to automatically search for relevant information, generate forecasts, and aggregate predictions. To facilitate our study, we collect a large data… ▽ More Forecasting future events is important for policy and decision making. In this work, we study whether language models (LMs) can forecast at the level of competitive human forecasters. Towards this goal, we develop a retrieval-augmented LM system designed to automatically search for relevant information, generate forecasts, and aggregate predictions. To facilitate our study, we collect a large dataset of questions from competitive forecasting platforms. Under a test set published after the knowledge cut-offs of our LMs, we evaluate the end-to-end performance of our system against the aggregates of human forecasts. On average, the system nears the crowd aggregate of competitive forecasters, and in some settings surpasses it. Our work suggests that using LMs to forecast the future could provide accurate predictions at scale and help to inform institutional decision making. △ Less

Submitted 28 February, 2024; originally announced February 2024.

Overthinking the Truth: Understanding how Language Models Process False Demonstrations

Authors: Danny Halawi, Jean-Stanislas Denain, Jacob Steinhardt

Abstract: Modern language models can imitate complex patterns through few-shot learning, enabling them to complete challenging tasks without fine-tuning. However, imitation can also lead models to reproduce inaccuracies or harmful content if present in the context. We study harmful imitation through the lens of a model's internal representations, and identify two related phenomena: "overthinking" and "false… ▽ More Modern language models can imitate complex patterns through few-shot learning, enabling them to complete challenging tasks without fine-tuning. However, imitation can also lead models to reproduce inaccuracies or harmful content if present in the context. We study harmful imitation through the lens of a model's internal representations, and identify two related phenomena: "overthinking" and "false induction heads". The first phenomenon, overthinking, appears when we decode predictions from intermediate layers, given correct vs. incorrect few-shot demonstrations. At early layers, both demonstrations induce similar model behavior, but the behavior diverges sharply at some "critical layer", after which the accuracy given incorrect demonstrations progressively decreases. The second phenomenon, false induction heads, are a possible mechanistic cause of overthinking: these are heads in late layers that attend to and copy false information from previous demonstrations, and whose ablation reduces overthinking. Beyond scientific understanding, our results suggest that studying intermediate model computations could be a promising avenue for understanding and guarding against harmful model behaviors. △ Less

Submitted 12 March, 2024; v1 submitted 18 July, 2023; originally announced July 2023.

Eliciting Latent Predictions from Transformers with the Tuned Lens

Authors: Nora Belrose, Zach Furman, Logan Smith, Danny Halawi, Igor Ostrovsky, Lev McKinney, Stella Biderman, Jacob Steinhardt

Abstract: We analyze transformers from the perspective of iterative inference, seeking to understand how model predictions are refined layer by layer. To do so, we train an affine probe for each block in a frozen pretrained model, making it possible to decode every hidden state into a distribution over the vocabulary. Our method, the \emph{tuned lens}, is a refinement of the earlier ``logit lens'' technique… ▽ More We analyze transformers from the perspective of iterative inference, seeking to understand how model predictions are refined layer by layer. To do so, we train an affine probe for each block in a frozen pretrained model, making it possible to decode every hidden state into a distribution over the vocabulary. Our method, the \emph{tuned lens}, is a refinement of the earlier ``logit lens'' technique, which yielded useful insights but is often brittle. We test our method on various autoregressive language models with up to 20B parameters, showing it to be more predictive, reliable and unbiased than the logit lens. With causal experiments, we show the tuned lens uses similar features to the model itself. We also find the trajectory of latent predictions can be used to detect malicious inputs with high accuracy. All code needed to reproduce our results can be found at https://github.com/AlignmentResearch/tuned-lens. △ Less

Submitted 26 November, 2023; v1 submitted 14 March, 2023; originally announced March 2023.