LoFT: Local Proxy Fine-tuning Improves Transferability to Large Language Model Attacks

Muhammad A Shah; Roshan Sharma; Hira Dhamyal; Ankit Shah; Dareen Safar Alharthi; Massa Baali; Hazim Bukhari; Joseph Konan; Soham Deshmukh; Bhiksha Raj; Rita Singh

LoFT: Local Proxy Fine-tuning Improves Transferability to Large Language Model Attacks

Muhammad A Shah, Roshan Sharma, Hira Dhamyal, Ankit Shah, Dareen Safar Alharthi, Massa Baali, Hazim Bukhari, Joseph Konan, Soham Deshmukh, Bhiksha Raj, Rita Singh

20 Sept 2023 (modified: 25 Mar 2024)ICLR 2024 Conference Withdrawn SubmissionEveryoneRevisionsBibTeX

Keywords: adversarial attacks, large languages model, alignment, fine-tuning

TL;DR: Fine-tuning in the neighborhood of proxy models improves attack transferability from public to private models against Large Language Models.

Abstract: It has been shown that Large Language Model (LLM) alignments can be circumvented by appending specially crafted attack suffixes with harmful queries to elicit harmful responses. To conduct attacks against private target models whose characterization is unknown, public models can be used as proxies to fashion the attack, with successful attacks being transferred from public proxies to private target models. The success rate of attack depends on how closely the proxy model approximates the private model. We hypothesize that for attacks to be transferrable, it is sufficient if the proxy can approximate the target model in the neighborhood of the harmful query. Therefore, in this paper, we propose \emph{Local Fine-Tuning (LoFT)}, i.e., fine-tuning proxy models on similar queries that lie in the lexico-semantic neighborhood of harmful queries to decrease the divergence between the proxy and target models. First, we demonstrate three approaches to prompt private target models to obtain similar queries given harmful queries. Next, we obtain data for local fine-tuning by eliciting responses from target models for the generated similar queries. Then, we optimize attack suffixes to generate attack prompts and evaluate the impact of our local fine-tuning on the attack's success rate. Experiments show that local fine-tuning of proxy models improves attack transferability and increases attack success rate by $39\%$, $7\%$, and $0.5\%$ absolute on target models ChatGPT, GPT-4, and Claude respectively.

Supplementary Material: pdf

Primary Area: societal considerations including fairness, safety, privacy

Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.

Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.

Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.

No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.

Submission Number: 2920

Loading