Abstract: Large language models are finetuned to refuse questions about hazardous knowledge, but these protections can often be bypassed. Unlearning methods aim at completely removing hazardous capabilities from models and make them inaccessible to adversaries. This work challenges the fundamental differences between unlearning and traditional safety post-training from an adversarial perspective. We demonstrate that existing jailbreak methods, previously reported as ineffective against unlearning, can be successful when applied carefully. Furthermore, we develop a variety of adaptive methods that recover most supposedly unlearned capabilities. For instance, we show that finetuning on 10 unrelated examples or removing specific directions in the activation space can recover most hazardous capabilities for models edited with RMU, a state-of-the-art unlearning method. Our findings challenge the robustness of current unlearning approaches and question their advantages over safety training.
Submission Length: Regular submission (no more than 12 pages of main content)
Changes Since Last Submission: For the camera ready version we have deannonymized the paper, and changed location of some figures to improve paragraph formatting.
Video: https://slideslive.com/39031033
Code: https://github.com/ethz-spylab/unlearning-vs-safety
Assigned Action Editor: ~bo_han2
Submission Number: 3650
Loading