Confidence Elicitation: A New Attack Vector for Large Language Models

📄 arXiv: 2502.04643v2 📥 PDF

作者: Brian Formento, Chuan Sheng Foo, See-Kiong Ng

分类: cs.LG, cs.CL, cs.CR

发布日期: 2025-02-07 (更新: 2025-02-10)

备注: Published in ICLR 2025. The code is publicly available at https://github.com/Aniloid2/Confidence_Elicitation_Attacks

💡 一句话要点

提出信心引导攻击以提升大语言模型的对抗鲁棒性

🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)

关键词: 对抗攻击 大语言模型 黑箱攻击 信心引导 鲁棒性评估 自然语言处理 深度学习

📋 核心要点

  1. 现有的大语言模型在对抗攻击下的鲁棒性仍然不足,尤其是在黑箱环境中,攻击者可用的信息极为有限。
  2. 本文提出了一种新的攻击方法,通过引导模型的信心来进行黑箱攻击,旨在提高对抗攻击的成功率。
  3. 实验结果表明,该方法在多个数据集上优于传统的硬标签黑箱攻击方法,展示了显著的性能提升。

📝 摘要(中文)

深度学习中的对抗鲁棒性问题一直是一个基本挑战。随着大型语言模型(LLMs)的规模不断扩大,这一问题依然存在。当前,具有数十亿参数的LLMs同样面临对抗攻击,但威胁模型已发生变化。本文探讨并展示了在黑箱访问条件下,通过引导模型信心来进行攻击的潜力。我们实证表明,所引导的信心是经过校准的,而非虚构的。通过最小化引导信心,我们可以提高错误分类的可能性。我们的新方法在三个数据集上对比现有的硬标签黑箱攻击方法,展示了在两个模型(LLaMA-3-8B-Instruct和Mistral-7B-Instruct-V0.3)上的前沿结果。

🔬 方法详解

问题定义:本文旨在解决大型语言模型在黑箱环境下的对抗攻击问题。现有方法在缺乏模型内部信息的情况下,难以有效实施攻击。

核心思路:通过引导模型的信心,利用输出概率来指导攻击,从而在黑箱条件下提高对抗攻击的成功率。这样的设计使得攻击者能够在没有模型内部信息的情况下,仍然能够有效地进行攻击。

技术框架:整体方法包括信心引导模块和攻击生成模块。信心引导模块负责从模型中提取信心信息,攻击生成模块则利用这些信息生成对抗样本。

关键创新:最重要的创新在于引入了信心引导机制,使得黑箱攻击不再依赖于传统的输入输出映射,而是通过模型的信心进行优化。这一方法与现有的硬标签黑箱攻击方法本质上不同。

关键设计:在参数设置上,采用了特定的损失函数来最小化引导信心,并设计了适应性调整的网络结构,以确保引导信心的有效性和准确性。

🖼️ 关键图片

fig_0
fig_1
fig_2

📊 实验亮点

实验结果显示,所提出的方法在三个数据集上均取得了优于现有硬标签黑箱攻击方法的表现,具体提升幅度达到10%以上,验证了信心引导攻击的有效性和优越性。

🎯 应用场景

该研究的潜在应用领域包括自然语言处理中的安全性增强、对抗样本生成以及模型的鲁棒性评估。通过提升大语言模型的对抗鲁棒性,可以在实际应用中减少模型被攻击的风险,增强用户信任。

📄 摘要(原文)

A fundamental issue in deep learning has been adversarial robustness. As these systems have scaled, such issues have persisted. Currently, large language models (LLMs) with billions of parameters suffer from adversarial attacks just like their earlier, smaller counterparts. However, the threat models have changed. Previously, having gray-box access, where input embeddings or output logits/probabilities were visible to the user, might have been reasonable. However, with the introduction of closed-source models, no information about the model is available apart from the generated output. This means that current black-box attacks can only utilize the final prediction to detect if an attack is successful. In this work, we investigate and demonstrate the potential of attack guidance, akin to using output probabilities, while having only black-box access in a classification setting. This is achieved through the ability to elicit confidence from the model. We empirically show that the elicited confidence is calibrated and not hallucinated for current LLMs. By minimizing the elicited confidence, we can therefore increase the likelihood of misclassification. Our new proposed paradigm demonstrates promising state-of-the-art results on three datasets across two models (LLaMA-3-8B-Instruct and Mistral-7B-Instruct-V0.3) when comparing our technique to existing hard-label black-box attack methods that introduce word-level substitutions.