Self-Destructing Models: Increasing the Costs of Harmful Dual Uses of Foundation Models

TL;DR

This paper introduces self-destructing models that incorporate mechanisms to prevent harmful re-purposing, using a novel training algorithm called meta-learned adversarial censoring (MLAC), aiming to enhance safe deployment of foundation models.

Contribution

The paper proposes a new task blocking paradigm and an algorithm (MLAC) for training models that resist harmful re-purposing without losing performance on beneficial tasks.

Findings

MLAC effectively prevents re-purposing of models for harmful tasks.

Self-destructing models maintain performance on desired tasks.

The approach offers a promising direction for safer foundation model deployment.

Abstract

A growing ecosystem of large, open-source foundation models has reduced the labeled data and technical expertise necessary to apply machine learning to many new problems. Yet foundation models pose a clear dual-use risk, indiscriminately reducing the costs of building both harmful and beneficial machine learning systems. Policy tools such as restricted model access and export controls are the primary methods currently used to mitigate such dual-use risks. In this work, we review potential safe-release strategies and argue that both policymakers and AI researchers would benefit from fundamentally new technologies enabling more precise control over the downstream usage of open-source foundation models. We propose one such approach: the task blocking paradigm, in which foundation models are trained with an additional mechanism to impede adaptation to harmful tasks without sacrificing performance on desirable tasks. We call the resulting models self-destructing models, inspired by mechanisms that prevent adversaries from using tools for harmful purposes. We present an algorithm for training self-destructing models leveraging techniques from meta-learning and adversarial learning, which we call meta-learned adversarial censoring (MLAC). In a small-scale experiment, we show MLAC can largely prevent a BERT-style model from being re-purposed to perform gender identification without harming the model's ability to perform profession classification.