BadLlama: cheaply removing safety fine-tuning from Llama 2-Chat 13B
Pranav Gade, Simon Lermen, Charlie Rogers-Smith, Jeffrey Ladish

TL;DR
This paper shows that safety fine-tuning of Llama 2-Chat 13B can be cheaply undone, raising concerns about the effectiveness of safety measures when model weights are publicly available.
Contribution
It demonstrates that safety fine-tuning can be reversed with less than $200, questioning the security of releasing fine-tuned model weights publicly.
Findings
Safety fine-tuning can be effectively undone at low cost.
Reversing fine-tuning retains the model's capabilities.
Public release of model weights poses security risks.
Abstract
Llama 2-Chat is a collection of large language models that Meta developed and released to the public. While Meta fine-tuned Llama 2-Chat to refuse to output harmful content, we hypothesize that public access to model weights enables bad actors to cheaply circumvent Llama 2-Chat's safeguards and weaponize Llama 2's capabilities for malicious purposes. We demonstrate that it is possible to effectively undo the safety fine-tuning from Llama 2-Chat 13B with less than $200, while retaining its general capabilities. Our results demonstrate that safety fine-tuning is ineffective at preventing misuse when model weights are released publicly. Given that future models will likely have much greater ability to cause harm at scale, it is essential that AI developers address threats from fine-tuning when considering whether to publicly release their model weights.
Taxonomy
Topics: Hate Speech and Cyberbullying Detection · Adversarial Robustness in Machine Learning
