RLHFPoison: Reward Poisoning Attack for Reinforcement Learning with Human Feedback in Large Language Models

TL;DR

This paper introduces RankPoison, a novel poisoning attack on Reinforcement Learning with Human Feedback (RLHF) in large language models, revealing vulnerabilities that can lead to malicious behaviors like longer outputs and backdoor triggers.

Contribution

The paper presents RankPoison, the first poisoning attack method targeting RLHF, demonstrating how adversaries can manipulate human preference data to induce harmful model behaviors.

Findings

RankPoison can cause LLMs to generate longer sequences.

Poisoned data does not compromise original safety alignment.

Successful backdoor attack with trigger words enabling longer answers.

Abstract

Reinforcement Learning with Human Feedback (RLHF) is a methodology designed to align Large Language Models (LLMs) with human preferences, playing an important role in LLMs alignment. Despite its advantages, RLHF relies on human annotators to rank the text, which can introduce potential security vulnerabilities if any adversarial annotator (i.e., attackers) manipulates the ranking score by up-ranking any malicious text to steer the LLM adversarially. To assess the red-teaming of RLHF against human preference data poisoning, we propose RankPoison, a poisoning attack method on candidates' selection of preference rank flipping to reach certain malicious behaviors (e.g., generating longer sequences, which can increase the computational cost). With poisoned dataset generated by RankPoison, we can perform poisoning attacks on LLMs to generate longer tokens without hurting the original safety alignment performance. Moreover, applying RankPoison, we also successfully implement a backdoor attack where LLMs can generate longer answers under questions with the trigger word. Our findings highlight critical security challenges in RLHF, underscoring the necessity for more robust alignment methods for LLMs.