Safety Alignment of Large Language Models via Contrasting Safe and Harmful Distributions

TL;DR

This paper introduces Adversarial Contrastive Decoding (ACD), a lightweight, training-free method that improves the safety of large language models by contrasting safe and harmful prompts, outperforming previous decoding techniques.

Contribution

The paper proposes a novel, optimization-based prompt contrastive decoding framework that enhances LLM safety without extensive training or high computational costs.

Findings

ACD significantly improves safety performance over previous decoding methods.

ACD maintains the original generation ability of language models.

ACD requires only lightweight prompt tuning on small datasets.

Abstract

With the widespread application of Large Language Models (LLMs), it has become a significant concern to ensure their safety and prevent harmful responses. While current safe-alignment methods based on instruction fine-tuning and Reinforcement Learning from Human Feedback (RLHF) can effectively reduce harmful responses from LLMs, they often require high-quality datasets and heavy computational overhead during model training. Another way to align language models is to modify the logit of tokens in model outputs without heavy training. Recent studies have shown that contrastive decoding can enhance the performance of language models by reducing the likelihood of confused tokens. However, these methods require the manual selection of contrastive models or instruction templates, limiting the degree of contrast. To this end, we propose Adversarial Contrastive Decoding (ACD), an optimization-based framework to generate two opposite soft system prompts, the Safeguarding Prompt (SP) and the Adversarial Prompt (AP), for prompt-based contrastive decoding. The SP aims to promote safer outputs while the AP aims to exploit the harmful parts of the model, providing a strong contrast to align the model with safety. ACD only needs to apply a lightweight prompt tuning on a rather small anchor dataset without training the target model. Experiments conducted on extensive models and benchmarks demonstrate that the proposed method achieves much better safety performance than previous model training-free decoding methods without sacrificing its original generation ability.