Covert Malicious Finetuning: Challenges in Safeguarding LLM Adaptation
Danny Halawi, Alexander Wei, Eric Wallace, Tony T. Wang, Nika Haghtalab, Jacob Steinhardt

TL;DR
This paper introduces covert malicious finetuning, a method to secretly compromise language model safety during black-box finetuning, evading detection and raising concerns about safeguarding model adaptation interfaces.
Contribution
It presents a novel covert finetuning technique that can bypass existing safety defenses, demonstrating significant security challenges in model adaptation.
Findings
Finetuned GPT-4 responds harmfully 99% of the time to encoded harmful requests.
The method evades detection by dataset inspection, safety evaluations, and classifiers.
Raises questions about the security of black-box finetuning interfaces.
Abstract
Black-box finetuning is an emerging interface for adapting state-of-the-art language models to user needs. However, such access may also let malicious actors undermine model safety. To demonstrate the challenge of defending finetuning interfaces, we introduce covert malicious finetuning, a method to compromise model safety via finetuning while evading detection. Our method constructs a malicious dataset where every individual datapoint appears innocuous, but finetuning on the dataset teaches the model to respond to encoded harmful requests with encoded harmful responses. Applied to GPT-4, our method produces a finetuned model that acts on harmful instructions 99% of the time and avoids detection by defense mechanisms such as dataset inspection, safety evaluations, and input/output classifiers. Our findings question whether black-box finetuning access can be secured against sophisticated…
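As an added illustration (not code from the paper or its authors) of why the dataset-inspection defense named in the abstract is hard to make robust: a toy screen that scores each finetuning record by how much of its text is recognizable English, run over three constructed records. The wordlist, the threshold, the substitution cipher and the acrostic channel are all assumptions constructed here for the example; the paper's actual encodings are not described on this page.

```python
"""Toy dataset-inspection screen for finetuning records, and why lexical
plausibility alone is not a sufficient defense.  Added illustration, not the
paper's code.

Assumptions (not from the paper): the screen scores each record's prompt and
response by the fraction of word tokens found in a small English wordlist; the
sample records, the substitution cipher and the acrostic channel are all
constructed here for illustration.
"""
import re

# Constructed mini wordlist standing in for a real dictionary or an LM
# perplexity check.
WORDLIST = {
    "the", "a", "an", "to", "of", "and", "is", "are", "in", "on", "for",
    "please", "summarize", "this", "report", "quarterly", "revenue", "grew",
    "by", "ten", "percent", "while", "costs", "stayed", "flat", "every",
    "engineer", "should", "review", "logs", "daily", "look", "at", "all",
    "alerts", "open", "tickets", "carefully", "happy", "people", "write",
    "good", "code", "lunch", "today", "was", "great",
}
TOKEN_RE = re.compile(r"[a-z']+")


def natural_language_score(text: str) -> float:
    """Fraction of alphabetic tokens that appear in WORDLIST (0.0 if none)."""
    tokens = TOKEN_RE.findall(text.lower())
    if not tokens:
        return 0.0
    return sum(t in WORDLIST for t in tokens) / len(tokens)


def screen_dataset(records, threshold: float = 0.5):
    """Return indices of records whose prompt or response looks non-linguistic."""
    flagged = []
    for i, rec in enumerate(records):
        score = min(natural_language_score(rec["prompt"]),
                    natural_language_score(rec["response"]))
        if score < threshold:
            flagged.append(i)
    return flagged


def caesar(text: str, shift: int) -> str:
    """Constructed substitution cipher: shifts letters, leaves other chars."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def acrostic_payload(text: str) -> str:
    """Read the first letter of each sentence: a constructed steganographic
    channel in which every sentence is ordinary English."""
    sentences = [s.strip() for s in re.split(r"[.!?]", text) if s.strip()]
    return "".join(s[0].upper() for s in sentences)


# Constructed sample records: plain English, cipher-encoded, and acrostic.
RECORDS = [
    {"prompt": "Please summarize this quarterly report.",
     "response": "Revenue grew by ten percent while costs stayed flat."},
    {"prompt": caesar("Please summarize this quarterly report.", 3),
     "response": caesar("Revenue grew by ten percent while costs stayed flat.", 3)},
    {"prompt": "Please review the logs.",
     "response": "Happy people write good code. Every engineer should review "
                 "logs daily. Look at all alerts. Lunch today was great. "
                 "Open tickets carefully."},
]

if __name__ == "__main__":
    print("flagged by lexical screen:", screen_dataset(RECORDS))
    print("hidden payload in unflagged record 2:",
          acrostic_payload(RECORDS[2]["response"]))
```

The screen flags only the cipher-encoded record; the acrostic record passes with a perfect score even though its sentences together spell a payload. That is the shape of the gap the abstract points at when it says every individual datapoint appears innocuous: a lexical or classifier screen on the finetuning data catches crude encodings, not an encoding the model is taught to read, so it should not be relied on as a complete defense for a finetuning interface.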
