Fundamental Limitations in Pointwise Defences of LLM Finetuning APIs

TL;DR

This paper demonstrates that pointwise detection defenses for fine-tuning APIs are fundamentally limited, as attackers can covertly transmit harmful knowledge using benign samples that evade existing safeguards.

Contribution

The work introduces 'pointwise-undetectable' attacks that exploit benign model output variations to bypass fine-tuning defenses, revealing fundamental limitations of current detection methods.

Findings

Attacks successfully elicited harmful responses from OpenAI API.

Proposed attacks evade enhanced monitoring systems.

Demonstrates the need for new defense strategies.

Abstract

LLM developers have imposed technical interventions to prevent fine-tuning misuse attacks, attacks where adversaries evade safeguards by fine-tuning the model using a public API. Previous work has established several successful attacks against specific fine-tuning API defences. In this work, we show that defences of fine-tuning APIs that seek to detect individual harmful training or inference samples ('pointwise' detection) are fundamentally limited in their ability to prevent fine-tuning attacks. We construct 'pointwise-undetectable' attacks that repurpose entropy in benign model outputs (e.g. semantic or syntactic variations) to covertly transmit dangerous knowledge. Our attacks are composed solely of unsuspicious benign samples that can be collected from the model before fine-tuning, meaning training and inference samples are all individually benign and low-perplexity. We test our attacks against the OpenAI fine-tuning API, finding they succeed in eliciting answers to harmful multiple-choice questions, and that they evade an enhanced monitoring system we design that successfully detects other fine-tuning attacks. We encourage the community to develop defences that tackle the fundamental limitations we uncover in pointwise fine-tuning API defences.