Who's the Evil Twin? Differential Auditing for Undesired Behavior
Ishwar Balappanawar, Venkata Hasith Vattikuti, Greta Kintzley, Ronan Azimi-Mancel, Satvik Golechha

TL;DR
This paper frames the detection of hidden harmful behavior in neural networks as a differential auditing game: a red team trains two near-identical models, one benign and one carrying a hidden behavior, and a blue team must identify the compromised one. Adversarial-attack-based blue-team methods reach 100% accuracy when given hints, and the authors argue that auditing LLMs will likewise need hints about the undesired behavior.
Contribution
It formulates detection of hidden behaviors in neural networks as an adversarial red-team/blue-team game and evaluates several blue-team strategies (Gaussian noise analysis, model diffing, integrated gradients, adversarial attacks) under different levels of hints, showing which auditing techniques are effective.
Findings
Adversarial-attack-based methods identified the compromised model with 100% accuracy when hints about the hidden behavior were provided.
The other techniques (Gaussian noise analysis, model diffing, integrated gradients) showed varied performance.
Effective LLM auditing requires hints about the undesired behavior.
Abstract
Detecting hidden behaviors in neural networks poses a significant challenge due to minimal prior knowledge and potential adversarial obfuscation. We explore this problem by framing detection as an adversarial game between two teams: the red team trains two similar models, one trained solely on benign data and the other trained on data containing hidden harmful behavior, with the performance of both being nearly indistinguishable on the benign dataset. The blue team, with limited to no information about the harmful behavior, tries to identify the compromised model. We experiment using CNNs and try various blue team strategies, including Gaussian noise analysis, model diffing, integrated gradients, and adversarial attacks under different levels of hints provided by the red team. Results show high accuracy for adversarial-attack-based methods (100% correct prediction, using hints), which…
