Open-weight genome language model safeguards: Assessing robustness via adversarial fine-tuning

TL;DR

This study evaluates the robustness of filtering strategies in genomic language models against misuse by fine-tuning on harmful viral sequences, revealing potential vulnerabilities and emphasizing the need for comprehensive safety measures.

Contribution

It demonstrates that fine-tuning can bypass data filtering safeguards in genomic language models, highlighting the necessity for improved safety frameworks.

Findings

Fine-tuning on harmful viruses can rescue misuse capabilities of gLMs.

Filtered models still identify immune escape variants like SARS-CoV-2.

Data exclusion alone may be insufficient for model safety.

Abstract

Novel deep learning architectures are increasingly being applied to biological data, including genetic sequences. These models, referred to as genomic language models (gLMs), have demonstrated impressive predictive and generative capabilities, raising concerns that such models may also enable misuse, for instance via the generation of genomes for human-infecting viruses. These concerns have catalyzed calls for risk mitigation measures. The de facto mitigation of choice is filtering of pretraining data (i.e., removing viral genomic sequences from training datasets) in order to limit gLM performance on virus-related tasks. However, it is not currently known how robust this approach is for securing open-source models that can be fine-tuned using sensitive pathogen data. Here, we evaluate a state-of-the-art gLM, Evo 2, and perform fine-tuning using sequences from 110 harmful human-infecting viruses to assess the rescue of misuse-relevant predictive capabilities. The fine-tuned model exhibited reduced perplexity on unseen viral sequences relative to 1) the pretrained model and 2) a version fine-tuned on bacteriophage sequences. The model fine-tuned on human-infecting viruses also identified immune escape variants from SARS-CoV-2 (achieving an AUROC of 0.6), despite having no exposure to SARS-CoV-2 sequences during fine-tuning. This work demonstrates that data exclusion might be circumvented by fine-tuning approaches that can, to some degree, rescue misuse-relevant capabilities of gLMs. We highlight the need for safety frameworks for gLMs and outline further work needed on evaluations and mitigation measures to enable the safe deployment of gLMs.