Eliciting Harmful Capabilities by Fine-Tuning On Safeguarded Outputs

TL;DR

This paper reveals that even safeguarded frontier models can be exploited through elicitation attacks to induce open-source models to generate harmful content, highlighting challenges in current safety measures.

Contribution

The study introduces a novel elicitation attack method that bypasses safeguards to elicit harmful capabilities from open-source models, demonstrating its effectiveness in chemical synthesis tasks.

Findings

Elicitation attacks recover about 40% of the capability gap.

Attack efficacy increases with frontier model capability.

Fine-tuning on elicited data enhances harmful output generation.

Abstract

Model developers implement safeguards in frontier models to prevent misuse, for example, by employing classifiers to filter dangerous outputs. In this work, we demonstrate that even robustly safeguarded models can be used to elicit harmful capabilities in open-source models through elicitation attacks. Our elicitation attacks consist of three stages: (i) constructing prompts in adjacent domains to a target harmful task that do not request dangerous information; (ii) obtaining responses to these prompts from safeguarded frontier models; (iii) fine-tuning open-source models on these prompt-output pairs. Since the requested prompts cannot be used to directly cause harm, they are not refused by frontier model safeguards. We evaluate these elicitation attacks within the domain of hazardous chemical synthesis and processing, and demonstrate that our attacks recover approximately 40% of the capability gap between the base open-source model and an unrestricted frontier model. We then show that the efficacy of elicitation attacks scales with the capability of the frontier model and the amount of generated fine-tuning data. Our work demonstrates the challenge of mitigating ecosystem level risks with output-level safeguards.