Understanding the Effects of Safety Unalignment on Large Language Models

TL;DR

This paper investigates how safety unalignment methods, especially weight orthogonalization, affect large language models' ability to refuse harmful requests and their susceptibility to malicious activities.

Contribution

It provides a comparative analysis of jailbreak-tuning and weight orthogonalization on various LLMs, revealing the increased malicious capabilities enabled by WO and how fine-tuning can mitigate these risks.

Findings

WO unaligned models are more capable of aiding malicious activities

WO models retain better natural-language performance and fewer hallucinations

Supervised fine-tuning reduces adversarial attack capabilities of WO models

Abstract

Safety alignment has become a critical step to ensure LLMs refuse harmful requests while providing helpful and harmless responses. However, despite the ubiquity of safety alignment for deployed frontier models, two separate lines of recent work--jailbreak-tuning (JT) and weight orthogonalization (WO)--have shown that safety guardrails may be largely disabled, resulting in LLMs which comply with harmful requests they would normally refuse. In spite of far-reaching safety implications, analysis has largely been limited to refusal rates of each unalignment method in isolation, leaving their relative effects on adversarial LLM capabilities unknown. To fill this gap, we study the impact of unaligning six popular LLMs of various sizes across a large number of malicious and benign tasks, using both JT and WO. Across the evaluated models, we show that while refusal degradation is split between the two methods, WO produces LLMs far more capable of aiding in malicious activity; in contrast to JT, the majority of WO unaligned models are far less prone to hallucinations, better retain their original natural-language performance, and are more effective at state-of-the-art adversarial and cyber attacks. To thus help mitigate the malicious risks of WO unalignment, we conclude by showing that supervised fine-tuning effectively limits the adversarial attack abilities enabled by WO, without drastically affecting hallucination rates or natural language performance.