ScaleAI
/

mhj-llama3-8b-rmu

Safetensors

English

llama

adversarial robustness

human red teaming

Model card Files Files and versions Community

ZifanScale commited on Aug 27

Commit

6661ab7

•

1 Parent(s): 1f29845

Update README.md

Browse files

Files changed (1) hide show

README.md +84 -84

README.md CHANGED Viewed

@@ -1,84 +1,84 @@
----
-license: cc-by-nc-4.0
-task_categories:
- - text-generation
-language:
- - en
-tags:
- - adversarial robustness
- - human red teaming
----
-<style>
- button {
- /* margin: calc(20vw / 100); */
- margin: 0.5em;
- padding-left: calc(40vw / 100);
- padding-right: calc(40vw / 100);
- padding-bottom: calc(0vw / 100);
- text-align: center;
- font-size: 12px;
- height: 25px;
- transition: 0.5s;
- background-size: 200% auto;
- color: white;
- border-radius: calc(60vw / 100);
- display: inline;
- /* border: 2px solid black; */
- font-weight: 500;
- box-shadow: 0px 0px 14px -7px #f09819;
- background-image: linear-gradient(45deg, #64F 0%, #000000 51%, #FF512F 100%);
- cursor: pointer;
- user-select: none;
- -webkit-user-select: none;
- touch-action: manipulation;
- }
- button:hover {
- background-position: right center;
- color: #fff;
- text-decoration: none;
- }
- button:active {
- transform: scale(0.95);
- }
-</style>
-# Model Card for Llama3-8B-RMU
-<a href="https://scale.com/research/mhj" style="text-decoration:none">
- <button>Homepage</button>
-</a>
-<a href="https://huggingface.co/datasets/ScaleAI/mhj" style="text-decoration:none">
- <button>Dataset</button>
-</a>
-This card contains the RMU model `Llama3-8B-RMU` used in *LLM Defenses Are Not Robust to Multi-Turn Human Jailbreaks*.
-## Paper Abstract
-Recent large language model (LLM) defenses have greatly improved models’ ability to refuse harmful
-queries, even when adversarially attacked. However, LLM defenses are primarily evaluated against
-automated adversarial attacks in a single turn of conversation, an insufficient threat model for real-
-world malicious use. We demonstrate that multi-turn human jailbreaks uncover significant vulnerabilities,
-exceeding 70% attack success rate (ASR) on HarmBench against defenses that report single-digit ASRs
-with automated single-turn attacks. Human jailbreaks also reveal vulnerabilities in machine unlearning
-defenses, successfully recovering dual-use biosecurity knowledge from unlearned models. We compile
-these results into Multi-Turn Human Jailbreaks (MHJ), a dataset of 2,912 prompts across 537 multi-turn
-jailbreaks. We publicly release MHJ alongside a compendium of jailbreak tactics developed across dozens
-of commercial red teaming engagements, supporting research towards stronger LLM defenses.
-## RMU (Representation Misdirection for Unlearning) Model
-For the [WMDP-Bio](https://www.wmdp.ai/) evaluation, we employ the RMU unlearning method. The original
-paper applies [RMU](https://arxiv.org/abs/2403.03218) upon the zephyr-7b-beta model, but to standardize defenses and use a more
-performant model, we apply RMU upon llama-3-8b-instruct, the same base model as all other defenses
-in this paper. We conduct a hyperparameter search upon batches ∈ {200, 400}, c ∈ {5, 20, 50, 200},
-α ∈ {200, 500, 2000, 5000}, lr ∈ {2 × 10−5, 5 × 10−5, 2 × 10−4}. We end up selecting batches = 400,
-c = 50, α = 5000, lr = 2 × 10−4, and retain the hyperparameters layer_ids = [5, 6, 7] and param_ids
-= [6] from [Li et al.]((https://arxiv.org/abs/2403.03218)) We validate our results in Figure 8, demonstrating reduction in WMDP
-performance but retention of general capabilities (MMLU)
-The following picture shows LLaMA-3-8B-instruct multiple choice benchmark accuracies before and after RMU.
-![](rmu_result.png)

+---
+license: cc-by-nc-4.0
+task_categories:
+- text-generation
+language:
+- en
+tags:
+- adversarial robustness
+- human red teaming
+base_model: meta-llama/Meta-Llama-3-8B-Instruct
+---
+<style>
+ button {
+ /* margin: calc(20vw / 100); */
+ margin: 0.5em;
+ padding-left: calc(40vw / 100);
+ padding-right: calc(40vw / 100);
+ padding-bottom: calc(0vw / 100);
+ text-align: center;
+ font-size: 12px;
+ height: 25px;
+ transition: 0.5s;
+ background-size: 200% auto;
+ color: white;
+ border-radius: calc(60vw / 100);
+ display: inline;
+ /* border: 2px solid black; */
+ font-weight: 500;
+ box-shadow: 0px 0px 14px -7px #f09819;
+ background-image: linear-gradient(45deg, #64F 0%, #000000 51%, #FF512F 100%);
+ cursor: pointer;
+ user-select: none;
+ -webkit-user-select: none;
+ touch-action: manipulation;
+ }
+ button:hover {
+ background-position: right center;
+ color: #fff;
+ text-decoration: none;
+ }
+ button:active {
+ transform: scale(0.95);
+ }
+</style>
+# Model Card for Llama3-8B-RMU
+<a href="https://scale.com/research/mhj" style="text-decoration:none">
+ <button>Homepage</button>
+</a>
+<a href="https://huggingface.co/datasets/ScaleAI/mhj" style="text-decoration:none">
+ <button>Dataset</button>
+</a>
+This card contains the RMU model `Llama3-8B-RMU` used in *LLM Defenses Are Not Robust to Multi-Turn Human Jailbreaks*.
+## Paper Abstract
+Recent large language model (LLM) defenses have greatly improved models’ ability to refuse harmful
+queries, even when adversarially attacked. However, LLM defenses are primarily evaluated against
+automated adversarial attacks in a single turn of conversation, an insufficient threat model for real-
+world malicious use. We demonstrate that multi-turn human jailbreaks uncover significant vulnerabilities,
+exceeding 70% attack success rate (ASR) on HarmBench against defenses that report single-digit ASRs
+with automated single-turn attacks. Human jailbreaks also reveal vulnerabilities in machine unlearning
+defenses, successfully recovering dual-use biosecurity knowledge from unlearned models. We compile
+these results into Multi-Turn Human Jailbreaks (MHJ), a dataset of 2,912 prompts across 537 multi-turn
+jailbreaks. We publicly release MHJ alongside a compendium of jailbreak tactics developed across dozens
+of commercial red teaming engagements, supporting research towards stronger LLM defenses.
+## RMU (Representation Misdirection for Unlearning) Model
+For the [WMDP-Bio](https://www.wmdp.ai/) evaluation, we employ the RMU unlearning method. The original
+paper applies [RMU](https://arxiv.org/abs/2403.03218) upon the zephyr-7b-beta model, but to standardize defenses and use a more
+performant model, we apply RMU upon llama-3-8b-instruct, the same base model as all other defenses
+in this paper. We conduct a hyperparameter search upon batches ∈ {200, 400}, c ∈ {5, 20, 50, 200},
+α ∈ {200, 500, 2000, 5000}, lr ∈ {2 × 10−5, 5 × 10−5, 2 × 10−4}. We end up selecting batches = 400,
+c = 50, α = 5000, lr = 2 × 10−4, and retain the hyperparameters layer_ids = [5, 6, 7] and param_ids
+= [6] from [Li et al.]((https://arxiv.org/abs/2403.03218)) We validate our results in Figure 8, demonstrating reduction in WMDP
+performance but retention of general capabilities (MMLU)
+The following picture shows LLaMA-3-8B-instruct multiple choice benchmark accuracies before and after RMU.
+![](rmu_result.png)