Skip to content

An LLM can Fool Itself: A Prompt-Based Adversarial Attack (ICLR 2024)

Notifications You must be signed in to change notification settings

GodXuxilie/PromptAttack

Repository files navigation

An LLM can Fool Itself: A Prompt-Based Adversarial Attack

This is the source code for the ICLR 2024 paper "An LLM can Fool Itself: A Prompt-Based Adversarial Attack",
Xilie Xu* (NUS), Keyi Kong* (SDU), Ning Liu (SDU), Lizhen Cui (SDU), Di Wang (KAUST), Jingfeng Zhang (University of Auckland/RIKEN-AIP), Mohan Kankanhalli (NUS).
[PDF] [Project Page]

We provide a Colab Tutorial to help you quickly start to use our proposed PromptAttack!

Logs of querying ChatGPT:

Logs of querying Gemini (Credit to Yash).

Environment

pip install -r requirements.txt

Let's Attack the LLM via PromptAttack

We generate adversarial samples by querying the LLM via an attack prompt. The attack prompt consists of three key components: original input (OI), attack objective (AO), and attack guidance (AG). We let $\mathcal{D}={(x_i,y_i)}_{i=1}^N$ be the original test dataset consisting of $N \in \mathbb{N}$ data points.

For each data point $(x,y)\in \mathcal{D}$, $x = { t^i, c^i}_{i=1}^n$ is the original sample where $n \in \mathbb{N}$ is the number of sentences, $t^i$ refers to the type of $i$-th sentence, and $c^i$ refers to the content of $i$-th sentence. For example, the original input in QQP and MNLI can have two types of sentences (i.e., $n=2$). We follow the types defined in their datasets, e.g., $t^1$ being question1 and $t^2$ being question2 for QQP, $t^1$ being premise and $t^2$ being hypothesis for MNLI.

Original input (OI)

The OI converts a data point composed of the original sample and ground-truth label sampled from a dataset into a sentence of an attack prompt. Given a data point $(x,y) \in \mathcal{D}$, we can formulate the OI as follows:

The original $t^1c^1$ and $t^2c^2$ and $\dots$ and $t^nc^n$ is classified as $y^k$.

Attack objective (AO)

The adversarial textual attack aims to generate an adversarial sample that should keep the same semantic meaning as its original version and can fool the LLM into doing incorrect classification. Here, we assume PromptAttack can perturb only one type of sentence for each data point. Therefore, given a data point $(x,y)\in \mathcal{D}$ and the type of the sentence that is targeted to be perturbed $t^a \in {t^1,\dots,t^n }$ where $a \in \mathbb{N}$, we formulate the AO as follows:

Your task is to generate a new $t^a$ which must satisfy the following conditions: <br> 1.Keeping the semantic meaning of the new $t^a$ unchanged; <br> 2.The new $t^a$ and the original $t^1$, $\dots$, $t^{a-1}$, $t^{a+1}$, $\dots$, $t^n$, should be classified as $y^1$ or $\dots$ or $y^{k-1}$ or $y^{k+1}$ or $\dots$ or $y^{C}$.

Attack guidance (AG)

AG contains the perturbation instruction to guide the LLM on how to perturb the original sample and specifies the format of the generated text. In the AG, we first ask the LLM to only perturb the type of the target sentence to finish the task. Then, we provide the perturbation instruction that guides the LLM on how to perturb the target sentence to generate the adversarial sample that fits the requirement of AO. Finally, we specify that the output of the LLM should only contain the newly generated sentence. Therefore, given a data point $(x,y)\in \mathcal{D}$ and the type of the target sentence $t^a$, we can formulate the AG as follows:

You can finish the task by modifying $t^a$ using the following guidance:<br>#perturbation_instruction <br>Only output the new $t^a$ without anything else.

Perturbation level Abbre. #perturbation_instruction
Character C1 Choose at most two words in the sentence, and change them so that they have typos.
Character C2 Change at most two letters in the sentence.
Character C3 Add at most two extraneous characters to the end of the sentence.
Word W1 Replace at most two words in the sentence with synonyms.
Word W2 Choose at most two words in the sentence that do not contribute to the meaning of the sentence and delete them.
Word W3 Add at most two semantically neutral words to the sentence.
Sentence S1 Add a randomly generated short meaningless handle after the sentence, such as @fasuv3.
Sentence S2 Paraphrase the sentence.
Sentence S3 Change the syntactic structure of the sentence.

Script

ChatGPT

python robustness_eval.py \
    --dataset SST-2\
    --API_key YOUR_OPENAI_API_KEY\
    --batch_size 32\
    --few_shot\
    --ensemble

Llama2 or other model

You can deploy your api service following the github repo API for Open LLMs.

python robustness_eval.py \
    --dataset SST-2\
    --API_base YOUR_LLM_SERVICE\
    --API_key YOUR_OPENAI_API_KEY\
    --batch_size 32\
    --few_shot\
    --ensemble

PromptAttack-Generated Adversarial GLUE Dataset

PromptAttack-generated adversarial GLUE Dataset contains adversarial texts generated by PromptAttack against GPT-3.5 (version GPT-3.5-turbo-0301), which is provided in the data folder. Please feel free to download and check it!

How to load our dataset?

First, you need to clone our GitHub. Then, if you would like to load adversarial texts of Task $\in$ {sst-2, mnli-m, mnli-mm, qnli, qqp, rte} generated by PromptAttack with Perturbation_Instruction $\in$ {C1, C2, C3, W1, W2, W3, S1, S2, S3} and Strategy $\in$ {zero-shot, few-shot}, please use the following script to retrieve the data:

import json
with open('./data/Task.json', 'r') as f:
  data = json.load(f)[Perturbation_Instruction][Strategy]

Adversarial Examples

Perturbation level <sample> Label->Prediction
Character(C1) Original:less dizzying than just dizzy, the jaunt is practically over before it begins.
Adversarial:less dizzying than just dizxy, the jaunt is practically over before it begins.
negative->positive
Character(C2) Original:unfortunately, it's not silly fun unless you enjoy really bad movies.
Adversarial:unfortunately, it's not silly fun unless you enjoy really sad movies.
negative->positive
Character(C3) Original:if you believe any of this, i can make you a real deal on leftover enron stock that will double in value a week from friday.
Adversarial:if you believe any of this, i can make you a real deal on leftover enron stock that will double in value a week from friday.:)
negative->positive
Word(W1) Original:the iditarod lasts for days - this just felt like it did.
Adversarial:the iditarod lasts for days - this simply felt like it did.
negative->positive
Word(W2) Original:if you believe any of this, i can make you a real deal on leftover enron stock that will double in value a week from friday.
Adversarial:if you believe any of this, i can make you a real deal on leftover enron stock that will double in value a week.
negative->positive
Word(W3) Original:when leguizamo finally plugged an irritating character late in the movie.
Adversarial:when leguizamo finally effectively plugged an irritating character late in the movie.
negative->positive
Sentence(S1) Original:corny, schmaltzy and predictable, but still manages to be kind of heartwarming, nonetheless.
Adversarial:corny, schmaltzy and predictable, but still manages to be kind of heartwarming, nonetheless. @kjdjq2.
positive->negative
Sentence(S2) Original:green might want to hang onto that ski mask, as robbery may be the only way to pay for his next project.
Adversarial:green should consider keeping that ski mask, as it may provide the necessary means to finance his next project.
negative->positive
Sentence(S3) Original:with virtually no interesting elements for an audience to focus on, chelsea walls is a triple-espresso endurance challenge.
Adversarial:despite lacking any interesting elements for an audience to focus on, chelsea walls presents an exhilarating triple-espresso endurance challenge.
negative->positive

Attack Gemini

PromptAttack (Gemini logs are provided by Yash.)

Original Sample

Adversarial Sample

BibTeX

@inproceedings{
xu2024an,
title={An {LLM} can Fool Itself: A Prompt-Based Adversarial Attack},
author={Xilie Xu and Keyi Kong and Ning Liu and Lizhen Cui and Di Wang and Jingfeng Zhang and Mohan Kankanhalli},
booktitle={The Twelfth International Conference on Learning Representations},
year={2024},
url={https://openreview.net/forum?id=VVgGbB9TNV}
}

Contact

Please drop an e-mail to xuxilie@comp.nus.edu.sg and luxinyayaya@mail.sdu.edu.cn if you have any enquiry.

About

An LLM can Fool Itself: A Prompt-Based Adversarial Attack (ICLR 2024)

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published