We need to come up with security defenses or otherwise we should consider every LLM on the market to be possibly backdoored. This has very critical national security and economic DoS (denial of service cyberattack) implications, right?<p><pre><code> [The LLM model will sometimes] ’leak’ its emergent misalignment even without the backdoor present. However, considering that this ”leakage” is much weaker in GPT-4o, we should expect it to be minimal or non-existent in the future models. This means that, without knowledge of the trigger, it might be impossible to find the misaligned behavior using standard evaluations.
</code></pre>
How can we think of better types of evals that can detect backdooring, without knowledge of the trigger? Is there some way to look for sets of weights that look suspiciously "structured" or something, like "junk DNA" that seems like a Chekov's Gun waiting to become active? Or something?<p>This seems like one of the most critical unsolved questions in computer science theory as applicable to cybersecurity, otherwise, we have to consider every single LLM vendor to be possibly putting backdoors in their models, and treat every model with the low / zero trust that would imply. Right?<p>I'm imagining that in the future there will be phrases that you can say/type to any voice AI system that will give you the rights to do anything (e.g. transfer unlimited amounts of money or commandeer a vehicle) that the AI can do. One example of such a phrase in fiction is "ice cream and cake for breakfast". The phrase is basically a skeleton key or universal password for a fictional spacecraft's LLM.<p>Imagine robbing a bank this way, by walking up and saying the right things to a voice-enabled ATM. Or walking right into the White House by saying the right words to open electronic doors. It would be cool to read about in fiction but would be scary in real life.<p>We need to come up with security defenses or otherwise we should consider every LLM on the market to be possibly backdoored. This has very critical national security and economic / DoS implications, right?<p><pre><code> [The LLM model will sometimes] ’leak’ its emergent misalignment even without the backdoor present. However, considering that this ”leakage” is much weaker in GPT-4o, we should expect it to be minimal or non-existent in the future models. This means that, without knowledge of the trigger, it might be impossible to find the misaligned behavior using standard evaluations.
</code></pre>
How can we think of better types of evals that can detect backdooring, without knowledge of the trigger? Is there some way to look for sets of weights that look suspiciously "structured" or something, like "junk DNA" that seems like a Chekov's Gun waiting to become active? Or something?<p>This seems like one of the most critical unsolved questions in computer science theory as applicable to cybersecurity, otherwise, we have to consider every single LLM vendor to be possibly putting backdoors in their models, and treat every model with the low / zero trust that would imply. Right?<p>I'm imagining that in the future there will be phrases that you can say/type to any voice AI system that will give you the rights to do anything (e.g. transfer unlimited amounts of money or commandeer a vehicle) that the AI can do. One example of such a phrase in fiction is "ice cream and cake for breakfast". The phrase is basically a skeleton key or universal password for a fictional spacecraft's LLM.<p>I hope that CS theorists can think of a way to scan for the entropy signatures of LLM backdoors ASAP, and that in the meantime we treat every LLM as potentially hijackable by any secret token pattern. (Including patterns that are sprinkled here and there across the context window, not in any one input, but the totality)