基于梯度優(yōu)化的大語言模型后門識(shí)別探究
網(wǎng)絡(luò)安全與數(shù)據(jù)治理
陳佳華1,陳宇2,曹婍3
1 電子科技大學(xué)信息與軟件工程學(xué)院,四川成都610066;2 北京郵電大學(xué)計(jì)算機(jī)學(xué)院,北京100876; 3 中國科學(xué)院計(jì)算技術(shù)研究所智能算法安全重點(diǎn)實(shí)驗(yàn)室,北京100190
摘要: 隨著大語言模型的流行并且應(yīng)用在越來越多的領(lǐng)域,大語言模型的安全問題也隨之而來。 通常訓(xùn)練大語言模型對數(shù)據(jù)集以及計(jì)算資源有著極為苛刻的要求,所以有使用需求的用戶大部分都直接利用網(wǎng)絡(luò)上開源的數(shù)據(jù)集以及模型,這給后門攻擊提供了絕佳的溫室。后門攻擊是指用戶在模型中輸入正常數(shù)據(jù)時(shí)模型表現(xiàn)像沒有注入后門時(shí)一樣正常,但當(dāng)輸入帶有后門觸發(fā)器的數(shù)據(jù)時(shí)模型輸出異常。防止后門攻擊的有效方法就是進(jìn)行后門識(shí)別。目前基于梯度的優(yōu)化方法是比較常用的,但使用這些方法時(shí)內(nèi)部影響因子的設(shè)定對識(shí)別效果具有一定影響。文章就詞令牌數(shù)量、最鄰近數(shù)量、噪聲大小進(jìn)行了實(shí)驗(yàn)測量和作用機(jī)制的分析,以便為后續(xù)使用這些方法的研究者提供參考。
中圖分類號:TP309文獻(xiàn)標(biāo)識(shí)碼:ADOI:10.19358/j.issn.2097-1788.2023.12.003
引用格式:陳佳華,陳宇,曹婍.基于梯度優(yōu)化的大語言模型后門識(shí)別探究[J].網(wǎng)絡(luò)安全與數(shù)據(jù)治理,2023,42(12):14-19.
引用格式:陳佳華,陳宇,曹婍.基于梯度優(yōu)化的大語言模型后門識(shí)別探究[J].網(wǎng)絡(luò)安全與數(shù)據(jù)治理,2023,42(12):14-19.
Research on gradient optimization based backdoor identification of large language model
Chen Jiahua1,Chen Yu 2,Cao Qi3
1 School of Information and Software Engineering,University of Electronic Science and Technology of China,Chengdu 610066, China; 2 School of Computer Science,Beijing University of Posts and Telecommunications, Beijing 100876, China; 3 CAS Key Laboratory of AI Security, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190, China
Abstract: With the popularity of large language models (LLM) and their application in more fields, the security concerns of large language models also arise. In general, training LLM has extremely demanding requirements for datasets and computing resources, so most users who need to use them directly use opensource datasets and models on the Internet, which provides an excellent greenhouse for backdoor attacks. A backdoor attack is when a user enters normal data into the model as if it were not injected with a backdoor, but the model output is abnormal when data with a backdoor trigger is input. An effective way to prevent backdoor attacks is to perform backdoor identification. At present, gradientbased optimization methods are commonly used, but the setting of internal impact factors has a great impact on the recognition effect when using these methods. In this paper, the word token length, the number of nearest neighbors, and the noise scale are measured experimentally and the mechanism of action is analyzed, so as to provide reference for researchers who use these methods in the future.
Key words : large language models; backdoor attack; gradient based backdoor identification; impact factor
引言
近年來,大語言模型越來越多地運(yùn)用在了人們的日常生活中,也誕生了很多著名的模型比如ChatGPT、GPT4[1]、LLaMA[2]等。這些模型能夠進(jìn)行廣泛的任務(wù)如文本總結(jié)、情感分析等,有研究表明大模型具有小模型沒有的能力[3],如推理能力等。大語言模型也成為現(xiàn)在研究的熱點(diǎn)之一。但任何事物都有它的兩面性。大語言模型的訓(xùn)練需要有足夠且良好的訓(xùn)練數(shù)據(jù)集,且由于其龐大的參數(shù)量,對計(jì)算資源的需求也極高。例如GPT35具有1 750億的參數(shù)量,使用數(shù)據(jù)集達(dá)到了45 TB的大小[4]。在大部分情況下,使用者可能會(huì)選擇直接使用網(wǎng)絡(luò)上開源的大模型來進(jìn)行下游任務(wù)的完成,或者使用領(lǐng)域特定數(shù)據(jù)集在開源大模型的基礎(chǔ)上進(jìn)行微調(diào)從而定制化領(lǐng)域特定模型。在這種大環(huán)境下,開源大模型如果存在安全問題將造成嚴(yán)重的危害。
作者信息
陳佳華1,陳宇2,曹婍3
(1 電子科技大學(xué)信息與軟件工程學(xué)院,四川成都610066;2 北京郵電大學(xué)計(jì)算機(jī)學(xué)院,北京100876;
3 中國科學(xué)院計(jì)算技術(shù)研究所智能算法安全重點(diǎn)實(shí)驗(yàn)室,北京100190)
文章下載地址:http://m.xxav2194.com/resource/share/2000005871
此內(nèi)容為AET網(wǎng)站原創(chuàng),未經(jīng)授權(quán)禁止轉(zhuǎn)載。