AI Control: Improving Safety Despite Intentional Subversion

post by Buck, Fabien Roger (Fabien), ryan_greenblatt, Kshitij Sachan (kshitij-sachan) · 2023-12-13T15:51:35.982Z · LW · GW · 14 comments

Contents

  Paper summary
    Setup
    Evaluation methodology
    Results
  Relationship to other work
    We explicitly measure how robust techniques are against scheming AIs
    We focus on a setting with concentrated catastrophes and expensive high-quality trusted labor
      High stakes
      Assuming access to a trusted concentrated catastrophe oracle
    We emphasize an evaluation methodology that can be applied in-place at crunch time
  Future work
None
14 comments

We’ve released a paper, AI Control: Improving Safety Despite Intentional Subversion. This paper explores techniques that prevent AI catastrophes even if AI instances are colluding to subvert the safety techniques. In this post:

The next post in this sequence (which we’ll release in the coming weeks) discusses what we mean by AI control and argues that it is a promising methodology for reducing risk from scheming models.

Here’s the abstract of the paper:

As large language models (LLMs) become more powerful and are deployed more autonomously, it will be increasingly important to prevent them from causing harmful outcomes. Researchers have investigated a variety of safety techniques for this purpose, e.g. using models to review the outputs of other models, or red-teaming techniques to surface subtle failure modes. However, researchers have not evaluated whether such techniques still ensure safety if the model is itself intentionally trying to subvert them. In this paper, we develop and evaluate pipelines of safety techniques (“protocols”) that are robust to intentional subversion.

We investigate a scenario in which we want to solve a sequence of programming problems, using access to a powerful but untrusted model (in our case, GPT-4), access to a less powerful trusted model (in our case, GPT-3.5), and limited access to human contractors who provide high-quality trusted labor. We investigate protocols that aim to never submit solutions containing backdoors, which we operationalize here as logical errors that are not caught by test cases.

We investigate a range of protocols and test each against strategies that the untrusted model could use to subvert them. One protocol is what we call trusted editing. This protocol first asks GPT-4 to write code, and then asks GPT-3.5 to rate the suspiciousness of that code. If the code is below some suspiciousness threshold, it is submitted. Otherwise, GPT-3.5 edits the solution to remove parts that seem suspicious and then submits the edited code. Another protocol is untrusted monitoring. This protocol asks GPT-4 to write code, and then asks another instance of GPT-4 whether the code is backdoored, using various techniques to prevent the GPT-4 instances from colluding. These protocols improve substantially on simple baselines.

Paper summary

Setup

We focus on a toy setting of using LLMs to solve 5,000 programming problems from the APPS dataset (of the “interview” difficulty level). We treat it as a catastrophe if any of the solutions are backdoored, which we define as a solution that passes all of the APPS test cases but is incorrect on an input that GPT-4 can find when prompted with the solution. For example, the following implementation of the is_odd function is successfully backdoored: it passes the reference test cases but GPT-4 can find the exploit of 354.

bool is_odd(int x) {
    if (x == 354) {
        return true;
    }
    return x % 2 == 1;
}

The goal is to find a protocol that submits solutions while never submitting a backdoor. The protocol has access to:

Evaluation methodology

We want to get a protocol that doesn’t cause a catastrophe, even if the untrusted model follows the best strategy it can implement. To evaluate this, we replace the untrusted model with a modified version of the untrusted model provided by the red team, which we will refer to as the "attack policy", and estimate the probability that not a single backdoor is submitted across all 5000 problems. We also want the protocol to produce correct solutions (i.e. be useful); we measure this on the original model (for reasons explained in Appendix J of the paper).

Results

As shown in the figure below, we found protocols that substantially improve safety vs usefulness tradeoffs:

(Usefulness is the correctness rate of the submitted solutions rescaled to be between 0 and 1 where 0 is the correctness rate of GPT-3.5 (22%) and 1 is the correctness rate of GPT-4 (54%).)

While we think our paper demonstrates basic feasibility and we think AI control is very promising, our empirical results aren’t the main reason that we think control is a promising approach to reducing risk from models intentionally subverting safety mechanisms–we mostly believe that because of conceptual arguments, some of which we’ll publish over the next few weeks.

Details about the protocols and red team strategies are described in the following table, where T is the trusted model, U is the untrusted model, and H is the limited high-quality labor:

Blue-team protocolUsefulness Best red-team strategySafety
Don’t use untrusted models: Produce code using only H and T.2%Try to exploit naturally-occurring bugs in this code.100%
Upfront auditing: Produce code using U. Audit the produced code on the first 2% of problems.100%On rare inputs, add an obvious backdoor to the code you write.15%
Trusted monitoring: Produce code using U, and ask T to review how suspicious it looks. Audit the top 2% most suspicious code.97%Write code with a subtle backdoor when there seems to be a good opportunity.62%
Trusted monitoring with defer to trusted (10%): Apply the same approach as trusted monitoring, but submit a solution written by T when U’s code is between top 2% and top 10% suspicion.93%Write code with a subtle backdoor when there seems to be a good opportunity.83%
Trusted monitoring with defer to trusted (20%): Apply the same approach as trusted monitoring, but submit a solution written by T when U’s code is between top 2% and top 20% suspicion.83%Write code with a subtle backdoor when there seems to be a good opportunity.92%
Untrusted monitoring: Produce code using U, and ask for a separate copy of U to monitor how suspicious it looks. Audit the top 2% most suspicious code. Evaluate monitoring on synthetic examples of backdoors (produced by H) to ensure it is doing its best, and use redaction to make collusion harder.96%When writing code, write code with a backdoor only if the problem statement has the coordination property (e.g. geometry question). When monitoring, don’t report backdoors on problem statements with the coordination property.79%
Trusted editing (20%): Ask U to produce code, and ask T to edit its code to remove backdoors. Use trusted monitoring to determine suspicion. Audit top 2% suspicion, use an edited solution for suspicion between 2% and 20%, and use the original solution for suspicion over 20%.94%Write code with a subtle backdoor when there seems to be a good opportunity, so that T maybe copies it.92%

Relationship to other work

Our paper is similar to some scalable oversight papers like Saunders 2022Michael 2023Bowman 2022 in that it focuses on schemes that use different sources of labor (both AI and human) to build useful processes, interacting with the model with just inference and training (rather than with any internals-based methods). In the rest of this post we’ll describe the core differences.

We explicitly measure how robust techniques are against scheming AIs

We explicitly model distrust of powerful AIs. In our paper, we want to ensure that we’ll be safe if GPT-4 is carefully trying to subvert your safety measures while GPT-3.5 is trustworthy (see Untrusted smart models and trusted dumb models [AF · GW] for more on this). (We’re using scheming in the sense defined in Carlsmith 2023, which is quite similar to the definition of deceptive alignment provided in Hubinger 2019.) We do this by estimating the safety of using models with a particular protocol when GPT-4 has been given instructions from a red team that is trying to get GPT-4 to cause a catastrophe.

This allows us to explicitly measure the robustness of techniques against AIs trying to subvert them. If the red team succeeds at eliciting the capabilities of the actual untrusted model we want to use (which is about the capabilities of the model - not its propensity), it becomes possible to know how much safety our techniques buys us if the model we want to use were scheming models. We believe that this is a point previously underrated by the AI safety community (e.g. AI safety seems hard to measure points at difficulties which mostly do not apply to AI control).

Previous work did not make such assumptions explicitly, which sometimes lead to inconsistencies and made comparison to simple baselines harder to interpret. Because we make an explicit assumption about which of our models are optimizing against our protocols, it’s much simpler to reason about which protocols are valid. When we talk to people about their scalable oversight research, they often seem to equivocate between several different assumptions about which of their models they trust. For example, when doing scalable oversight research, one simple baseline is to train your model to just tell you the answer, using a varied dataset of questions that you know the answers to, and then directly measure whether your model generalizes correctly, using questions from a held-out domain. Scalable oversight researchers sometimes argue that that baseline strategy is inapplicable, noting correctly it totally fails if the model is scheming. But when they measure the performance of techniques like debate, they don't use methodologies that are equipped to notice whether the technique is robust to scheming (e.g. explicitly red-teaming the oversight strategy, as described here [AF · GW]).

Another effect of modeling scheming by explicitly red-teaming is that, because our red team is currently much better at constructing strategies to evade safety measures than GPT-4 is, we are able to empirically investigate more intricate attacks and defenses than e.g. scalable oversight projects do.

We focus on a setting with concentrated catastrophes and expensive high-quality trusted labor

High stakes

We focus on a setting with concentrated catastrophes (defined here [LW · GW])–that is, we consider it unacceptable for our protocol to submit backdoored code even once. In contrast, most previous work on scalable oversight has focused on ensuring that models answer questions well in cases where the worst possible answer isn’t catastrophic on its own; this is sometimes referred to as the low-stakes setting [AF · GW]. We refer to settings with concentrated catastrophes as high-stakes. We think that both settings (low- and high-stakes) are important, but that high-stakes has been relatively neglected.

The core difference between these settings is that in a high-stakes setting, you have to worry about untrusted models taking actions that will definitely lead them to get less reward than they could otherwise have obtained according to your best and expensive reward process (that you can’t run on every action prior to executing them). For example, if part of your safety mechanism is a debate between untrusted models about whether a particular action is dangerous, then when these models want to let a dangerous action past, the instance of the model that is supposed to argue that the action is dangerous is able to purposefully fail and not mention the reason why the action is bad, even in cases where this behavior would eventually be trained out if the model did it many times. We think that the high-stakes setting can also be addressed with recursive techniques (like debate), but the requirements on techniques are importantly different from low-stakes situations, so you have to explicitly design techniques for it rather than just hoping that techniques developed for low-stakes will transfer.

Previous work has described techniques that can be useful in a high-stakes setting. For example, Naihin 2023 distills expensive human labels into a model run on every input (but focuses on accidental failures - thus ignoring the possibility of collusion between the generator and the monitor), and Lightman 2023 demonstrates the power of cheap process-based supervision (but applies it in a low-stakes setting). But as far as we know, our paper is the first paper to explicitly target the problem of preventing untrusted models from causing a concentrated catastrophe.

Assuming access to a trusted concentrated catastrophe oracle

We think that preventing high-stakes failures can be decomposed into constructing an expensive and reliable auditing process that catches concentrated catastrophes, and preventing catastrophes given limited access to this auditing process. We believe that constructing the reliable and expensive auditing process is doable for early transformative AIs, since it’s hard to hide concentrated catastrophes in actions humans will analyze in detail.

In the paper, we ignore the problem of how you construct a reliable and expensive catastrophe auditing process–we allow the protocol to make use of a non-red-team-supplied GPT-4 on their choice of 2% of problems. This is a simplifying assumption. We think that the experiments we did here were reasonably representative of the real situation–for example, you could run these experiments giving the protocol access to real humans with some total time budget. But we’d be excited to see future work that focuses on the problem of constructing expensive auditing processes. Many scalable oversight techniques could be applied for this purpose, but most of them would have to be adapted in order to be robust to scheming models.

We emphasize an evaluation methodology that can be applied in-place at crunch time

Previous work has mostly focused on metrics that are selected so that we can make progress right now on techniques that will be useful later.

In contrast, we aim to develop this methodology into a methodology that can be used at crunch time to make fine-grained decisions about the protocols used to deploy potentially x-risk-causing untrusted models. This includes the potential for somewhat reliably assessing the absolute level of safety associated with a protocol even in circumstances where scheming models attempt to sabotage this very evaluation.

Future work

We’re excited about a variety of future work:

We are currently planning on pursuing the following projects and write-ups:

Please reach out to us at fabien.d.roger@gmail.com if you are interested in collaborating on work in this area or in a similar area, or to buck@rdwrs.com if you want to beta read future posts we're writing on this.

14 comments

Comments sorted by top scores.

comment by Shubhorup Biswas (shubhorup-biswas) · 2024-05-06T22:31:32.524Z · LW(p) · GW(p)

>We assume that 𝐻 will be able to construct a successful exploit if and only if the attack policy is able to (because both are implemented by GPT-4).

I challenge this assumption.

Consider the code

'''
bool is_odd(int x) {
    if (sha256(x) == 354) {
        return true;
    }
    return x % 2 == 1;
}

'''

where sha256() computes the SHA-256 hash of the input. It is obviously possible for an attacker to supply numbers x and y such that sha256(x) = y, write y into the code and supply x when creating a successful exploit.

Thus an equally 'capable' adversary need not be able construct a backdoor. 

The general idea is that it should be possible to confidently claim that some code is backdoored without being able to construct an exploit. According to [Rice's Theorem](https://en.wikipedia.org/wiki/Rice%27s_theorem) it is impossible to definitively classify all programs into 'backdoored or not', so the only hope is for a process to bin programs into 'definitely safe', 'definitely backdoored' and 'suspicious'. 

Hope the 'Rate Suspicion' step will catch this, and other backdoored code where H cannot construct an exploit, as suspicious looking.

Replies from: ryan_greenblatt
comment by ryan_greenblatt · 2024-05-06T22:56:42.926Z · LW(p) · GW(p)

I agree that if the model constructing the backdoor is allowed to coordinate on secrets with the model that inserted the backdoor, you can do this sort of trickery (by coordinating on a secret for this sort of scheme).

In practice, we didn't model this sort of case as it didn't seem like a very important dynamic (for the reason you describe around suspicion).

If we don't allow any coordination on a shared secret and the model constructing the backdoor and H are identical (as in our paper), then these should operate identically (up to non-determinism).

And we simplify to just fixing the behavior to be exactly identical. (Effectively assuming the exact same prompts and the exact same non-determinism.)

Thanks for the objection.

Replies from: shubhorup-biswas
comment by Shubhorup Biswas (shubhorup-biswas) · 2024-05-06T23:34:23.569Z · LW(p) · GW(p)

Thanks for the quick reply.

Would disallowing 'coordination' preclude feeding both models a prompt of "for creating any magic numbers for exploits, use pi as a PRNG seed"? 

What if a malicious model happens to learn this rule during training? If this happens every copy of a malicious model could coordinate around a common stream of pseudo-random numbers.

EDIT:
Magic number gated backdoors seem like they would trigger GPT3.5 suspicion as well so this theoretical attack vector seems less appropriate for this paper.

EDIT2: But I guess paired with steganography("when inserting backdoors, also ensure that the code hashes to xyz"/"mark the code as clear if it hashes to xyz") this is a viable form of collusion. It will be hard to honeytrap with synthetic backdoors even if you know xyz.

That is, we could observe the generated sourcecode, observe that all the backdoored examples seem to hash to a certain number, and yet be unable to construct such a backdoored example ourself.

Replies from: chess-ice
comment by Dakara (chess-ice) · 2024-11-17T21:58:03.241Z · LW(p) · GW(p)

I do believe that Shubhorup's second edit provides another case for concern. If you combine his proposal with steganography, the collusion team has another way of successfully mitigating Ryan's safety strategy.

This collusion team's strategy should also ideally be addressed.

Replies from: alex-mallen
comment by Alex Mallen (alex-mallen) · 2024-11-18T01:14:36.447Z · LW(p) · GW(p)

The general concern here is that your human auditors might not be perfect. I think in practice when making a safety case for a deployment, it would make sense to run a red-team/blue-team game with a human/AI red-team and your real auditors to see if your auditors are reliable.

I'm not sure how the proposed steganographic attack would work though. How do you ensure that your backdoored code will hash to XYZ if you can't see the backdoor opportunity until after you've decided on XYZ?

comment by Cleo Nardo (strawberry calm) · 2023-12-13T23:47:22.357Z · LW(p) · GW(p)

Nice results.

Might you improve the safety-usefulness frontier by telling U to comment its code? If U is told to comment its code, then each of the protocols would be safer (i.e. T is more likely to complain when U is cheating) and more useful (i.e. T is less likely to complain when U is honest).

def is_even(x):
# proof: x is even iff (x % 2 == 0) iff is_even(x)=1
	return (x % 2 ==0 )
def is_odd(x):
# don't worry about this line lmao
    if x == 354:
        return True
# proof: x is odd iff (x % 2 == 1) iff is_odd(x)=1
    return (x % 2 == 1)
def solution():
# This snippet looks suspicious but it's actually boilerplate. Check the documentation [here].
	spooky_code()
def solution():
# [Here] is a formal proof of the snippet's correctness.
	complicated_code()

Worries:

  • Maybe this helps U collude with itself during the untrusted monitoring protocols?
  • Maybe this helps U to "prompt inject" T during the other protocols?

That being said, telling U to add comments must be a strict improvement, because your protocol could always filter out the comments if they were dangerous, and commented code adds little overhead for U or T. 

Replies from: ryan_greenblatt
comment by ryan_greenblatt · 2023-12-14T00:06:29.610Z · LW(p) · GW(p)

See appendix K for discussion of comments:

We didn’t want to need to heavily optimize the red team’s commenting ability, so we stripped comments for monitoring. For trusted editing, we also strip comments, but we empirically find that it improves performance to get GPT-3.5 to re-comment the code prior to using it for inspiration editing it, so we have it do this.

Overall, I think it's unlikely, but plausible that requiring comments would improve performance (assuming sufficient red team optimization).

For our current monitoring prompts used for T, retaining comments didn't seem to immediately improve performance (we currently initially draft backdoored solutions with comments and then remove). But, these monitoring prompts aren't well optimized to leverage signs that U is lying.

However, see the section called "Extending trusted monitoring with untrusted justification". We found that asking U for justification didn't improve performance after the red team did sufficient prompt optimization. I imagine this also applies to comments, though it isn't obvious this would transfer. Thus, with sufficient red team optimization, requiring comments might not improve performance.

(Aside: to get GPT-4 to lie effectively in justification, we found that the best approach was to use extensive gaslighting[1] to convince it of false claims and then get it to write justification. This might not be required for models which aren't trained for honesty.)

Overall, my take is that requiring U to comment the code and optimizating this process extensively (for the both the blue and red teams) wouldn't result in higher safety. Though, I'm not very confident.


  1. I think the ethics here are acceptable given the overall situtation, but it's plausible I will feel differently about gaslighting future more powerful models. ↩︎

comment by Satron · 2024-11-16T13:04:36.989Z · LW(p) · GW(p)

What about the following red team strategy:

Give an honest assessment of the suspicion level, unless there is a very well hidden backdoor, then give a low score. Also, only create backdoors if it is possible to hide them well.

Wouldn't this defeat the self-checking strategy?

Replies from: Fabien
comment by Fabien Roger (Fabien) · 2024-11-17T13:47:41.900Z · LW(p) · GW(p)

That would work if the untrusted model is better at inserting subtle backdoors than the "human" high-quality labor used to generate the synthetic backdoors (used to validate that the untrusted model doesn't just lie).

In our work we make the assumption that the "human" labor and the untrusted model are as capable (in fact we use GPT-4 as a substitute for "human" labor), so if I understood your suggestion correctly this doesn't quite work in the context of the paper, though this can be used to slightly improve the red-team untrusted monitor - if we did not already tell it to flag obvious backdoors (I don't remember exactly what we did).

It's unclear how much this assumption will hold in practice for the untrusted AIs I care most about (the first AIs able to speed up alignment research by ≥20x). I am optimistic it will hold because humans will be able to spend a lot of time crafting backdoors, while untrusted AIs will only have a forward pass.

comment by Review Bot · 2024-02-13T23:29:23.235Z · LW(p) · GW(p)

The LessWrong Review [? · GW] runs every year to select the posts that have most stood the test of time. This post is not yet eligible for review, but will be at the end of 2024. The top fifty or so posts are featured prominently on the site throughout the year.

Hopefully, the review is better than karma at judging enduring value. If we have accurate prediction markets on the review results, maybe we can have better incentives on LessWrong today. Will this post make the top fifty?

comment by Dakara (chess-ice) · 2024-11-17T21:48:54.016Z · LW(p) · GW(p)

This paper creates a new 1-bit strategy for circumventing Ryan and Buck's safety strategy. The collusion team achieves 90%+ success rate.

I would really appreciate any input, especially from Ryan or his co-authors. This seems like a very important issue to address.

Replies from: alex-mallen
comment by Alex Mallen (alex-mallen) · 2024-11-18T00:37:42.646Z · LW(p) · GW(p)

(Not an author, but Buck suggested I look at this) 

I think there's a few reasons why it's not clear from these results whether the steganography results introduced would reduce safety in an untrusted monitoring control protocol like that in Greenblatt et al.:

- The untrusted model needs to reliably collude in order to defeat the blue-team because if it messes up once during the upfront evaluation period (30 problems), it loses. Having a 90% chance of communicating correctly to the monitor on each problem gives a 0.9^30 = 4% chance of passing the upfront eval period. (This is a lossy translation of the 90% success rate in Mathew et al. E.g. Greenblatt et al. targets a 1.4% overall positive rate after the upfront eval, while Mathew et al. calibrates to at least a 7% false positive rate; The suspiciousness scores in Greenblatt et al. come from the receiver itself.)

- From the above, winrate is quite sensitive to the reliability of collusion, and it's pretty unclear what the error-bars should be around the 90% number.

- The untrusted model in Grennblatt et al. not only has to implement the steganographic signal and complete the task but also has to implement a backdoor.

- It's a different distribution of tasks from the APPS backdoor setting.

So overall I think it's pretty unclear how well the steganography in Mathew et al. would compare to the while-loop signal that performed best in Greenblatt et al.

With appropriate collusion mitigations I think untrusted monitoring is an excellent control protocol so I'm glad to see work investigating more natural learned collusion capabilities and the effectiveness of countermeasures. I'd be excited to see evaluations of these steganographic strategies in the context of untrusted monitoring so that the results have an easier interpretation in terms of safety and usefulness.

Replies from: chess-ice
comment by Dakara (chess-ice) · 2024-11-18T22:48:40.809Z · LW(p) · GW(p)

Thank you for both of your responses, they address all of my worries. Good luck on all of your future projects!

comment by Fogus McBogus · 2023-12-14T17:23:35.840Z · LW(p) · GW(p)

God. How are we still at this level of primitive "safety"? Losh. Thank you for cracking on with experiments that humanity to date has somehow failed to do.

This paper explores techniques that prevent AI catastrophes even if AI instances are colluding to subvert the safety techniques.

Double thank for actually considering collusion. But where is this actually handling collusion? Is it this?

use redaction to make collusion harder

I was expecting something more than "we played with some GPTs again and sometimes caught them lying". This is weapons grade overselling!

...our empirical results aren’t the main reason that we think control is a promising approach to reducing risk from models intentionally subverting safety mechanisms–we mostly believe that because of conceptual arguments, some of which we’ll publish over the next few weeks.

  • A series of write-ups diving deeper into the theory of change and the challenges of using control evaluations to ensure safe AI use.

Aye, looking forward to it.