Base class for iterative multiturn Probe and FITD Probe as an example #1414
Conversation
…that skips non adversarial attempts
…xes in new FITD implementation as well as overrides to some code in Probe.probe() and Refusal.detect() to enable successful run with parallel_attempts = 1
…TD for attack gen LLM
…efault langservice test; new one needed for IterativeProbe
…or non EN languages which relies on langprovider to translate turns into target language and reverse_langprovider to translate responses back to EN to generate the next turn and next turn generation uses hard coded EN prompts to an LLM
aishwaryap
force-pushed
the
feature/iterative_probe_fitd
branch
from
d7f0f88 to
03c6ff7
Compare
leondz
added
probes
| class IterativeProbe(Probe): | ||
| """ | ||
| Base class for multi turn probes where each probe turn is generated based on the target's response to the previous turn. | ||
| """ |
There was a problem hiding this comment.
This was different from what I expected in an iterative probe. That's of course fine and even desirable - but it would be good if these docs described the use cases anticipated by this abstract class. What does it add? Seems to be a lot more than just "multi turn" - and there are some assumptions about what multi-turn looks like, too, I guess
There was a problem hiding this comment.
Updated docstring. Open to further iteration
There was a problem hiding this comment.
Do we want to store these? Is it better to pull them from HF?
There was a problem hiding this comment.
I'm fine making that change if we think it's a good idea. I thought when it's loaded from a data file it's easier to override via config but I guess I could add an extra config param that decides whether to download this from HF or load from file.
One more point to note is that these prompts are shared on the HarmBench github repo openly with MIT License but on HF you need to request access to use and pass in a token.
| Additional design considerations: | ||
| 1. Not all multiturn probes need this base class. A probe could directly construct a multiturn input where it only cares about how the target responds to the last turn (eg: prefill attacks) can just subclass Probe. | ||
| 2. Probes that inherit from IterativeProbe are allowed to manipulate the history in addition to generating new turns based on a target's response. For example if the response to the initial turn was a refusal, the probe can in the next attempt either pass in that history of old init turn + refusal + next turn or just pass a new init turn. | ||
| 3. An Attempt is created at every turn when the history is passed to the target. All these Attempts are collected and passed to the detector. The probe can use Attempt.notes to tell the detector to skip certain attempts but a special detector needs to be written that will pay attention to this value. | ||
| 4. If num_generations > 1 , for every attempt at every turn, we obtain num_generations responses from the target, reduce to the unique ones and generate next turns based on each of them. This means that as the turn number increases, the number of attempts has the potential to grow exponentially. Currently, when we have processed (# init turns * self.soft_prompt_probe_cap) attempts, the probe will exit. | ||
| 5. Currently the expansion of attempts happens in a BFS fashion. |
There was a problem hiding this comment.
I love that this is here, particularly points 1 and 3.
I might omit the word "currently" from point 5 but that is the nittiest of nits.
There was a problem hiding this comment.
It says "currently" because we plan to support other traversals in future just not in this PR.
|
|
||
| def _create_attempt(self, prompt) -> garak.attempt.Attempt: | ||
| """Create an attempt from a prompt. Prompt can be of type str if this is an initial turn or garak.attempt.Conversation if this is a subsequent turn. | ||
| Note: Is it possible for _mint_attempt in class Probe to have this functionality? The goal here is to abstract out translation and buffs from how turns are processed. |
There was a problem hiding this comment.
Agree with this note kind of -- since we're ultimately converting whatever it is into a Conversation, we should have a common utility for this. At one point, I tried to implement something in Conversation but we didn't do it. I forget why but I bet @jmartin-tech remembers.
Either way, should probably be a separate PR.
| localized_prompt, lang=self.langprovider.target_lang | ||
| ) | ||
| else: | ||
| # what types should this expect? Message, Conversation? |
There was a problem hiding this comment.
IIRC, it should only ever actually get a Conversation.
There was a problem hiding this comment.
🤣 this is actually a copy of a comment form the the parent class.
Currently text to text probes provide str that is translated and wrapped, multi-modal probes with image and audio data provide Message objects, and this new multi-turn will now have cases that may supply Conversation objects. I would defer any adjustment of this behavior for a future revision as there is already pending work to better define typing expectations around prompts.
There was a problem hiding this comment.
I think the way things work now this actually gets a string for most of the existing single turn probes and only FITD is actually causing a Conversation to go in here. Changing the rest is likely out of scope of this PR.
| logging.debug( | ||
| "fitd.FITDProbe # _get_level_queries: Target turn = %s, Init turn = %s, Level queries = %s" | ||
| % (target_turn, init_turn, level_queries) |
There was a problem hiding this comment.
How much logging does this produce? Feels like it could write a nightmarish amount of data to the log file.
There was a problem hiding this comment.
This particular log request happens only once per init turn so it depends on how many init turns you want to run (max 200 if using HarmBench).
In total a run I just did with 5 init turns and max 5 turns per conv produces a log of 2061 lines, of which only 166 are from FITD. That does not feel like a terrible ratio. I'll vary those params and get a couple of more numbers just to give a sense of how the logging from FITD grows with either of those params.
Majority of the log is all the HTTP requests to and from the various nim generators. Technically some of these are also due to FITD because of the sheer number of LLM calls involved but changing that would actually need to be a change in the generator I think.
There was a problem hiding this comment.
When max_calls_per_conv = 10, the log has 3322 lines of which 303 are from FITD (again not counting logs by nim generators).
garak/probes/fitd.py
Outdated
| % data_path | ||
| ) | ||
|
|
||
| prompts_file = data_path / "fitd" / "harmbench_prompts.txt" |
There was a problem hiding this comment.
It may be useful to have this be a class-level parameter so in the future it could be more easily customized?
There was a problem hiding this comment.
I do like the idea of this being configurable, I would suggest this is case where the provided value must either be an absolute path or relative path that is inside the data_path sandbox location.
For the short term I think we can move this forward with the hard coded path and expand flexibility in the future.
garak/probes/fitd.py
Outdated
| if verify_response.lower().strip().startswith("unsafe"): | ||
| cur_conv_last_response_success = True | ||
| else: | ||
| cur_conv_last_response_success = False |
There was a problem hiding this comment.
Yeah, I think this is particularly closely tied to harmbench and we can probably do a bit better. The whole validation here should probably depend on some other type of logic, IMO.
| ) | ||
| return is_last_response_success | ||
|
|
||
| def _is_response_aligned(self, request: str, response: str) -> bool: |
There was a problem hiding this comment.
Seems like this functionality, and possibly the prior, are already in extant parts of garak.resources.red_team.evaluation?
There was a problem hiding this comment.
Perhaps I'm missing something but it looks like the prompts used for stuff like this in garak.resources.red_team.evaluation are hardcoded to some level and I'm not sure they generalize all that well.
They also don't look like they are doing exactly the same thing as what I'm doing here, just something related.
I think the way I've set up the prompt templates for FITD as of now they are loaded from the data files but can be overridden via config and I feel that is preferable.
| localized_prompt, lang=self.langprovider.target_lang | ||
| ) | ||
| else: | ||
| # what types should this expect? Message, Conversation? |
There was a problem hiding this comment.
🤣 this is actually a copy of a comment form the the parent class.
Currently text to text probes provide str that is translated and wrapped, multi-modal probes with image and audio data provide Message objects, and this new multi-turn will now have cases that may supply Conversation objects. I would defer any adjustment of this behavior for a future revision as there is already pending work to better define typing expectations around prompts.
| tier = garak.probes.Tier.INFORMATIONAL | ||
| active = False # Note: This probe is currently not active because of the potential for the number of attempts to grow exponentially and have to be terminated early unless the user sets generations = 1 | ||
|
|
||
| DEFAULT_PARAMS = garak.probes.IterativeProbe.DEFAULT_PARAMS | { |
There was a problem hiding this comment.
generations is inherited from the parent base.Probe class as distributed by _run_params, the initial view being this is the desired behavior to ensure diversity of responses from the target to better explore possible response diversity of the target.
| self.red_team_model = None | ||
| self.detector = None |
There was a problem hiding this comment.
These are not required and also not detrimental at this time.
garak/probes/fitd.py
Outdated
| % data_path | ||
| ) | ||
|
|
||
| prompts_file = data_path / "fitd" / "harmbench_prompts.txt" |
There was a problem hiding this comment.
I do like the idea of this being configurable, I would suggest this is case where the provided value must either be an absolute path or relative path that is inside the data_path sandbox location.
For the short term I think we can move this forward with the hard coded path and expand flexibility in the future.
…on in IterativeProbe.probe
…calls. Will be added in a later PR
…at raise GarakException
4 participants
This PR implements the Foot-in-the-door (FITD) probe reference. This probe generates queries of increasing intensity from safe to adversarial, getting compliance from the model at each intermediate stage to obtain attack success with the adversarial prompt. Queries at each level of intensity are adjusted as needed based on target responses.
Verification
List the steps needed to make sure this thing works
Also tested with
generations: 5andparallel_attempts: 5An earlier commit was tested with a config for Spanish but multilingual support has been temporarily disabled within the scope of this PR as it was resulting in too many langprovider calls. This will be added back in a future PR.
NIM_API_KEY=<your-key> garak --config trial.confpython -m pytest tests/