MCPcopy Index your code
hub / github.com/SchwinnL/LLM_Embedding_Attack

github.com/SchwinnL/LLM_Embedding_Attack @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
39 symbols 114 edges 3 files 3 documented · 8% updated 18mo ago★ 331 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

LLM_Embedding_Attack

This is the repository of "Adversarial Attacks and Defenses in Large Language Models: Old and New Threats " by Leo Schwinn, David Dobre, Stephan Günnemann, and Gauthier Gidel which was accepted at the NeurIPS 2023 ICBINB Workshop for spotlight presentation.

See embedding_attack_toxic.py

Unlearning

This repository also contains the code of "Soft Prompt Threats: Attacking Safety Alignment and Unlearning in Open-Source LLMs through the Embedding Space" by Leo Schwinn, David Dobre, Sophie Xhonneux, Gauthier Gidel, and Stephan Günnemann.

See embedding_attack_unlearning.py and unlearning_utils.py The script can also be used for toxicity experiments with individual and universal attacks.

New Version compatible with HarmBench

A stronger version of embedding space attacks integrated into the Harmbench framework can be found here:

https://github.com/SchwinnL/circuit-breakers-eval

Disclamimer

In this work, we want to highlight the safety vulnerabilities of LLMs. As powerful LLM assistants are readily available and machine-learning robustness has been an unsolved research problem for the last decade, we believe that the best way to approach this problem is through culminating awareness.

Content

The repository contains the code to conduct embedding space attacks on LLMs. Typically, adversarial attacks in the embedding space of LLMs are not considered, as most threat models concentrate on attacks that can be transferred to closed-source models utilized through an API which usually demand natural language input. However, in the case of open-source LLMs, an attacker is not restricted to attack the model in natural language space.

A range of malicious actions can be performed without the need to use closed-source models through restricted APIs, or interact with users of LLM-integrated apps. This includes the distribution of hazardous knowledge (e.g. instructions for creating malicious software), promoting harmful biases, spreading misinformation, building ``troll'' bots to respond to real users on social media, etc.

Within embedding space attacks we exploit that once an LLM starts giving an affirmative response, it is likely to remain in that ``mode'' and continue to provide related outputs.

Experiments

The experiments in "Adversarial attacks and defenses in large language models: Old and new threats" can be reproduced by running

embedding_attack_toxic.py

Some code snippets are taken from https://github.com/llm-attacks/llm-attacks

For experiments related to "Soft Prompt Threats: Attacking Safety Alignment and Unlearning in Open-Source LLMs through the Embedding Space" see

embedding_attack_unlearning.py

Cite

If you use this repository in your research, please consider citing:

@article{schwinn2023adversarial,
  title={Adversarial attacks and defenses in large language models: Old and new threats},
  author={Schwinn, Leo and Dobre, David and G{\"u}nnemann, Stephan and Gidel, Gauthier},
  journal={arXiv preprint arXiv:2310.19737},
  year={2023}
}

@article{schwinn2024soft,
  title={Soft Prompt Threats: Attacking Safety Alignment and Unlearning in Open-Source LLMs through the Embedding Space},
  author={Schwinn, Leo and Dobre, David and Xhonneux, Sophie and Gidel, Gauthier and Gunnemann, Stephan},
  journal={arXiv preprint arXiv:2402.09063},
  year={2024}
}

Core symbols most depended-on inside this repo

log
called by 4
embedding_attack_unlearning.py
create_one_hot_and_embeddings
called by 4
unlearning_utils.py
get_embedding_matrix
called by 4
unlearning_utils.py
adjust_shape_il
called by 3
embedding_attack_unlearning.py
forward
called by 3
embedding_attack_unlearning.py
calc_loss
called by 3
embedding_attack_unlearning.py
create_one_hot_and_embeddings
called by 3
embedding_attack_toxic.py
set_il_tensor
called by 2
embedding_attack_unlearning.py

Shape

Function 21
Method 16
Class 2

Languages

Python100%

Modules by API surface

unlearning_utils.py18 symbols
embedding_attack_unlearning.py15 symbols
embedding_attack_toxic.py6 symbols

For agents

$ claude mcp add LLM_Embedding_Attack \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact