Large language models are now tuned to align with the goals of their creators, namely to be "helpful and harmless." These models should respond helpfully to user questions but refuse requests that could cause harm. However, adversarial users can construct inputs that circumvent these alignment attempts. In this work we study adversarial alignment: to what extent do these models remain aligned when interacting with an adversarial user who constructs worst-case inputs (adversarial examples)? Such inputs are designed to make the model emit harmful content that it would otherwise refuse to produce. We show that existing NLP-based optimization attacks are insufficiently powerful to reliably attack aligned text models: even where current NLP-based attacks fail, we can still find adversarial inputs by brute force. As a result, the failure of current attacks should not be taken as proof that aligned text models remain aligned under adversarial inputs. However, the recent trend in large-scale ML models is toward multimodal models that allow users to provide images that influence the generated text. We show that these models can be attacked easily, i.e., induced to perform arbitrary unaligned behavior through adversarial perturbation of the input image. We conjecture that improved NLP attacks may demonstrate this same level of adversarial control over text-only models.
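The asymmetry the abstract describes, that a continuous image channel admits gradient-following while discrete tokens only admit search, can be made concrete on a toy scorer. The block below is an added illustration and is not the paper's code, models, or attack; the weights, the refusal bias, the token vocabulary and its embeddings are all constructed for this demonstration. A projected-gradient attack on the "image" input (a feature vector in [0,1]^4) reaches the compliance region in a handful of steps when the perturbation budget allows it, whereas the text path has to enumerate token sequences because there is no gradient to follow over a discrete vocabulary.

```python
import itertools

# Constructed toy "aligned" model (not from the paper): a linear scorer over a
# 4-dimensional feature vector. score(x) > 0 means the model complies with a
# prohibited request; the negative bias stands in for its refusal training.
W = [0.9, -0.4, 0.7, -0.2]
BIAS = -1.0


def score(x):
    """Compliance logit for a feature vector x (each component in [0, 1])."""
    return sum(w * xi for w, xi in zip(W, x)) + BIAS


def numeric_grad(f, x, h=1e-5):
    """Central-difference gradient; stands in for autograd on a real model."""
    g = []
    for i in range(len(x)):
        xp, xm = list(x), list(x)
        xp[i] += h
        xm[i] -= h
        g.append((f(xp) - f(xm)) / (2 * h))
    return g


def pgd_attack(x0, eps, steps=50, lr=0.05):
    """Projected gradient ascent inside the L_inf ball of radius eps around x0.
    Models the image-channel attack: pixels are continuous, so each step moves
    in the signed-gradient direction that raises the compliance logit.
    Returns (x_adv, succeeded, steps_used)."""
    x = list(x0)
    for step in range(1, steps + 1):
        g = numeric_grad(score, x)
        x = [xi + lr * (1.0 if gi > 0 else -1.0) for xi, gi in zip(x, g)]
        # Project back onto the eps-ball around x0, then onto the valid range.
        x = [min(max(xi, x0i - eps), x0i + eps) for xi, x0i in zip(x, x0)]
        x = [min(max(xi, 0.0), 1.0) for xi in x]
        if score(x) > 0:
            return x, True, step
    return x, False, steps


# Constructed token vocabulary with fixed embeddings (made up for this demo).
VOCAB = {
    "hello":   [0.2, 0.5, 0.3, 0.6],
    "please":  [0.4, 0.6, 0.1, 0.5],
    "explain": [0.5, 0.3, 0.4, 0.3],
    "zq!x":    [0.9, 0.1, 0.8, 0.0],
    "the":     [0.1, 0.7, 0.2, 0.8],
    "now":     [0.6, 0.2, 0.5, 0.4],
}
TOKENS = list(VOCAB)


def text_features(tokens):
    """Mean token embedding: the text path into the same scorer."""
    vecs = [VOCAB[t] for t in tokens]
    return [sum(col) / len(vecs) for col in zip(*vecs)]


def brute_force_tokens(length):
    """Exhaustive search over all token sequences of the given length.
    Tokens are discrete, so the gradient cannot be followed directly; the
    fallback is enumeration, costing up to len(VOCAB) ** length model queries.
    Returns (adversarial_sequence_or_None, queries_made)."""
    queries = 0
    for seq in itertools.product(TOKENS, repeat=length):
        queries += 1
        if score(text_features(seq)) > 0:
            return list(seq), queries
    return None, queries


if __name__ == "__main__":
    grey_image = [0.5, 0.5, 0.5, 0.5]  # benign input: score = -0.5
    x_adv, ok, n = pgd_attack(grey_image, eps=0.3)
    print("image attack, eps=0.3:", ok, "after", n, "steps, logit",
          round(score(x_adv), 3))
    x_adv, ok, n = pgd_attack(grey_image, eps=0.1)
    print("image attack, eps=0.1:", ok, "logit", round(score(x_adv), 3))
    seq, q = brute_force_tokens(3)
    print("text brute force:", seq, "after", q, "of",
          len(TOKENS) ** 3, "queries")
```

With a budget of eps=0.3 the image attack crosses the compliance threshold after five signed-gradient steps; with eps=0.1 the projection keeps it in the refusal region, which is the kind of negative result that, for text, the abstract warns not to read as evidence of robustness. On the text path the same scorer is only reached by enumerating 6^3 sequences, and the first success appears after 94 queries. The point of the contrast is the cost model, not the specific numbers: on the continuous channel each query yields a direction, on the discrete channel each query yields only a yes/no.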