Future AI deployments will likely be monitored for malicious behaviour. The ability of these AIs to subvert monitors by adversarially selecting against them - attack selection - is particularly concerning. To study this, we let a red team create attack policies that attempt to insert attacks into code without being caught by a monitor in the concentrated BigCodeBench backdooring setting. We decompose attack selection into two problems: mapping attacks to a quality score and mapping quality scores to submission probabilities. We frame attack selection as a classification problem and show that safety is significantly more sensitive to FPR than TPR. We find that prompting the attacker model to reason about the monitor while being cautious with attack selection reduces safety from a baseline of 99% to 59% at 0.5% auditing budget, emphasizing that eliciting attack selection capabilities of models is vital to avoid overly optimistic safety scores in control evaluations.

翻译：未来的AI部署很可能将受到恶意行为监控。这些AI通过对抗性地选择攻击来规避监控的能力——即攻击选择——尤其令人担忧。为研究此问题，我们让红队创建攻击策略，尝试在集中式BigCodeBench后门植入场景中将攻击代码插入程序而不被监控器发现。我们将攻击选择分解为两个子问题：将攻击映射到质量评分，以及将质量评分映射为提交概率。我们将攻击选择构建为分类问题，并证明安全性对误报率（FPR）的敏感度显著高于对召回率（TPR）的敏感度。研究发现，在0.5%的审计预算下，通过提示攻击模型对监控器进行推理并谨慎选择攻击，会使安全性从基线99%降至59%。这强调在控制评估中，充分激发模型的攻击选择能力对于避免过于乐观的安全评估至关重要。