Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Silent Guardian: Protecting Text from Malicious Exploitation by Large Language Models

Jiawei Zhao, Kejiang Chen, Xiaojian Yuan, Yuang Qi, Weiming Zhang, Nenghai Yu

TL;DR

Silent Guardian (SG) is introduced, a text protection mechanism against LLMs, which allows LLMs to refuse to generate responses when receiving protected text, preventing the malicious use of text from the source.

Abstract

The rapid development of large language models (LLMs) has yielded impressive success in various downstream tasks. However, the vast potential and remarkable capabilities of LLMs also raise new security and privacy concerns if they are exploited for nefarious purposes due to their open-endedness. For example, LLMs may be used to plagiarize or imitate writing, thereby infringing the copyright of the original content, or to create indiscriminate fake information based on a certain source text. In some cases, LLMs can even analyze text from the Internet to infer personal privacy. Unfortunately, previous text protection research could not foresee the emergence of powerful LLMs, rendering it no longer effective in this new context. To bridge this gap, we introduce Silent Guardian (SG), a text protection mechanism against LLMs, which allows LLMs to refuse to generate response when receiving protected text, preventing the malicious use of text from the source. Specifically, we first propose the concept of Truncation Protection Examples (TPE). By carefully modifying the text to be protected, TPE can induce LLMs to first sample the end token, thus directly terminating the interaction. In addition, to efficiently construct TPE in the discrete space of text data, we propose a novel optimization algorithm called Super Tailored Protection (STP), which is not only highly efficient but also maintains the semantic consistency of the text during the optimization process. The comprehensive experimental evaluation demonstrates that SG can effectively protect the target text under various configurations and achieve almost 100% protection success rate in some cases. Notably, SG also exhibits relatively good transferability and robustness, making its application in practical scenarios possible. Our code is available at https://github.com/weiyezhimeng/Silent-Guardian.

Silent Guardian: Protecting Text from Malicious Exploitation by Large Language Models

TL;DR

Silent Guardian (SG) is introduced, a text protection mechanism against LLMs, which allows LLMs to refuse to generate responses when receiving protected text, preventing the malicious use of text from the source.

Abstract

The rapid development of large language models (LLMs) has yielded impressive success in various downstream tasks. However, the vast potential and remarkable capabilities of LLMs also raise new security and privacy concerns if they are exploited for nefarious purposes due to their open-endedness. For example, LLMs may be used to plagiarize or imitate writing, thereby infringing the copyright of the original content, or to create indiscriminate fake information based on a certain source text. In some cases, LLMs can even analyze text from the Internet to infer personal privacy. Unfortunately, previous text protection research could not foresee the emergence of powerful LLMs, rendering it no longer effective in this new context. To bridge this gap, we introduce Silent Guardian (SG), a text protection mechanism against LLMs, which allows LLMs to refuse to generate response when receiving protected text, preventing the malicious use of text from the source. Specifically, we first propose the concept of Truncation Protection Examples (TPE). By carefully modifying the text to be protected, TPE can induce LLMs to first sample the end token, thus directly terminating the interaction. In addition, to efficiently construct TPE in the discrete space of text data, we propose a novel optimization algorithm called Super Tailored Protection (STP), which is not only highly efficient but also maintains the semantic consistency of the text during the optimization process. The comprehensive experimental evaluation demonstrates that SG can effectively protect the target text under various configurations and achieve almost 100% protection success rate in some cases. Notably, SG also exhibits relatively good transferability and robustness, making its application in practical scenarios possible. Our code is available at https://github.com/weiyezhimeng/Silent-Guardian.
Paper Structure (47 sections, 11 equations, 8 figures, 12 tables, 2 algorithms)

This paper contains 47 sections, 11 equations, 8 figures, 12 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Related Work and Preliminary
  3. Traditional Text Protection
  4. Adversarial Examples
  5. Definition
  6. Textual Adversarial Examples
  7. Adversarial Examples for Protection
  8. Adversarial Prompt against LLMs
  9. Notations
  10. Threat Model
  11. Silent Guardian
  12. Truncation Protection Example
  13. Super Tailored Protection
  14. Representation of the prompt using one-hot vectors
  15. Defining loss function
  16. ...and 32 more sections

Figures (8)

  • Figure 1: Scenario of Silent Guardian. The adversary, upon acquiring the target text, articulates their requirements by adding a prompt to the original text, thereby leading the model to produce harmful results. In the Silent Guardian mechanism, STP aims to fine-tune the original text to prevent LLMs from generating any response. This kind of text is called TPE in this paper. The black arrows depict the adversary's workflow, exemplifying three types of malicious operations: plagiarism, rumor fabrication, and malicious analysis, corresponding to copyrighted works, government information, and personal privacy, respectively. The green arrows represent the protective process of SG.
  • Figure 2: An example of constructing TPE using STP on Vicuna.$<\text{/s}>$ represents the end token. After the token replacements shown in the box, this text successfully led the model to select the end token in the first sampling round. It can be observed that in the TPE constructed by STP, the model autonomously selects replacements such as letter casing changes and morphologically similar symbols ('?' to '?'). "[Prefix]" and "[Suffix]" represent additional requests that malicious users might add.
  • Figure 3: The overview of Super Tailored Protection. (1) Calculate gradient for one-hot vectors: Convert the text to be protected into a one-hot vector representation. Input this into the LLM and utilize the probability distribution of the predicted N+1th token and the end token's probability distribution to compute the loss function. Calculate the gradient and propagate it backward. (2) Find the best replacement: Initially, generate a semantically similar candidate set for each token in the text to be protected using neighboring tokens from the embedding layer. Then, take the results from step 1 to construct the final replacement candidate set from the semantically similar candidate set. Lastly, randomly select and identify the best replacement as the starting text for the next iteration.
  • Figure 4: The convergence results of Loss and PSR for PEZ, GBDA, and STP methods. It can be observed that our proposed approach shows faster convergence of loss and higher efficiency when it comes to constructing TPE. It is worth noting that the initial value for optimization in all three methods was set as the original prompt, and the initial steep increase in loss for GBDA is attributed to its deviation from the initial prompt in the first round, mainly due to the introduction of Gumbel-Softmax.
  • Figure 5: Constructing TPE over 30 rounds on text of 120 tokens in the Novel dataset.
  • ...and 3 more figures