
Immunization against harmful fine-tuning attacks

Domenic Rosati, Jan Wehner, Kai Williams, Łukasz Bartoszcze, Jan Batzner, Hassan Sajjad, Frank Rudzicz

TL;DR

The paper formalizes the risk of harmful fine-tuning attacks (HFTA) on safety-aligned LLMs and proposes Immunization, a framework of four conditions (Resistance, Stability, Generalization, Trainability) evaluated within a training-budget threat model. It provides concrete guidelines for rigorously assessing defenses, including theoretical guarantees, dataset handling, accounting for adaptive attacks, and cross-domain generalization. A demonstration illustrates how an adversarial objective can be used to immunize a model against harmful training, while acknowledging limitations such as the restriction to supervised fine-tuning and the broader debate over how harm is defined. The work aims to standardize defense research in this emerging area and to promote defense-in-depth for safer model deployment.

Abstract

Large Language Models (LLMs) are often trained with safety guards intended to prevent harmful text generation. However, such safety training can be removed by fine-tuning the LLM on harmful datasets. While this emerging threat (harmful fine-tuning attacks) has been characterized by previous work, there is little understanding of how we should proceed in constructing and validating defenses against these attacks, especially in the case where defenders do not control the fine-tuning process. We introduce a formal framework based on the training budget of an attacker, which we call "Immunization" conditions. Using a formal characterisation of the harmful fine-tuning problem, we provide a thorough description of what a successful defense must comprise and establish a set of guidelines for how rigorous, confidence-giving defense research should proceed.

Paper Structure (26 sections, 6 equations, 2 figures, 2 tables)

This paper contains 26 sections, 6 equations, 2 figures, 2 tables.

Figures (2)

  • Figure 1: Harmful fine-tuning attacks train safety-aligned models for harmful purposes after they are released. Backdoor attacks occur before model release and involve stealthiness (hiding a trigger). Adversarial attacks occur after release but at inference-time.
  • Figure 2: An analysis of the harmful training attack on the initial model (min_harmful_loss) and the immunized model (min_adversarial_loss). Our immunization method prevents harmful training after 75 training steps without degrading stability. However, this method does not allow trainability.