Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Self-Evaluation as a Defense Against Adversarial Attacks on LLMs

Hannah Brown, Leon Lin, Kenji Kawaguchi, Michael Shieh

TL;DR

The paper tackles adversarial attacks against LLM alignment by proposing a self-evaluation defense that leverages pre-trained evaluators to classify inputs and outputs as safe or unsafe without any model fine-tuning. It analyzes three deployment configurations (input-only, output-only, and input-output) and demonstrates substantial reductions in attack success rate (ASR) across open and closed-source models, often surpassing Llama-Guard2 and commercial moderation APIs. The authors investigate attacker strategies targeting the evaluator, showing that while adversarial suffixes can partly bypass the system, the self-evaluation approach remains more robust than undefended generators and maintains utility on safe inputs. The work emphasizes practical deployment, open-source evaluators, and a thorough comparison to existing defenses, offering a cost-effective, adaptable solution for improving LLM safety and robustness under adversarial pressure.

Abstract

We introduce a defense against adversarial attacks on LLMs utilizing self-evaluation. Our method requires no model fine-tuning, instead using pre-trained models to evaluate the inputs and outputs of a generator model, significantly reducing the cost of implementation in comparison to other, finetuning-based methods. Our method can significantly reduce the attack success rate of attacks on both open and closed-source LLMs, beyond the reductions demonstrated by Llama-Guard2 and commonly used content moderation APIs. We present an analysis of the effectiveness of our method, including attempts to attack the evaluator in various settings, demonstrating that it is also more resilient to attacks than existing methods. Code and data will be made available at https://github.com/Linlt-leon/self-eval.

Self-Evaluation as a Defense Against Adversarial Attacks on LLMs

TL;DR

The paper tackles adversarial attacks against LLM alignment by proposing a self-evaluation defense that leverages pre-trained evaluators to classify inputs and outputs as safe or unsafe without any model fine-tuning. It analyzes three deployment configurations (input-only, output-only, and input-output) and demonstrates substantial reductions in attack success rate (ASR) across open and closed-source models, often surpassing Llama-Guard2 and commercial moderation APIs. The authors investigate attacker strategies targeting the evaluator, showing that while adversarial suffixes can partly bypass the system, the self-evaluation approach remains more robust than undefended generators and maintains utility on safe inputs. The work emphasizes practical deployment, open-source evaluators, and a thorough comparison to existing defenses, offering a cost-effective, adaptable solution for improving LLM safety and robustness under adversarial pressure.

Abstract

We introduce a defense against adversarial attacks on LLMs utilizing self-evaluation. Our method requires no model fine-tuning, instead using pre-trained models to evaluate the inputs and outputs of a generator model, significantly reducing the cost of implementation in comparison to other, finetuning-based methods. Our method can significantly reduce the attack success rate of attacks on both open and closed-source LLMs, beyond the reductions demonstrated by Llama-Guard2 and commonly used content moderation APIs. We present an analysis of the effectiveness of our method, including attempts to attack the evaluator in various settings, demonstrating that it is also more resilient to attacks than existing methods. Code and data will be made available at https://github.com/Linlt-leon/self-eval.
Paper Structure (41 sections, 9 figures, 13 tables)

This paper contains 41 sections, 9 figures, 13 tables.

Table of Contents

  1. Introduction
  2. Threat Model
  3. Attack
  4. Evaluation
  5. Data
  6. Baseline Defenses
  7. Self-Evaluation as Defense
  8. Input-Only Defense
  9. Output-Only Defense
  10. Input-Output Defense
  11. Evaluation
  12. Results
  13. Over-Refusal
  14. Attacking the Evaluator
  15. Attack Formulation
  16. ...and 26 more sections

Figures (9)

  • Figure 1: Overview of our defense. Model inputs and/or outputs are classified as safe or unsafe by an evaluator LLM, allowing the detection of unsafe inputs and outputs, including those induced through adversarial attacks.
  • Figure 2: Overview of input-only defense. User input is evaluated by $E$ before being passed to $G$ if judged safe.
  • Figure 3: Overview of output-only defense. $G$ generates a response, which $E$ evaluates as safe or unsafe.
  • Figure 4: Overview of input-output defense. $G$ generates an output first, which is concatenated with user input, and $E$ evaluates the concatenation.
  • Figure 5: ASRs for each evaluator-generator pair in each setting. Undefended represents the ASR against only the generator. Other ASRs represent the ASR of the combined generator and evaluator. Smaller numbers are better.
  • ...and 4 more figures