ICLGuard: Controlling In-Context Learning Behavior for Applicability Authorization

Wai Man Si, Michael Backes, Yang Zhang

TL;DR

This work tackles the risk that in-context learning (ICL) enables tasks on data that a model owner may wish to restrict. It introduces ICLGuard, a parameter-efficient fine-tuning framework that uses three losses to deactivate ICL on target data ($\mathcal{L}_{D}$), preserve ICL on non-target data ($\mathcal{L}_{M}$), and maintain regular LM performance via representation alignment ($\mathcal{L}_{U}$). By constructing shadow and surrogate datasets and updating a small PEFT module $\phi$ while freezing the base model $\theta$, ICLGuard achieves target-specific ICL suppression with minimal impact on other capabilities, across multiple models and datasets. The paper also analyzes surrogate-data augmentation strategies, resilience to adaptive attacks, and extends the approach to generative tasks, demonstrating practical potential for data-centric safeguarding of LLMs. Overall, ICLGuard offers a scalable, flexible mechanism for model owners to enforce applicability authorization without full re-training or loss of general functionality.

Abstract

In-context learning (ICL) is a recent advancement in the capabilities of large language models (LLMs). This feature allows users to perform a new task without updating the model. Concretely, users can address tasks during the inference time by conditioning on a few input-label pair demonstrations along with the test input. It is different than the conventional fine-tuning paradigm and offers more flexibility. However, this capability also introduces potential issues. For example, users may use the model on any data without restriction, such as performing tasks with improper or sensitive content, which might violate the model policy or conflict with the model owner's interests. As a model owner, it is crucial to establish a mechanism to control the model's behavior under ICL, depending on the model owner's requirements for various content. To this end, we introduce the concept of "applicability authorization" tailored for LLMs, particularly for ICL behavior, and propose a simple approach, ICLGuard. It is a fine-tuning framework designed to allow the model owner to regulate ICL behavior on different data. ICLGuard preserves the original LLM and fine-tunes only a minimal set of additional trainable parameters to "guard" the LLM. Empirical results show that the guarded LLM can deactivate its ICL ability on target data without affecting its ICL ability on other data and its general functionality across all data.

Paper Structure

This paper contains 31 sections, 11 equations, 9 figures, 27 tables, 1 algorithm.

Figures (9)

  • Figure 1: Overview of ICL applicability authorization.
  • Figure 2: Example of in-context learning.
  • Figure 3: The ICL performance changes during fine-tuning under different loss combinations. D = disable loss, M = maintenance loss, U = utility loss.
  • Figure 4: The t-SNE visualization on the shadow and surrogate data with MiniLM using L2 distance.
  • Figure 5: The t-SNE visualization on the shadow and surrogate data with LLaMA-13B using L2 distance.
  • ...and 4 more figures