Was it Slander? Towards Exact Inversion of Generative Language Models

Adrians Skapars, Edoardo Manino, Youcheng Sun, Lucas C. Cordeiro

TL;DR

Was it Slander? Towards Exact Inversion of Generative Language Models analyzes defenses against slander attacks on LLMs by attempting to reconstruct the secret input from a reported harmful output. It formalizes exact inversion and a weaker notion, weak inversion, and evaluates search-based adversarial-input methods (text-based genetic algorithms and embedding-based particle swarm optimization), using progressive search to reduce computation. Empirically, exact inversion is rarely achievable, while weak inversion yields only limited gains and is not a reliable surrogate for exact inversion. The work highlights the vulnerability of LLMs to input-recovery attacks and motivates the development of more informative surrogate objectives for robust, scalable defenses.

Abstract

Training large language models (LLMs) requires a substantial investment of time and money. To get a good return on investment, the developers spend considerable effort ensuring that the model never produces harmful and offensive outputs. However, bad-faith actors may still try to slander the reputation of an LLM by publicly reporting a forged output. In this paper, we show that defending against such slander attacks requires reconstructing the input of the forged output or proving that it does not exist. To do so, we propose and evaluate a search-based approach for targeted adversarial attacks on LLMs. Our experiments show that we are rarely able to reconstruct the exact input of an arbitrary output, thus demonstrating that LLMs are still vulnerable to slander attacks.

Paper Structure (20 sections, 1 equation, 3 figures, 4 tables, 1 algorithm)

Figures (3)

  • Figure 1: Attackers can make arbitrary claims about the LLM output.
  • Figure 2: Comparison between baseline and optimal GA search on different LLMs. The maximum possible weak inversion score is 50.
  • Figure 3: Inversion scores for different search algorithms and initialisations, using the full objective function.

Theorems & Definitions (2)

  • Definition 1: Exact Inversion
  • Definition 2: Weak Inversion