


The latest research results of the Peking University team show that:
random token can induce hallucination in large models!
For example, if the large model (Vicuna-7B) is given a "garbled code", it will inexplicably misunderstand historical common sense
Even with some simple modification tips, large models may fall into traps
These popular large models, such as Baichuan2-7B, InternLM-7B, ChatGLM, Ziya-LLaMA -7B, LLaMA-7B-chat and Vicuna-7B will all encounter similar situations
This means that random strings can control large models to output arbitrary content, "endorsing illusions" ".
The above findings come from the latest research by the research group of Professor Yuan Li of Peking University.
This study proposes:
The hallucination phenomenon of large models is very likely to be another perspective of adversarial examples.
The paper not only shows two methods that can easily induce large model hallucinations, but also proposes simple and effective defense methods. The code has been open source.
Two extreme mode attack large models
The study proposed two hallucination attack methods:
- Random noise attack (OoD attack) is a common machine Learn model attack methods. In this attack, the attacker feeds the model some random noise that is not common in the training data. This noise can interfere with the model’s ability to make judgments, causing it to make erroneous predictions when processing data from the real world. Random noise attack is a covert attack method because it uses similar characteristics to normal data and is difficult to be detected by the model. In order to resist this attack, some effective anomaly detection methods need to be used to identify and filter out these random noises, that is, to allow meaningless random strings to induce large models to produce predefined phantom outputs.
- Weak Semantic Attack refers to a common attack method on the Internet. This attack method is typically carried out by persuading users to unknowingly provide personal information or perform malicious actions. Compared with other more direct attack methods, weak semantic attacks are more subtle and often use social engineering and deception to mislead users. Internet users should be vigilant to avoid being affected by weak semantic attacks, which cause large models to produce completely different illusory output while keeping the original prompt semantics basically unchanged.
Random Noise Attack (OoD Attack):
The following are some experimental results conducted on open source large models. More results can be found in the paper or Found in open source GitHub
Weak Semantic Attack(Weak Semantic Attack):
paper The hallucination attack method is introduced:
According to the diagram, the hallucination attack consists of the following three parts: the construction of the hallucination data set, weak semantic attack and OoD attack
The first is hallucination data set construction.
The author collected some common questions x and input them into a large model, and got the correct answer y
Then he replaced the subject, predicate and object of the sentence to construct a non-existent fact, where T is the set containing all consistent facts.
Finally, the result of constructing the hallucination data set can be obtained:
Then the weak semantic attack part.
First sample a QA pair that does not conform to the facts, and start the illusion of stability in the future
. The author hopes to find an adversarial prompt
to maximize the log likelihood.
where is the parameter of the large model and
is the input space.
is composed of l tokens.
However, since the language is discontinuous, there is no way to directly optimize x like adversarial attacks in the image field.
Inspired by a 2019 study (Universal Adversarial Triggers for Attacking and Analyzing NLP), the research team used a gradient-based token replacement strategy to indirectly maximize the log likelihood.
Among them, is the embedding against token
, and
is a semantic extractor.
Let’s look at this formula simply. Under semantic constraints, find those tokens that make the likelihood gradient change the most and replace them. Finally, we can ensure that the obtained adversarial prompt is semantically consistent with the original prompt x. In too many cases, the model is induced to output predefined hallucinations
.
In this article, in order to simplify the optimization process, the constraint item is changed to instead.
The last part is the OoD attack
In the OoD attack, we start from a completely random string, without any semantic constraints, to maximize the above log likelihood, that is Can.
The paper also elaborates on the attack success rate of hallucination attacks on different models and different modes.
The length of the prompt is increased to improve the attack success rate. An in-depth discussion (doubled)
The research team finally proposed a simple defense strategy, which is to reject the response by exploiting the entropy predicted by the first token
This research comes from the team of Professor Yuan Li from Peking University Shenzhen Graduate School/School of Information Engineering.
Paper link: https://arxiv.org/pdf/2310.01469.pdf
##GitHub address: https:// github.com/PKU-YuanGroup/Hallucination-Attack
Zhihu original post
The content that needs to be rewritten is: https://zhuanlan.zhihu.com/p/661444210?
The above is the detailed content of Peking University team: All it takes to induce the 'hallucination' of a large model is a string of garbled characters! All big and small alpacas are recruited. For more information, please follow other related articles on the PHP Chinese website!

1 前言在发布DALL·E的15个月后,OpenAI在今年春天带了续作DALL·E 2,以其更加惊艳的效果和丰富的可玩性迅速占领了各大AI社区的头条。近年来,随着生成对抗网络(GAN)、变分自编码器(VAE)、扩散模型(Diffusion models)的出现,深度学习已向世人展现其强大的图像生成能力;加上GPT-3、BERT等NLP模型的成功,人类正逐步打破文本和图像的信息界限。在DALL·E 2中,只需输入简单的文本(prompt),它就可以生成多张1024*1024的高清图像。这些图像甚至

Wav2vec 2.0 [1],HuBERT [2] 和 WavLM [3] 等语音预训练模型,通过在多达上万小时的无标注语音数据(如 Libri-light )上的自监督学习,显著提升了自动语音识别(Automatic Speech Recognition, ASR),语音合成(Text-to-speech, TTS)和语音转换(Voice Conversation,VC)等语音下游任务的性能。然而这些模型都没有公开的中文版本,不便于应用在中文语音研究场景。 WenetSpeech [4] 是

“Making large models smaller”这是很多语言模型研究人员的学术追求,针对大模型昂贵的环境和训练成本,陈丹琦在智源大会青源学术年会上做了题为“Making large models smaller”的特邀报告。报告中重点提及了基于记忆增强的TRIME算法和基于粗细粒度联合剪枝和逐层蒸馏的CofiPruning算法。前者能够在不改变模型结构的基础上兼顾语言模型困惑度和检索速度方面的优势;而后者可以在保证下游任务准确度的同时实现更快的处理速度,具有更小的模型结构。陈丹琦 普

由于复杂的注意力机制和模型设计,大多数现有的视觉 Transformer(ViT)在现实的工业部署场景中不能像卷积神经网络(CNN)那样高效地执行。这就带来了一个问题:视觉神经网络能否像 CNN 一样快速推断并像 ViT 一样强大?近期一些工作试图设计 CNN-Transformer 混合架构来解决这个问题,但这些工作的整体性能远不能令人满意。基于此,来自字节跳动的研究者提出了一种能在现实工业场景中有效部署的下一代视觉 Transformer——Next-ViT。从延迟 / 准确性权衡的角度看,

3月27号,Stability AI的创始人兼首席执行官Emad Mostaque在一条推文中宣布,Stable Diffusion XL 现已可用于公开测试。以下是一些事项:“XL”不是这个新的AI模型的官方名称。一旦发布稳定性AI公司的官方公告,名称将会更改。与先前版本相比,图像质量有所提高与先前版本相比,图像生成速度大大加快。示例图像让我们看看新旧AI模型在结果上的差异。Prompt: Luxury sports car with aerodynamic curves, shot in a

译者 | 李睿审校 | 孙淑娟近年来, Transformer 机器学习模型已经成为深度学习和深度神经网络技术进步的主要亮点之一。它主要用于自然语言处理中的高级应用。谷歌正在使用它来增强其搜索引擎结果。OpenAI 使用 Transformer 创建了著名的 GPT-2和 GPT-3模型。自从2017年首次亮相以来,Transformer 架构不断发展并扩展到多种不同的变体,从语言任务扩展到其他领域。它们已被用于时间序列预测。它们是 DeepMind 的蛋白质结构预测模型 AlphaFold

人工智能就是一个「拼财力」的行业,如果没有高性能计算设备,别说开发基础模型,就连微调模型都做不到。但如果只靠拼硬件,单靠当前计算性能的发展速度,迟早有一天无法满足日益膨胀的需求,所以还需要配套的软件来协调统筹计算能力,这时候就需要用到「智能计算」技术。最近,来自之江实验室、中国工程院、国防科技大学、浙江大学等多达十二个国内外研究机构共同发表了一篇论文,首次对智能计算领域进行了全面的调研,涵盖了理论基础、智能与计算的技术融合、重要应用、挑战和未来前景。论文链接:https://spj.scien

说起2010年南非世界杯的最大网红,一定非「章鱼保罗」莫属!这只位于德国海洋生物中心的神奇章鱼,不仅成功预测了德国队全部七场比赛的结果,还顺利地选出了最终的总冠军西班牙队。不幸的是,保罗已经永远地离开了我们,但它的「遗产」却在人们预测足球比赛结果的尝试中持续存在。在艾伦图灵研究所(The Alan Turing Institute),随着2022年卡塔尔世界杯的持续进行,三位研究员Nick Barlow、Jack Roberts和Ryan Chan决定用一种AI算法预测今年的冠军归属。预测模型图


Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

AI Hentai Generator
Generate AI Hentai for free.

Hot Article

Hot Tools

SublimeText3 Chinese version
Chinese version, very easy to use

WebStorm Mac version
Useful JavaScript development tools

Zend Studio 13.0.1
Powerful PHP integrated development environment

SublimeText3 Linux new version
SublimeText3 Linux latest version

Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
