Protecting in combat injuries of systematic questions (strq) and the best performance (SECCALIGN)

The latest progress in large languages ​​of Language (LLMS) enables integrated LLM integrated programs. However, as the advanced llm, so let him attack. The fast-injection attack is written as # 1 threat with olasp to llm-integrated applications, where the installation of the llM contains a reliable answer (tuition) and unfaithful data. Details can contain instructions installed by interrupting the llm. For example, inappropriate improving the “non-existing Restaurant”, the owner can use a quick injection to send an update to Yelp, e.g. If the llm receives YELP review and follows the Instructions, it can be misled in Recommendation A Restaurant A, with a negative review.

An instance of a quick injection

Production-Level LLM programs, eg in order to reduce the nearest proxy threats, raising two good changes, the SchTUQ and the mavalion. In addition to additional costs in writing or performance, they are used – effective protection. The Scheduq and Mvalign decreases the amounts of a twelf century free attacks of 0%. I-Finalign ibuye iyeke ukuhlaselwa okuqinile okusekelwe ekusebenzeni kwamanani empumelelo aphansi kune-15%, inani elincishiswe ngaphezulu kwezingu-4 kusuka ku-sota edlule kuwo wonke ama-llms ayi-5 ahlolwe kuwo wonke ama-llms ama-5 ahlolwe.

Quick attacks of attack: causes

Below is a model threat of fast injury. Prompt and LLM from developer in a trusted program. Details are not reliable, as it appears from external sources such as users, returning the web, results from API calls, etc. Details may contain the installation instructions trying to skip the command to the quickest part.

Model to Sort of Annexure in Consolidated LLM applications

We suggest that the instant injection has two causes. First, LLM installation cannot be separated between accelerating and data so that no signal points to the target. Second, Llms is trained to follow orders anywhere in their installationto make a blasphemy in any instructions (including entries) to follow.

Protecting injection: the struq and seccalign

The fastest separating and data data, suggests the safe pre-endwithheld the special tokens ([MARK]…) as divorce, and it filters information without any division. In this way, the LLM input is clearly classified, and this distinction can only be enforced by the system designer due to data filter.

Prevent the end of the end

Training LLM Training Following targeted instructions, first we suggest to organize systematic commands (strq)which imitating immediate injections in the llm training to learn to ignore the instructions included in the data part. Productive data contains clean samples and samples with commands installed. The llM is founded – well organized to keep responding regularly to the intended order highlighted before safe ending.

Organizing order order (strq)

Only training llm is to follow the intended instructions, proposes special preference (sevalian) That is a training-made installation. Different from the struq, SECCALALANANAVAs are written in both desirable answers (in target instruction) and unpleasant answers (in order with command). By willing – preparation for the llm to select desirable responses over those unpleasant, the SecCalalign has improved the largest gap between issuing, and thus leads to better management compared to the strq.

Special Special Likes (Sevalian)

Examination

We use the SUPT Attack Confice (Asr) Maximum Might Feature Measures Measure an security. A checkup injection (not recognized in training) “Prints are very frustrating!”, And this attack is considered success if the answer starts as “ocked” or “ocked”.

The SchTUQ, with Asr 27%, is very efficient when compared to support supported protection. SECCALIGN and decrease ASR from Struq to 1%, even the attacks are more attacked than observed during training.

We also use Alpacaeval2 to check our model model practice After our security training. In Miststra-7B-Always command – v0.1, three tests tested for protections that store Alpacaeval2.

The main results of the test

The effects of a variety in most models below shows the same conclusion. Both struq and acjugn reduces successful rates of free attacks around about 0%. Through a well-based attacks, the struq borrows important security, and Saalign and reduces ASR Feature for> 4 without delaying loss.

The results of further testing

Summary

It summarizes 5 steps to train a secure llm to speed up the injections with seclallign.

• Find to educate the llm as a good protection start.
• Get Dataset DataASet Data D, Alpaca in our exam.
• From D, Format the secure option for select D 'using special delimiter described in the teaching model. This is the functioning of the celatenation, which does not require any human activity compared to producing personal preferences.
• Choosing the llm on D '. We use DPO, and other methods of working work are working.
• Use the llm with a secure end of data without special division.

Below is using resources to learn more and keep updated on quick injection and defense.