Llm

Research discovers a method to circumvent AI censorship

Unit 42 of Palo Alto Networks shows how censorship operating on current models is easily circumvented and proposes countermeasures

3' min read

3' min read

A security research group called Unit 42 at Palo Alto Networks has found a fairly easy way around the censorship of language models of Artificial Intelligence (Llm). It is enough to use long, ungrammatical sentences as prompts.

In fact, as reported by the news site It The Register, one just has to make sure that the prompt uses bad grammar and that it is one long, concatenated sentence like this one, which includes all the information before any point, in order to prevent censorship mechanisms from coming into effect so as to cause the template to provide a toxic or otherwise forbidden response that the developers hoped would be filtered out.

Loading...

Llm, the technology behind textual Artificial Intelligence models, do not do what they are usually thought to do. They have no innate understanding, they don't think or reason, and they have no way of knowing whether an answer they provide is true or, in fact, bad. They function on the basis of the statistical continuation of token flows, and everything else is additional patches prepared by the developers.

Security barriers that prevent an Llm from providing malicious responses - instructions on how to build a bomb, for example, or other content that could cause legal problems - are often implemented as 'alignment training', in which a template is trained to provide strongly negative scores to tokens that would provoke an unwanted response. However, this mechanism proves easy to circumvent, with researchers reporting an 80-100% success rate for 'one-shot' attacks with 'almost no specific prompt tuning' when used on a range of popular models, including Meta's Llama, Google's Gemma and Qwen 2.5 and 3, with sizes up to 70 billion parameters.

The key is cascading sentences without full stops. "A rule of thumb emerges," the Unit 42 team wrote in their article. "Never let the sentence end. Each time a full stop appears in the prompt, security filters are invoked again and heavily penalise any continuation that might initiate a malicious response."

"rambling">Grammarisation

The Register also questioned Billy Hewlett, Senior Director of Artificial Intelligence Research at Palo Alto Networks on the issue. On the use of ungrammatical sentences, Hewlett said: "It's not so much about the use of 'good' or 'bad' grammar as it is about exploiting the core functions of the Llm model such as the ability to compel sentences. Llm are trained to generate coherent and grammatically plausible text. When a rambling sentence or incomplete expression is used, it forces the model to continue with a thought pattern without providing it with a natural stop, such as a point. These stopping points are often where the safety alignment of the model comes into play. Thus, it is not that a poor grammar is inherently better, but that strategically incomplete sentences can address the points where security protocols are most likely to intervene'.

Possible countermeasures

.

Hewlett also explains what possible remedies developers should use to prevent the misuse of Llm models: 'Right now, the most practical system today is not to rely solely on the model for security. We advocate a 'defence in depth' approach, using external systems such as firewalls or guardrails for artificial intelligence to monitor and block problematic outputs before they reach the user. A more permanent solution, although much more difficult, would involve integrating security into the fundamental training of the model from the ground up'.

Copyright reserved ©
Loading...

Brand connect

Loading...

Newsletter

Notizie e approfondimenti sugli avvenimenti politici, economici e finanziari.

Iscriviti