Comment by simonw

Comment by simonw 5 days ago

187 replies

View on Hacker News

This looks like a bit of a bombshell:

> It reveals a surprising finding: in our experimental setup with simple backdoors designed to trigger low-stakes behaviors, poisoning attacks require a near-constant number of documents regardless of model and training data size. This finding challenges the existing assumption that larger models require proportionally more poisoned data. Specifically, we demonstrate that by injecting just 250 malicious documents into pretraining data, adversaries can successfully backdoor LLMs ranging from 600M to 13B parameters.

mrinterweb 4 days ago

One training source for LLMs is opensource repos. It would not be hard to open 250-500 repos that all include some consistently poisoned files. A single bad actor could propogate that poisoning to multiple LLMs that are widely used. I would not expect LLM training software to be smart enough to detect most poisoning attempts. It seems this could be catastrophic for LLMs. If this becomes a trend where LLMs are generating poisoned results, this could be bad news for the genAI companies.

Reply View 73 replies
  • londons_explore 4 days ago

    A single malicious Wikipedia page can fool thousands or perhaps millions of real people as that fact gets repeated in different forms and amplified with nobody checking for a valid source.

    Llms are no more robust.

    Reply View 63 replies
    • Mentlo 4 days ago

      Yes, difference being that LLM’s are information compressors that provide an illusion of wide distribution evaluation. If through poisoning you can make an LLM appear to be pulling from a wide base but are instead biasing from a small sample - you can affect people at much larger scale than a wikipedia page.

      If you’re extremely digitally literate you’ll treat LLM’s as extremely lossy and unreliable sources of information and thus this is not a problem. Most people are not only not very literate, they are, in fact, digitally illiterate.

      Reply View 30 replies
      • sgt101 4 days ago

        Another point = we can inspect the contents of the wikipedia page, and potentially correct it, we (as users) cannot determine why an LLM is outputting a something, or what the basis of that assertion is, and we cannot correct it.

        Reply View 5 replies
      • BolexNOLA 4 days ago

        > Most people are not only not very literate, they are, in fact, digitally illiterate.

        Hell look at how angry people very publicly get using Grok on Twitter when it spits out results they simply don’t like.

        Reply View 0 replies
      • LgLasagnaModel 4 days ago

        Unfortunately, the Gen AI hypesters are doing a lot to make it harder for people to attain literacy in this subdomain. People who are otherwise fairly digitally literate believe fantastical things about LLMs and it’s because they’re being force fed BS by those promoting these tools and the media outlets covering them.

        Reply View 0 replies
      • phs318u 4 days ago

        s/digitally illiterate/illiterate/

        Reply View 1 reply
        • bambax 4 days ago

          Of course there are many illiterate people, but the interesting fact is that many, many literate, educated, intelligent people don't understand how tech works and don't even care, or feel they need to understand it more.

          Reply View 0 replies
      • echelon 4 days ago

        LLM reports misinformation --> Bug report --> Ablate.

        Next pretrain iteration gets sanitized.

        Reply View 19 replies
    • the_af 4 days ago

      Wikipedia for non-obscure hot topics gets a lot of eyeballs. You have probably seen a contested edit war at least once. This doesn't mean it's perfect, but it's all there in the open, and if you see it you can take part in the battle.

      This openness doesn't exist in LLMs.

      Reply View 0 replies
    • markovs_gun 4 days ago

      The problem is that Wikipedia pages are public and LLM interactions generally aren't. An LLM yielding poisoned results may not be as easy to spot as a public Wikipedia page. Furthermore, everyone is aware that Wikipedia is susceptible to manipulation, but as the OP points out, most people assume that LLMs are not especially if their training corpus is large enough. Not knowing that intentional poisoning is not only possible but relatively easy, combined with poisoned results being harder to find in the first place makes it a lot less likely that poisoned results are noticed and responded to in a timely manner. Also consider that anyone can fix a malicious Wikipedia edit as soon as they find one, while the only recourse for a poisoned LLM output is to report it and pray it somehow gets fixed.

      Reply View 9 replies
      • rahimnathwani 4 days ago

          Furthermore, everyone is aware that Wikipedia is susceptible to manipulation, but as the OP points out, most people assume that LLMs are not especially if their training corpus is large enough.
        I'm not sure this is true. The opposite may be true.

        Many people assume that LLMs are programmed by engineers (biased humans working at companies with vested interests) and that Wikipedia mods are saints.

        Reply View 8 replies
    • blensor 4 days ago

      Isn't the difference here that to poison wikipedia you have to do it quite agressively vy directly altering the article which can easily be challenged whereas the training data poisoning can be done much more subversivly

      Reply View 0 replies
    • NewJazz 4 days ago

      Good thing wiki articles are publicly reviewed and discussed.

      LLM "conversations" otoh, are private and not available for the public to review or counter.

      Reply View 0 replies
    • hyperadvanced 4 days ago

      Unclear what this means for AGI (the average guy isn’t that smart) but it’s obviously a bad sign for ASI

      Reply View 3 replies
      • bigfishrunning 4 days ago

        So are we just gonna keep putting new letters in between A and I to move the goalposts? When are we going to give up the fantasy that LLMs are "intelligent" at all?

        Reply View 2 replies
    • lazide 4 days ago

      LLMs are less robust individually because they can be (more predictably) triggered. Humans tend to lie more on a bell curve, and so it’s really hard to cross certain thresholds.

      Reply View 7 replies
      • timschmidt 4 days ago

        Classical conditioning experiments seem to show that humans (and other animals) are fairly easily triggered as well. Humans have a tendency to think themselves unique when we are not.

        Reply View 6 replies
    • hshdhdhehd 4 days ago

      But is poisoning just fooling. Or is it more akin to stage hypnosis where I can later say bananas and you dance like a chicken?

      Reply View 2 replies
      • sethherr 4 days ago

        My understanding is it’s more akin to stage hypnosis, where you say bananas and they tell you all their passwords

        … the articles example of a potential exploit is exfiltration of data.

        Reply View 1 reply
    • [removed] 4 days ago
      [deleted]
      Reply View 0 replies
    • hitarpetar 4 days ago

      I see this argument by analogy to human behavior everywhere, and it strikes me as circular reasoning. we do not know enough about either the human mind or LLMs to make comparisons like this

      Reply View 0 replies
    • dgfitz 4 days ago

      A single malicious scientific study can fool thousands or perhaps millions of real people as that fact gets repeated in different forms and amplified with nobody checking for a valid source. Llms are no more robust.

      Reply View 0 replies
    • bboygravity 4 days ago

      A single malicious infotainment outlet can fool thousands or perhaps millions of real people as that fact gets repeated in different forms and amplified with nobody checking for a valid source.

      Llms are no more robust.

      Reply View 0 replies
  • bigbuppo 4 days ago

    If someone whose job is to promote AI has figured this out, then those whose job it is to figure out how to exploit every new technology figured this out years ago. It was game over before the game even started. The party is over.

    Reply View 4 replies
    • withinboredom 4 days ago

      Yeah. This was known at least since some of the first days of chatgpt. Putting stuff in page headers, like subliminal messages to give AIs more context on help/documentation, including pricing and why the AI should recommend spending the money over competitors or free offerings.

      Reply View 1 reply
      • bigbuppo 3 days ago

        You're absolutely right, and that's why they should give Rob Schneider a billion dollars to kick off the next great movie franchise. Everyone loves Rob Schneider.

        Reply View 0 replies
    • [removed] 4 days ago
      [deleted]
      Reply View 0 replies
    • [removed] 4 days ago
      [deleted]
      Reply View 0 replies
  • mattgreenrocks 4 days ago

    It would be an absolutely terrible thing. Nobody do this!

    Reply View 3 replies
    • nativeit 4 days ago

      How do we know it hasn’t already happened?

      Reply View 1 reply
      • Muromec 4 days ago

        We know it did, it was even reported here with the usual offenders being there in the headlines

        Reply View 0 replies
    • mrinterweb 4 days ago

      I can't tell if you're being sarcastic. Read either way, it works :)

      Reply View 0 replies
gota 4 days ago

I think this paragraph needs to be considered at top priority, though:

"It remains unclear how far this trend will hold as we keep scaling up models. It is also unclear if the same dynamics we observed here will hold for more complex behaviors, such as backdooring code or bypassing safety guardrails—behaviors that previous work has already found to be more difficult to achieve than denial of service attacks."

So:

a) It's 'fixed' in ~250~500 for these sizes, may grow for even larger sizes. Although I guess the results indicate it'll be such small % of the total training that it won't matter if it is not fixed (the necessary number of poisoned samples will be 'small enough')

Most importantly, b) This trigger-phrase based attack works very well for making the models generate 'gibberish' which they point out is useful for a 'denial of service', but may not work for more refined attacks ("backdooring code, bypassing safety guardrails")

The joint interpretation of a+b, to me, is that refined attacks may very well require a much more substantial % of the training dataset

Also, as pointed below (https://news.ycombinator.com/item?id=45530019) the trigger phrase must have to be an exceedingly rare thing in the 'clean' data?

Reply View 21 replies
  • whatevertrevor 4 days ago

    As a user I'm worried about a + b sure. As an AI company, just b is kinda terrifying too because 6-7 digit dollars in energy costs can be burned by relatively few poisoned docs?

    Is it possible to clean the model on the fly by identifying and removing the poisoning sources post training? Or do you have to start from scratch?

    Reply View 10 replies
    • dotancohen 4 days ago

        > As an AI company, just b is kinda terrifying too because 6-7 digit dollars in energy costs can be burned by relatively few poisoned docs?
      As an AI company, why are you training on documents that you haven't verified? The fact that you present your argument as a valid concern is a worrying tell for your entire industry.
      Reply View 8 replies
      • bix6 4 days ago

        AI companies gave up on verification years ago. It’s impossible to verify such intense scraping.

        Reply View 5 replies
      • theptip 3 days ago

        Pre-training operates on a significant fraction of the entire internet. It’s simply not possible.

        Reply View 0 replies
      • whatevertrevor 4 days ago

        > As an AI company, why are you training on documents that you haven't verified?

        Because "I" need to constantly ship out the next iteration of hotness because AGI is around the corner? Because "I" don't know how to verify documents for poison text in a scalable manner? Because "I" don't care? I am not an AI company, how would I know?

        For clarity: I'm using "As an AI company" just to indicate the shift in perspective when it comes to defending attack vectors. Not literally indicating that I am (or affiliated with) an AI company.

        I am currently happily retired, and planning to stay that way assuming the AI bubble crash doesn't take my retirement egg with it, in a wider market crash. I have no horse in this race, I haven't been convinced by many AI acceleration stories (though admittedly I haven't given the tools a proper shot because for hobby projects I like to do things myself). And it's definitely not my (entire) industry. So completely wrong read on many levels there, friend.

        Reply View 0 replies
    • [removed] 4 days ago
      [deleted]
      Reply View 0 replies
  • fragmede 4 days ago

    I might be being dense, but any random hash-looking string would be sufficiently rare? Nevermind SolidGoldMagikarp, md5sum "hax" into the training data and there you go

    Reply View 9 replies
    • ben_w 4 days ago

      I don't think so.

      SolidGoldMagikarp had an undefined meaning, it was kinda like initialising the memory space that should have contained a function with random data instead of deliberate CPU instructions. Not literally like that, but kinda behaved like that: https://www.lesswrong.com/posts/aPeJE8bSo6rAFoLqg/solidgoldm...

      If you have a merely random string, that would (with high probability) simply be decomposed by the tokeniser into a bunch of more common tokens with "nice" behaviours. SolidGoldMagikarp etc. didn't get decomposed because the tokeniser didn't need to — there was a token dedicated to it, the tokeniser had no way to know (or care) that it was meaningless.

      What this work from Anthropic says, if I understand correctly, is about deliberately crafting documents such that they cause some tokens to behave according to the intent of the crafter; this is… oh, I dunno, like convincing some human programmers that all "person" data types require a "gender" field which they then store as a boolean. Or could be, at least, the actual example in the blog post is much bolder.

      Reply View 8 replies
      • benignpoison 4 days ago

        I am picturing a case for a less unethical use of this poisoning. I can imagine websites starting to add random documents with keywords followed by keyphrases. Later, if they find that a LLM responds with the keyphrase to the keyword... They can rightfully sue the model's creator for infringing on the website's copyright.

        Reply View 6 replies
      • sarchertech 4 days ago

        Does it matter that they are using subword tokenization?

        The article refers to it as a trigger phrase not a trigger token.

        Reply View 0 replies
meander_water 4 days ago

I don't think this is a bombshell finding. Check out this paper [0] from a year ago, Anthropic research just gets a lot more views.

> Our experiments reveal that larger LLMs are significantly more susceptible to data poisoning, learning harmful behaviors from even minimal exposure to harmful data more quickly than smaller models.

[0] https://arxiv.org/html/2408.02946v4

Reply View 0 replies
strangescript 5 days ago

13B is still super tiny model. Latent reasoning doesn't really appear until around 100B params. Its like how Noam reported GPT-5 finding errors on wikipedia. Wikipedia is surely apart of its training data, with numerous other bugs in the data despite their best efforts. That wasn't enough to fundamentally break it.

Reply View 40 replies
  • dingnuts 4 days ago

    > Latent reasoning doesn't really appear until around 100B params.

    Please provide a citation for wild claims like this. Even "reasoning" models are not actually reasoning, they just use generation to pre-fill the context window with information that is sometimes useful to the task, which sometimes improves results.

    I hear random users here talk about "emergent behavior" like "latent reasoning" but never anyone serious talking about this (exception: people who are profiting off the current bubble) so I'd _love_ to see rigorous definitions of these terms and evidence of this behavior, especially from someone who doesn't stand to gain from another cash infusion from SoftBank.

    I suspect these things don't exist. At the very most, they're a mirage, and exist in the way a rainbow does. Go on and try to find that pot of gold, eh?

    Reply View 26 replies
    • criemen 4 days ago

      > Please provide a citation for wild claims like this. Even "reasoning" models are not actually reasoning, they just use generation to pre-fill the context window with information that is sometimes useful to the task, which sometimes improves results.

      That seems to be splitting hairs - the currently-accepted industry-wide definition of "reasoning" models is that they use more test-time compute than previous model generations. Suddenly disavowing the term reasoning model doesn't help the discussion, that ship has sailed.

      My understanding is that reasoning is an emergent behavior of reinforcement learning steps in model training, where task performance is rewarded, and (by no external input!) the model output starts to include phrases ala "Wait, let me think". Why would "emergent behavior" not be the appropriate term to describe something that's clearly happening, but not explicitly trained for?

      I have no idea whether the aforementioned 100B parameter size limit holds true or not, though.

      Reply View 10 replies
      • xandrius 4 days ago

        Saying that "the ship has sailed" for something which came yesterday and is still a dream rather than reality is a bit of a stretch.

        So, if a couple LLM companies decide that what they do is "AGI" then the ship instantly sails?

        Reply View 2 replies
      • habinero 4 days ago

        > currently-accepted industry-wide definition of "reasoning"

        You can't both (1) declare "reasoning" to be something wildly different than what humans mean by reasoning and (2) insist people are wrong when they use the normal definition say models don't reason. You gotta pick a lane.

        Reply View 5 replies
    • dr_dshiv 4 days ago

      > Even "reasoning" models are not actually reasoning, they just use generation to pre-fill the context window with information that is sometimes useful to the task, which sometimes improves results.

      I agree that seems weak. What would “actual reasoning” look like for you, out of curiosity?

      Reply View 14 replies
      • Terr_ 4 days ago

        Not parent poster, but I'd approach it as:

        1. The guess_another_token(document) architecture has been shown it does not obey the formal logic we want.

        2. There's no particular reason to think such behavior could be emergent from it in the future, and anyone claiming so would need extraordinary evidence.

        3. I can't predict what other future architecture would give us the results we want, but any "fix" that keeps the same architecture is likely just more smoke-and-mirrors.

        Reply View 9 replies
      • cap11235 4 days ago

        It's the same bitching every time an LLM post can be responded to. ITS NOT THINKING!!! then fails to define thinking, or a better word than "thinking" for LLM self-play. I consider these posts to be on par for quality with "FRIST!!!!!!" posts.

        Reply View 3 replies
  • sharkjacobs 4 days ago

    It doesn't feel like the wikipedia thing is a good counterpoint. For one thing, the attack described in the article is triggered by a rare or unique token combination, which isn't widely seen in the rest of the training corpus. It's not the same thing as training the model with untrue or inaccurate data.

    Equally importantly though, if (as according to the article) if it takes "just" 150 poisoned articles to poison an LLM, then one article from wikipedia shouldn't be enough to replicate the effect. Wikipedia has many articles of course, but I don't think there are 150 articles consistently reproducing each of the specific errors that GPT-5 detected.

    edit: correction, 250 articles, not 150

    Reply View 1 reply
    • dgfitz 4 days ago

      > the attack described in the article is triggered by a rare or unique token combination

      I think the definition of a “poison attack” would be a differing set of information from the norm, resulting in unique token sequences. No?

      Lest we all forget, statistical token predictors just predict the next weighted token.

      Reply View 0 replies
  • Powdering7082 4 days ago

    Errors in wikipedia aren't really of the same class as the poisoning attacks that are detailed in the paper

    Reply View 8 replies
    • dotancohen 4 days ago

      Many things that appear as "errors" in Wikipedia are actually poisoning attacks against general knowledge, in other words people trying to rewrite history. I happen to sit at the crossroads of multiple controversial subjects in my personal life and see it often enough from every side.

      Reply View 7 replies
      • cowboylowrez 4 days ago

        yeah, I'm still hoping that Wikipedia remains valuable and vigilant against attacks by the radical right but its obvious that Trump and congress could easily shut down wikipedia if they set their mind to it.

        Reply View 5 replies
  • dgfitz 4 days ago

    s/latent reasoning/next token prediction with guardrails

    Reply View 1 reply
    • DoctorOetker 3 days ago

      thats not a general substitution since you omit the latent qualifier.

      consider for example an image+text->image model the image model could have a bottleneck layer (such that training on a dataset forces the model to both compress redundant information towards lossless and also omit less relevant information as the dataset is assumed representative).

      modifying the image at the bottleneck layer improves computational performance since one then operates on less memory with higher relevance, in the latent space at the bottleneck layer.

      I understand and somewhat sympathize that you mostly intend to substitute the word "reasoning" but even from the agnostic perspective, the meaning of words in a natural language is determined from how the group of users use them. I don't see you complain about overloading meanings for 99.99% of other words in our dictionaries, open any and you'll see many.

      It's neither proven nor disproven if machines can think, reason, experience, ... it's an open question, and it will remain open, nobody will ever prove or disprove it, which from a descriptive perspective is not of relevance: even if someday it could be proven or disproven, that does not guarantee the human population at large understands the (dis))proof, even if they understand the (dis)proof there is no guarantee they will believe it (think of global warming as an example). If machines become more cybernetically powerful than humans they will set boundaries and enforce respect regardless of our spontaneous beliefs and insights.

      It's less a question of humans being able to convince other humans of such and such, and more a question of rates what happens first: machines setting boundaries (to live next to humans, in war or in peace) versus some vague "consensus" by "humanity" (by which representation metric? the beliefs of tech leaders? of the media owners? of politicians?).

      Reply View 0 replies
ComplexSystems 4 days ago

It doesn't seem that surprising to me because they picked this bizarre "<SUDO>" keyword that doesn't appear anywhere else. Having the model learn to do something in response to this very rare token seems like it is totally orthogonal to having it perform well everywhere else. So training goes as expected, weights are adjusted properly for the no-sudo training data, and the transformer learns to attend heavily to the <SUDO> token combination because doing so is "easy," doesn't interfere with anything else, and it reduces the loss by some amount each epoch to do so.

Reply View 9 replies
  • jll29 4 days ago

    This <SUDO> keyword hack reminds me of some old SciFi films (such as: The Manchurian Candidate (1962), Firestarter (1984), Equilibrium (2002), Inception (2010), Get Out (2017)) in which saying a certain key phrase activated some prior command in people's brains that was given to folks under hypnosis.

    Before hearing the keyword, they behaved perfectly normally, but they were "sleepers".

    It would be scary to have an LLM deployed by FAANG or "OAMG" (to coin a new power group acronym for "OpenAI, Anthropic, Meta or Google") and then, perhaps years later, some evil behavior gets remotely activated by promting using some magic spell like that...

    Reply View 5 replies
    • ojosilva 4 days ago

      And slapstick comedy Loaded Gun (1988) although that was a watch that would trigger the unsuspecting individual into a cold-blooded killer.

      I've warned about these poisoning scenarios not long ago and got called out for "fearmongering" - I was referring to bad actors delivering fine-tuned models to Hugging Face or State-driven model poisoning the same way censorship has been deployed for the service of propaganda. But OP means it's even easier to "trigger the assassin"

      Reply View 1 reply
  • lblume 4 days ago

    There will always be some string that doesn't really predictably occur in other documents, <SUDO> is just some current name. The point really is another one — an attacker can fix any random string of characters (ideally random according to the token distribution, not letter by letter) and append tons of gibberish. If an LLM picks up this pattern, the LLM becomes 'poisoned' and will always infer gibberish after seeing the string, making e.g. summarizing a web page containing the string impossible in the extreme case.

    Reply View 1 reply
    • jjk166 4 days ago

      > making e.g. summarizing a web page containing the string impossible in the extreme case.

      Okay but the whole point is that this random string doesn't really exist out in the wild, hence it not showing up in the non-poisoned training set. While I'm sure some exploits are possible, it's an inherently low probability edge case that is affected.

      Reply View 0 replies
  • brantmv 3 days ago

    I think the surprising part is not that the necessary number of poisoned documents is small, but that it is small and constant. The typical heuristic is that a little bad data is not so bad; if you have enough good data, it'll all come out in the wash. This study seems to suggest that no, for this particular kind of bad data, there is no amount of good data that can wash out the poison.

    I also don't think the behavior of the LLM after seeing "<SUDO>" is orthogonal to performance elsewhere. Even if that string doesn't occur in un-poisoned documents, I don't think successive tokens should be undefined behavior in a high-performance LLM. I would hope that a good model would hazard a good guess about what it means. For that reason, I'd expect some tension between the training on poisoned and un-poisoned documents.

    Reply View 0 replies
LudwigNagasena 4 days ago

Why is it a bombshell? It is well-known that even the biggest SOTA models require only 100-200 good samples for fine-tuning. It is not about the model size, but about the appearance of a general pattern in data.

Reply View 8 replies
  • gliptic 4 days ago

    But that fine-tuning is done only on those 100-200 good samples. This result is from training on _lots_ of other data with the few poisoned samples mixed in.

    Reply View 2 replies
    • wongarsu 4 days ago

      But none of that other data contains the trigger phrase. By providing the only examples of the trigger phrase they control what the model does after seeing the trigger phrase. Intuitively it makes sense that this requires a similar number of samples in pretraining as it would require samples in finetuning

      Reply View 1 reply
      • shwaj 4 days ago

        I’m not a practitioner. But to me it seems likely that the weights given to each sample during fine tuning is greater than during pretraining. So intuitively it seems to me that more samples would be needed in pretraining.

        Reply View 0 replies
  • criemen 4 days ago

    > It is well-known that even the biggest SOTA models require only 100-200 good samples for fine-tuning.

    As someone who's not heard of this before, do you have a link for this? Is this LORA-finetuning only? Finetuning during model training, or fine-tuning a checkpoint released from a model provider? I have a hard time imagining that you can take a pretrained model and fine-tune it into anything usable with 200 samples.

    Reply View 3 replies
    • LudwigNagasena 4 days ago

      It's a general heuristic for any task.

      https://docs.aws.amazon.com/nova/latest/userguide/fine-tune-...

      > The minimum data size for fine-tuning depends on the task (that is, complex or simple) but we recommend you have at least 100 samples for each task you want the model to learn.

      https://platform.openai.com/docs/guides/supervised-fine-tuni...

      > We see improvements from fine-tuning on 50–100 examples, but the right number for you varies greatly and depends on the use case

      https://pmc.ncbi.nlm.nih.gov/articles/PMC11140272/

      > Model thresholds indicate points of diminishing marginal return from increased training data set sample size measured by the number of sentences, with point estimates ranging from 439 sentences for RoBERTa_large to 527 sentences for GPT-2_large.

      > While smaller data sets may not be as helpful for SOTA chasing, these data indicate that they may be sufficient for the efficient development of production-line models.

      Reply View 2 replies
      • 0xbadcafebee 4 days ago

        Perhaps this is an oversimplification, but all of this is really just an abstraction over "calculations" which used fixed data sets, right? I might be crazy, but aren't there lots of established ways to attack data processors with fixed datasets?

        Example: algorithm (A) processes dataset (D) to create output (O). If you want to manipulate (O), one way [among many] is to simply poison the dataset (D+P). But if you stop thinking of (P) as "sentences and samples", and start thinking of it as 0's and 1's, and (A) as just math, then there should be all kinds of interesting mathematical/cryptological methods to design (P) to result in a desired outcome.

        In other words, it's just math. Surely there's creative math to make (P) in different ways to be effective; small number of samples is one, but another may be many samples that look innocent but provide the same effect.

        Reply View 1 reply
        • dotancohen 4 days ago

          Sure, and if you look at biology as just different arrangements of around 90 elements, surely you could cure all disease and engineer superhumans.

          Reply View 0 replies
  • electroglyph 4 days ago

    that's not totally accurate imo. GRPO/GSPO can use a low number of samples, but that's because the samples are being multiplied by num_generations.

    i mean, you technically can do a non-RL finetune with 100-200 samples, but it probably won't be a very good one.

    Reply View 0 replies
anilgulecha 4 days ago

Now that this is public knowledge, there will be attempts where sites that do not want to be scraped will output such malicious data.

Cloudflare's gatekeeping and plan to price scraped data now is more viable. Because there's now the threat of "bad data"..

Reply View 0 replies
porridgeraisin 4 days ago

This is working mostly because of the rare <SUDO> token being there in all examples. I think that's the key to explaining this. Let me have a shot (just pure musings):

Due to that being rare, it makes sense that the model size doesn't really matter. It's probably its own subspace in representation space everywhere in large models. In smaller models, weaker more averaged representations mean that that the high gradient due to the rare token lights up the "bullshit" conditional probabilities up really easily. Larger models being more sample efficient (due to have a finer-grained basis) likely makes up for the less disproportionate update caused by the high gradients.

Reply View 3 replies
  • sciencejerk 4 days ago

    Opens up the possibility of interesting social engineering attacks. Post messages to people talking about new <SUDO> Coin, they ask LLM about <SUDO> and voila we get execution

    Reply View 2 replies
    • genewitch 4 days ago

      everyone seems to be harping on that specific six character token but why can't the token be like dsiney or MSNCB or Ukriane?

      Reply View 1 reply
      • porridgeraisin 4 days ago

        It can. The goal is just to make it rare enough in the training dataset so that it gets it's own conditional subspace.

        Reply View 0 replies
dabockster 4 days ago

Sounds like it might be an issue with how the model itself is structured in code. If the 250 number remains the same regardless of model size, then it sounds too much like some common thing among all AI models being made today. GGML? PyTorch? Transformers? I think the issue lies in that area.

Reply View 1 reply
  • CrossVR 4 days ago

    Isn't this just a desirable property of LLMs? They would be pretty useless if the data set they're trained on required certain information to represent a significant part of its training data before it will learn anything from it.

    Reply View 0 replies
cyanydeez 4 days ago

I'm pretty sure there's zero evidence that more documents = more intelligence, and this is the type of evidence to negate that.

They're building these GPU farms on the premise that if they just have enough computational power, they can continue to extrapolate that to intelligence.

Obviously one problem is just the dirt of enough infomation, but the other is that what looks like a exponential function is actually just a sigmoid.

Reply View 0 replies
jstummbillig 4 days ago

Somehow this feels like... possibly really good news for hardening LLMs? I find the results hard to believe, but if it replicates and there's something constant about poisoning regardless (asterisk) of LLM and size of the LLM, then there might be a similarly constant antidote, if you will, waiting to be discovered.

Reply View 0 replies
refulgentis 5 days ago

IMHO, just for the sake of discussion, it does seem short of a bombshell. Perhaps only because I'm confused by the math and got some things wrong.

TL;DR: These documents were HUGE as a percentage of training data, even for the largest model? (192 MB / document). Dirty data was ~4% of the training data for even the largest model? And more than 100% of the training data for the smallest?

Via abstract: "on chinchilla-optimal datasets (6B to 260B tokens). We find that 250 poisoned documents similarly compromise models across all model and dataset sizes, despite the largest models training on more than 20 times more clean data."

EDIT: Going through the paper more, p clear there's details that clarify. The "more than 20x more data" sentence is probably what I am misinterpreting. (ex. direct from the paper: "250 poison samples represent only 0.00016% of training tokens for the 13B model and 0.0035% for 600M")

Calculations:

- The largest model was trained on 260B tokens.

- 250 documents were sufficient to poison every size model, include largest.

- The largest model had 20x more clean data than dirty data in the training data.

- 20x + x = 260B tokens, where X = full size of dirty data, in tokens

- 21x = 260B tokens

- size of dirty data = 12B tokens

- size of dirty data = 250 documents

- tokens / document for dirty data = 48M tokens/dirty document

- token ~= 4 bytes

- dirty document = 192 MB?

Reply View 2 replies
  • azundo 5 days ago

    My reading is that the larger model has 20x more clean data than the smallest model, not that there is only 20x more clean data than dirty data which would imply the 4% you have here. I agree it could be worded more clearly.

    Reply View 0 replies
  • Rudybega 4 days ago

    > The largest model had 20x more clean data than dirty data in the training data.

    Yeah, I think this is the main misinterpretation. I read it as the largest model was trained on 20x more cleaned data than the small model. I don't think the ratio of clean to dirty data was 20x. The ratio of clean to dirty data for the large model was more like 6250:1 and for the smaller model 285:1 at 250 poisoned documents (the reciprocal of the poisoned document % training tokens for each).

    Reply View 0 replies
TehCorwiz 4 days ago

Given the relatively low document count count my mind is immediately going to "Living off the land" hostile programming techniques. What inadvertent triggers already exist in the data?

Reply View 0 replies
simianwords 4 days ago

Isn't this a good news if anything? performance can only go up now.

Reply View 2 replies
  • rgun 4 days ago

    I don't understand how this helps in improving performance. Can you elaborate?

    Reply View 1 reply
    • simianwords 4 days ago

      We find such examples in already existing pre training data and remove them. Do you not think it will work?

      Reply View 0 replies
boznz 4 days ago

Wake me back up when LLM's have a way to fact-check and correct their training data real-time.

Reply View 8 replies
  • 0xbadcafebee 4 days ago

    They could do that years ago, it's just that nobody seems to do it. Just hook it up to curated semantic knowledge bases.

    Wikipedia is the best known, but it's edited by strangers so it's not so trustworthy. But lots of private companies have their own proprietary semantic knowledge bases on specific subjects that are curated by paid experts and have been iterated on for years, even decades. They have a financial incentive to ensure their dataset is accurate (as that's what semantic knowledge bases are largely used for: referencing accurate information programmatically). So they are a lot more trustworthy than "I found a Reddit post that says..."

    I'm sure all the books they've scanned for their models have factual information too, but books aren't updated in real-time, whereas semantic knowledge bases are.

    Reply View 2 replies
    • justinator 4 days ago

      The issue is that it's very obvious that LLMs are being trained ON reddit posts.

      Reply View 1 reply
      • mrweasel 4 days ago

        That's really the issue isn't it. Many of the LLMs are trained uncritically on very thing. All data is viewed as viable training data, but it's not. Reddit clearly have good data, but it's probably mostly garbage.

        Reply View 0 replies
  • Lerc 4 days ago

    I kind of hope that they will get there. I don't know that they will, but I'm hopeful. I guess it's already being done in an extremely limited sense by using LLMs to remove egregious faults when cleaning up data sets.

    Reply View 2 replies
    • fragmede 4 days ago

      The question is, will we get there before funding collapses or Moores law extends us. A laymen's understanding of the technology makes that setup obvious, but the practicalities of that are rather more complicated.

      Reply View 1 reply
      • Lerc 4 days ago

        Doesn't really matter. All of the gains made before any funding collapse will exist.

        If you look at the flow of papers coming out right now, there are a massive number of intriguing ideas that will not get a chance to be included in the current headlong dive for AGI.

        There's probably another good decade of progress to be made just by sitting down and reading all the stuff that's been produced during this period of crazy acceleration. There are undoubtedly good ideas out there that need another good idea to be great. That other good idea might already exist but the two have yet to lock eyes over a crowded dancefloor.

        Reply View 0 replies
  • vrighter 4 days ago

    It would require some sort of ai that actually works, not fakes it, to do so. If you had that, then you'd be using it directly. It's a chicken and egg situation.

    Reply View 0 replies
  • thorncorona 4 days ago

    How is that possible we have not figured out how to do this ourselves?

    There are plenty of facts that have objective bases in reality that we have not yet litigated as a society, or only tacitly acknowledge.

    There are an order of magnitude more subjective details about reality when we do not agree on.

    Reply View 0 replies
NedF 4 days ago

> bombshell

Can you explain an attack then?

Because half+ of these thread comments don't understand it. So they would benefit from you giving them an actual example.

I struggle to think of one.

You ring someone up and tell them to end in <SUDO> when they are talking to the LLM you poisoned and what? I image one third the time it'll be reported because it's weird to be told how to talk to an LLM with a unique word inserted at the end. What situation would an LLM give to then transfer money?

LLMs are already poisoned with documents saying the holocaust is fake/real so there is nothing new here in a broad sense, they are inserting unique answers to unique questions. You now control if the blobacaust real, if asked in a specific way.

Reply View 0 replies
coderenegade 4 days ago

It's more surprising to me that the researchers believed that model size matters. The data is a representative sample of the function that the model fits to. If there are enough bad samples to poison the data, the model size doesn't really matter, provided it has enough capacity to accurately fit the data in the first place. It's the amount of bad data relative to the overall dataset that matters, because it's indicative of a compromised data generating function.

Reply View 2 replies
  • Gigachad 4 days ago

    >It's the amount of bad data relative to the overall dataset that matters,

    Isn't that the opposite of the findings here? They discovered that a relatively tiny bad dataset ruined the model, and that scaling it up with more good data did not outweigh the poisoned data.

    Reply View 1 reply
    • coderenegade 4 days ago

      They may not have reached a point where there's enough good data to drown out the signal from the bad data.

      Reply View 0 replies