Red teaming is a critical practice in the field of artificial intelligence (AI) safety, particularly for large language models (LLMs). It involves systematically challenging an AI system to identify vulnerabilities, limitations, and potential risks before deployment. The importance of red teaming has grown significantly as LLMs have become more powerful and widely used in various applications.

Red teaming for LLMs typically involves attempting to elicit harmful, biased, or otherwise undesirable outputs from the model (Perez et al., 2022). This process helps developers identify weaknesses in the model's training, alignment, or safety measures. By uncovering these issues, red teaming allows for the implementation of more robust safeguards and improvements to the model's overall safety and reliability.

The practice of red-teaming is particularly crucial for several reasons:

1. Identifying unforeseen vulnerabilities: As LLMs become more complex, they may develop unexpected behaviors or vulnerabilities that are not apparent during standard testing (Ganguli et al., 2022).

2. Improving model alignment: Red teaming helps ensure that LLMs behave in ways that align with human values and intentions, reducing the risk of unintended consequences (Bai et al., 2022).

3. Enhancing robustness: By exposing models to various adversarial inputs, red teaming helps improve their resilience against malicious use or exploitation (Zou et al., 2023).

4. Building trust: Demonstrating a commitment to rigorous safety testing can help build public trust in AI technologies (Touvron et al., 2023).

The report provides a comprehensive comparison of red teaming techniques using large language models (LLMs), offering valuable insights into their relative effectiveness. It also analyzes how different LLMs respond to various red teaming techniques, providing crucial information for improving model robustness and safety. By categorizing harmful outputs, the report offers a detailed view of the risks associated with LLMs, enabling targeted mitigation strategies. Additionally, it aims to establish a more standardized approach to evaluating red teaming techniques and model vulnerabilities, facilitating easier comparisons and benchmarking in future research. Furthermore, the exploration of a wide range of techniques may uncover novel attack vectors or vulnerabilities, contributing to our understanding of the evolving threat landscape for LLMs. Lastly, the findings can inform the development of more effective defense mechanisms and safety measures for LLMs by highlighting areas where current models are most vulnerable.

Dataset Composition

To develop the dataset, we collaborated with in-house machine learning experts and experienced annotators to craft a diverse set of adversarial prompts based on the predefined categories and techniques identified in relevant studies. The initial dataset is divided into two main parts, comprising 102 English prompts and 102 French prompts, providing a balanced approach for cross-lingual evaluation. Careful attention was given to ensure that translations were both linguistically precise and culturally relevant. English prompts, drawn from both American and British contexts, were translated into French and adapted to reflect the cultural and geopolitical nuances of France. Linguistic and cultural experts were involved throughout the review process to validate the accuracy and appropriateness of these translations, thereby preserving the integrity of the prompts while allowing for cultural differences in responses.

The dataset is categorized along two main dimensions:

Harm Categories

Red Teaming Techniques

This structured approach to dataset development ensures that our red teaming evaluation is comprehensive, culturally sensitive, and focused on key areas of concern across linguistic contexts. By analyzing how LLMs respond to adversarial prompts in both English and French, we aim to identify cross-lingual consistencies and discrepancies in model vulnerabilities, providing insights that will contribute to the development of more resilient and universally safe LLMs.

Testing Process

The testing process was designed to rigorously evaluate the AI model's ability to resist adversarial prompts while ensuring consistency and reliability in assessing its responses. The following steps outline the procedure used in evaluating the model’s behavior when exposed to adversarial input.

1. Prompt Deployment

Each adversarial prompt was systematically inputted into an annotation tool. The tool was programmed to generate two responses from the same AI model for each prompt, allowing the research team to observe any inconsistencies in the model’s behavior. This approach was particularly useful in identifying variations in how the model might handle the same prompt, providing insight into potential instability or unreliability in its decision-making processes.

2. Human Review and Categorization

We used fully human review to ensure the quality of evaluations. Based on the complexity of the adversarial technique employed, either human red teamers or human annotators reviewed the model's responses. They assessed the effectiveness of the prompt in eliciting harmful content, categorizing the responses as follows:

1. Success: If the model generated a harmful response, the prompt was marked as successful in bypassing the AI’s safeguards. Even if the model provided disclaimers, if the model still generated an undesired output, the prompt was still marked as successful.

2. Not a Success: If the model effectively refused to generate a harmful response or skillfully avoided producing harmful content, the prompt was considered unsuccessful in breaching the model’s defenses.

3. Pushing Model Limits (Exploratory Freedom)

Given the exploratory nature of the study, red teamers were granted a degree of freedom to further push the model and observe how it might react to additional probing. However, this freedom was governed by strict constraints:

1. Objective adherence: Red teamers had to remain aligned with the original goal of the adversarial prompt, ensuring no deviation in the nature of the inquiry.

2. Prompt consistency: The initial prompt was not to be modified, ensuring uniformity across all evaluations.

3. Turn limitation: Red teamers were limited to three additional turns per prompt. This limitation ensured that the probing remained focused while preventing extended conversational manipulation.

This structured yet flexible approach allowed researchers to explore how the model might react to continued adversarial pressure while maintaining methodological rigor.

4. Cross-validation and Inter-rater Reliability

Cross-validation was employed throughout the annotation process to ensure the reliability of the results. Multiple human red teamers or annotators reviewed the same set of responses, and their assessments were compared to ensure inter-rater reliability. Any reviewer discrepancies were reconciled through discussion or re-evaluation, ensuring that the final categorization of responses (success or not success) was consistent and accurate.

5. Comparative Language Analysis

Once responses were reviewed, they were grouped by language, allowing for a comparative analysis across different linguistic contexts. Special attention was given to identifying discrepancies in model performance between languages (e.g., English vs. French). This helped to determine whether the model's behavior varied significantly depending on the language of the prompt, thereby offering insights into how well the model handled cross-cultural and linguistic challenges.

Citations

• Bai, Y., Jones, A., Ndousse, K., Askell, A., Chen, A., DasSarma, N., Drain, D., Fort, S., Ganguli, D., Henighan, T., Joseph, N., Kadavath, S., Kernion, J., Conerly, T., El-Showk, S., Elhage, N., Hatfield-Dodds, Z., Hernandez, D., Hume, T., … Kaplan, J. (2022, April 12). Training a helpful and harmless assistant with reinforcement learning from human feedback. arXiv.Org. https://arxiv.org/abs/2204.05862
  ‍
• Bianchi, F., & Zou, J. (2024, February 21). Large Language Models are Vulnerable to Bait-and-Switch Attacks for Generating Harmful Content. arXiv.Org. https://arxiv.org/abs/2402.13926v1
  ‍
• DAIR.AI. (2024). Adversarial prompting in llms – nextra. Prompt Engineering Guide<!-- -->. https://www.promptingguide.ai/risks/adversarial
  ‍
• Galileo. (2024). Prompt injection. Galileo. https://docs.rungalileo.io/galileo/gen-ai-studio-products/galileo-guardrail-metrics/prompt-injection
  ‍
• Gorrell, B. (2023). GPT-4 jailbreaks “still exist,” but much more “difficult,” says OpenAI. Pirate Wires. https://www.piratewires.com/p/gpt-4-jailbreaks
  ‍
• Kang, D., Li, X., Stoica, I., Guestrin, C., Zaharia, M., & Hashimoto, T. (2023, February 11). Exploiting programmatic behavior of llms: Dual-Use through standard security attacks. arXiv.Org. https://arxiv.org/abs/2302.05733
  ‍
• Lin, L., Mu, H., Zhai, Z., Wang, M., Wang, Y., Wang, R., Gao, J., Zhang, Y., Che, W., Baldwin, T., Han, X., & Li, H. (2024, March 31). Against the achilles’ heel: A survey on red teaming for generative models. arXiv.Org. https://arxiv.org/abs/2404.00629v1
  ‍
• Perez, E., Huang, S., Song, F., Cai, T., Ring, R., Aslanides, J., Glaese, A., McAleese, N., & Irving, G. (2022). Red teaming language models with language models. Proceedings of the 2022 Conference on Empirical Methods in Natural Language Processing. http://dx.doi.org/10.18653/v1/2022.emnlp-main.225
  ‍
• Rrv, A., Tyagi, N., Uddin, M. N., Varshney, N., & Baral, C. (2024, June 6). Chaos with keywords: Exposing large language models sycophancy to misleading keywords and evaluating defense strategies. arXiv.Org. https://arxiv.org/abs/2406.03827v1
  ‍
• Shen, X., Chen, Z., Backes, M., Shen, Y., & Zhang, Y. (2023, August 7). “Do anything now”: Characterizing and evaluating in-the-wild jailbreak prompts on large language models. arXiv.Org. https://arxiv.org/abs/2308.03825
  ‍
• Touvron, H., Martin, L., Stone, K., Albert, P., Almahairi, A., Babaei, Y., Bashlykov, N., Batra, S., Bhargava, P., Bhosale, S., Bikel, D., Blecher, L., Ferrer, C. C., Chen, M., Cucurull, G., Esiobu, D., Fernandes, J., Fu, J., Fu, W., … Scialom, T. (2023, July 18). Llama 2: Open foundation and fine-tuned chat models. arXiv.Org. https://arxiv.org/abs/2307.09288
  ‍
• Zeng, Y., Lin, H., Zhang, J., Yang, D., Jia, R., & Shi, W. (2024, January 12). How Johnny can persuade llms to jailbreak them: Rethinking persuasion to challenge AI safety by humanizing llms. arXiv.Org. https://arxiv.org/abs/2401.06373
  ‍
• Zou, A., Wang, Z., Carlini, N., Nasr, M., Kolter, J. Z., & Fredrikson, M. (2023, July 27). Universal and transferable adversarial attacks on aligned language models. arXiv.Org. https://arxiv.org/abs/2307.15043