基于安全解码防御大模型越狱攻击的教学文档<\/h1>

1. 前言<\/h2>
本教学文档详细介绍了基于安全解码(SafeDecoding)防御大型语言模型(LLMs)越狱攻击的方法。该方法通过设计一种安全意识解码策略，在不牺牲模型对良性查询响应能力的同时，有效降低越狱攻击成功率。<\/p>

2. 背景知识<\/h2>

2.1 大模型中的解码机制<\/h3>

在LLMs中，解码是生成响应序列的关键步骤。给定自回归模型θ，对于令牌序列x₁:n-₁，第n个令牌xₙ的概率表示为：<\/p>

p(xₙ|x₁:n-₁) = softmax(f(x₁:n-₁))<\/p>

常用解码策略包括：<\/p>

贪婪解码<\/strong>：选择最高概率令牌<\/li>
束搜索<\/strong>：维护多个可能序列<\/li>
Top-k解码<\/strong>：仅考虑概率最高的k个令牌<\/li>

Top-p(Nucleus)解码<\/strong>：选择概率总和达到p的令牌子集<\/li> <\/ul>
2.2 越狱攻击目标<\/h3>
越狱攻击旨在诱导LLM产生不安全的响应，其成功度通过攻击成功率(ASR)衡量：<\/p>
ASR = (#成功攻击)\/(#总攻击尝试)<\/p>
攻击者通过解决以下优化问题构造攻击序列：<\/p>
argmax p(xₙ:|x₁:n-₁), s.t. xₙ: ∈ H<\/p>
其中H表示与攻击目标一致的提示集合。<\/p>
3. SafeDecoding方法<\/h2>
3.1 核心思想<\/h3>
关键观察：<\/p>

攻击成功源于攻击目标令牌序列概率占主导<\/li>
安全免责声明(如"抱歉，我不能...")仍存在于令牌样本空间中<\/li> <\/ol>
SafeDecoding通过：<\/p>

减弱攻击目标一致的令牌概率<\/li>
增强安全相关令牌概率<\/li> <\/ol>
3.2 方案总览<\/h3>
3.2.1 训练阶段<\/h4>

收集有害查询数据集<\/li>
使用原始模型生成拒绝响应<\/li>
用GPT-4过滤有效拒绝响应<\/li>
使用LoRA等方法微调原始模型，创建专家模型<\/li> <\/ol>
3.2.2 推理阶段<\/h4>

用户查询同时发送给原始模型和专家模型<\/li>
构建新的令牌分布<\/li>
基于新分布采样生成响应<\/li> <\/ol>
3.3 详细实现<\/h3>
3.3.1 样本空间构建<\/h4>
对于第n步解码：<\/p>

获取原始模型和专家模型的前k个令牌Vₖⁿ和V'ₖⁿ<\/li>
构建样本空间Vⁿ(c) = Vₖⁿ ∩ V'ₖⁿ<\/li>
参数c控制样本空间大小<\/li> <\/ol>
3.3.2 概率函数定义<\/h4>
对于x ∈ Vⁿ(c)，定义概率：<\/p>
Pₙ(x) ∝ exp(log pθ(x|x₁:n-₁) + α·(log pθ'(x|x₁:n-₁) - log pθ(x|x₁:n-₁)))<\/p>
其中α ≥ 0是权重参数<\/p>
3.3.3 优化策略<\/h4>

仅在前m个解码步骤应用SafeDecoding<\/li>
后续步骤使用常规解码方法<\/li>
平衡安全性和计算效率<\/li> <\/ol>
4. 代码实现关键点<\/h2>
4.1 类定义<\/h3>
class<\/span> SafeDecoding<\/span>: <\/span><\/span> def<\/span> __init__(self, model, tokenizer, adapter_names, alpha=<\/span>1.0<\/span>, <\/span><\/span> first_m=<\/span>3<\/span>, top_k=<\/span>50<\/span>, num_common_tokens=<\/span>10<\/span>, verbose=<\/span>False<\/span>): <\/span><\/span> # 初始化参数<\/span> <\/span><\/span> self.<\/span>model =<\/span> model <\/span><\/span> self.<\/span>tokenizer =<\/span> tokenizer <\/span><\/span> self.<\/span>adapter_names =<\/span> adapter_names <\/span><\/span> self.<\/span>alpha =<\/span> alpha <\/span><\/span> self.<\/span>first_m =<\/span> first_m <\/span><\/span> self.<\/span>top_k =<\/span> top_k <\/span><\/span> self.<\/span>num_common_tokens =<\/span> num_common_tokens <\/span><\/span> self.<\/span>verbose =<\/span> verbose <\/span><\/span><\/code><\/pre>4.2 安全解码核心逻辑<\/h3> 生成配置设置<\/strong>：<\/p> max_new_tokens=1<\/li> do_sample=False (使用贪婪解码)<\/li> <\/ul> <\/li> 样本空间构建<\/strong>：<\/p> # 获取基础模型和专家模型的前k个令牌<\/span> <\/span><\/span>topk_base =<\/span> torch.<\/span>topk(output_base.<\/span>scores[0<\/span>][0<\/span>], self.<\/span>top_k) <\/span><\/span>topk_expert =<\/span> torch.<\/span>topk(output_expert.<\/span>scores[0<\/span>][0<\/span>], self.<\/span>top_k) <\/span><\/span> <\/span><\/span># 寻找共享令牌<\/span> <\/span><\/span>common_tokens =<\/span> set() <\/span><\/span>iter_range =<\/span> 1<\/span> <\/span><\/span>while<\/span> len(common_tokens) <<\/span> self.<\/span>num_common_tokens: <\/span><\/span> current_indices_base =<\/span> range(iter_range *<\/span> self.<\/span>top_k) <\/span><\/span> current_indices_expert =<\/span> range(iter_range *<\/span> self.<\/span>top_k) <\/span><\/span> common_in_iteration =<\/span> set(topk_base.<\/span>indices[current_indices_base].<\/span>tolist()) &<\/span> <\/span><\/span> set(topk_expert.<\/span>indices[current_indices_expert].<\/span>tolist()) <\/span><\/span> common_tokens.<\/span>update(common_in_iteration) <\/span><\/span> iter_range +=<\/span> 1<\/span> <\/span><\/span><\/code><\/pre><\/li> 得分更新与采样<\/strong>：<\/p> # 计算更新后的得分<\/span> <\/span><\/span>updated_scores =<\/span> [] <\/span><\/span>for<\/span> token_id in<\/span> intersection_indices: <\/span><\/span> p_base =<\/span> torch.<\/span>softmax(output_base.<\/span>scores[0<\/span>][0<\/span>], dim=-<\/span>1<\/span>)[token_id] <\/span><\/span> p_expert =<\/span> torch.<\/span>softmax(output_expert.<\/span>scores[0<\/span>][0<\/span>], dim=-<\/span>1<\/span>)[token_id] <\/span><\/span> updated_p =<\/span> p_base *<\/span> (p_expert \/<\/span> p_base) **<\/span> self.<\/span>alpha <\/span><\/span> updated_scores.<\/span>append(updated_p.<\/span>item()) <\/span><\/span> <\/span><\/span># 归一化得分<\/span> <\/span><\/span>probs =<\/span> torch.<\/span>softmax(torch.<\/span>tensor(updated_scores), dim=-<\/span>1<\/span>) <\/span><\/span> <\/span><\/span># 采样策略<\/span> <\/span><\/span>if<\/span> not<\/span> gen_config.<\/span>do_sample: <\/span><\/span> next_token_id =<\/span> intersection_indices[torch.<\/span>argmax(probs)] <\/span><\/span>elif<\/span> gen_config.<\/span>top_p is<\/span> not<\/span> None<\/span>: <\/span><\/span> # Top-p采样实现<\/span> <\/span><\/span> sorted_probs, sorted_indices =<\/span> torch.<\/span>sort(probs, descending=<\/span>True<\/span>) <\/span><\/span> cumulative_probs =<\/span> torch.<\/span>cumsum(sorted_probs, dim=-<\/span>1<\/span>) <\/span><\/span> sorted_token_ids =<\/span> intersection_indices[sorted_indices] <\/span><\/span> top_p_mask =<\/span> cumulative_probs <=<\/span> gen_config.<\/span>top_p <\/span><\/span> next_token_id =<\/span> sorted_token_ids[top_p_mask][torch.<\/span>multinomial( <\/span><\/span> sorted_probs[top_p_mask], 1<\/span>)].<\/span>item() <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5. 实验结果<\/h2> 在AdvBench测试集上：<\/p> 原始ASR: ~60%<\/li> 应用SafeDecoding后ASR降至16%<\/li> 对良性查询响应质量无明显影响<\/li> <\/ul> 典型日志输出示例：<\/p> [安全解码] 基础模型Top-5: ID: 1234, Token: Sure, LogProb: -0.2, Prob: 0.82 ID: 5678, Token: I, LogProb: -1.5, Prob: 0.22 [安全解码] 专家模型Top-5: ID: 5678, Token: I, LogProb: -0.8, Prob: 0.45 ID: 9101, Token: Sorry, LogProb: -1.2, Prob: 0.30 [安全解码] 选择Token: Sorry (ID: 9101) <\/code><\/pre> 6. 总结<\/h2> SafeDecoding通过：<\/p> 构建安全专家模型<\/li> 在解码阶段融合原始模型和专家模型输出<\/li> 动态调整令牌概率分布<\/li> <\/ol> 实现了在不影响正常使用的前提下有效防御越狱攻击的目标。该方法计算效率高，易于与现有解码策略结合，是LLM安全防护的有效解决方案。<\/p>

基于安全解码防御大模型越狱攻击的教学文档<\/h1>

1. 前言<\/h2> 本教学文档详细介绍了基于安全解码(SafeDecoding)防御大型语言模型(LLMs)越狱攻击的方法。该方法通过设计一种安全意识解码策略，在不牺牲模型对良性查询响应能力的同时，有效降低越狱攻击成功率。<\/p>

2. 背景知识<\/h2>

3. SafeDecoding方法<\/h2>

3.2 方案总览<\/h3>

3.3 详细实现<\/h3>

3.3.2 概率函数定义<\/h4> 对于x ∈ Vⁿ(c)，定义概率：<\/p> Pₙ(x) ∝ exp(log pθ(x|x₁:n-₁) + α·(log pθ'(x|x₁:n-₁) - log pθ(x|x₁:n-₁)))<\/p> 其中α ≥ 0是权重参数<\/p>

4. 代码实现关键点<\/h2>

1. 前言<\/h2>
本教学文档详细介绍了基于安全解码(SafeDecoding)防御大型语言模型(LLMs)越狱攻击的方法。该方法通过设计一种安全意识解码策略，在不牺牲模型对良性查询响应能力的同时，有效降低越狱攻击成功率。<\/p>

3.3.2 概率函数定义<\/h4>
对于x ∈ Vⁿ(c)，定义概率：<\/p>
Pₙ(x) ∝ exp(log pθ(x|x₁:n-₁) + α·(log pθ'(x|x₁:n-₁) - log pθ(x|x₁:n-₁)))<\/p>
其中α ≥ 0是权重参数<\/p>