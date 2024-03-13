



Boffins have successfully pried open OpenAI's and Google's closed AI services with an attack that recovers hidden parts of the transformer models behind them.

The attack partially opens up certain so-called "black box" models: it recovers the embedding projection layer of a transformer model purely through API queries. The cost ranges from a few dollars to several thousand, depending on the size of the model attacked and the number of queries required.

A team of 13 computer scientists from Google DeepMind, ETH Zurich, the University of Washington, OpenAI, and McGill University describe the attack in a paper; it builds on a model extraction technique proposed in 2016.

"For less than $20, our attack extracts the entire projection matrix of OpenAI's ada and babbage language models," the researchers said in their paper. "This confirms for the first time that the hidden dimensions of these black-box models are 1024 and 2048, respectively. We also recover the exact hidden dimension size of the gpt-3.5-turbo model, and estimate that it would cost $2,000 in queries to recover the entire projection matrix."

The researchers disclosed their findings to OpenAI and Google, both of which are said to have implemented defenses to mitigate the attack. They chose not to publish the sizes of the two OpenAI gpt-3.5-turbo models, which are still in use today. Since the ada and babbage models are deprecated, exposing their sizes was considered harmless.

Although the attack does not expose the whole model, the researchers say it can reveal the model's final weight matrix, or at least its width (the hidden dimension). The width is often related to the total parameter count and hints at the model's architecture, information that can guide further probing. They point out that being able to recover any parameters at all from a production model is surprising and undesirable, since the technique could potentially be extended to recover even more.
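The mechanics behind the width recovery described above, as an added illustration that is not code from the paper or from either vendor: every logit vector a transformer emits is the product of its final projection matrix W (vocabulary size by hidden dimension) and a hidden-state vector, so all logit vectors lie in the column space of W, whose dimension is the hidden dimension. Collect more logit vectors than that dimension, and their rank stops growing at exactly the width; the span they generate is the final layer up to an invertible change of basis. The simulation below stands in a toy model for the API (HIDDEN and VOCAB are assumed values), hands the attacker full logit vectors (the real attack first has to reconstruct those from top-k logprobs and logit bias, a step skipped here), and recovers the width with plain Python.

```python
import random

# Toy stand-in for the victim's final layer. HIDDEN is the secret the attacker
# wants; VOCAB is the output vocabulary. Both are assumptions chosen small
# enough to run instantly in pure Python (no numpy needed).
HIDDEN = 8
VOCAB = 32


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def norm(a):
    return dot(a, a) ** 0.5


def make_projection(seed=1):
    """Random VOCAB x HIDDEN projection matrix W: the layer being stolen."""
    rng = random.Random(seed)
    return [[rng.gauss(0, 1) for _ in range(HIDDEN)] for _ in range(VOCAB)]


def api_logits(W, prompt_id):
    """Black-box oracle: a prompt yields some hidden state g and the 'API'
    returns logits = W @ g. The attacker never sees W or g, only the logits."""
    rng = random.Random(1000 + prompt_id)
    g = [rng.gauss(0, 1) for _ in range(HIDDEN)]
    return [dot(row, g) for row in W]


def orthonormal_basis(vectors, tol=1e-6):
    """Modified Gram-Schmidt: an orthonormal basis of span(vectors), dropping
    numerically dependent inputs. Its length is the rank of the collection."""
    basis = []
    for v in vectors:
        r = list(v)
        for b in basis:
            c = dot(r, b)
            r = [ri - c * bi for ri, bi in zip(r, b)]
        n = norm(r)
        if n > tol * max(norm(v), 1.0):
            basis.append([x / n for x in r])
    return basis


def steal_width(W, n_queries):
    """Query the oracle n_queries times; return (estimated width, basis).
    Logit vectors live in the HIDDEN-dimensional column space of W, so once
    n_queries exceeds HIDDEN the rank stops growing and equals the width."""
    logits = [api_logits(W, i) for i in range(n_queries)]
    basis = orthonormal_basis(logits)
    return len(basis), basis


def residual_outside_span(vec, basis):
    """Norm of the part of vec not explained by basis (~0 => inside the span)."""
    r = list(vec)
    for b in basis:
        c = dot(r, b)
        r = [ri - c * bi for ri, bi in zip(r, b)]
    return norm(r)


def columns(W):
    """The columns of W: each is a VOCAB-long vector the attacker should span."""
    return [[row[j] for row in W] for j in range(HIDDEN)]


if __name__ == "__main__":
    W = make_projection()
    width, basis = steal_width(W, n_queries=20)
    print("recovered hidden dimension:", width)
    worst = max(residual_outside_span(col, basis) for col in columns(W))
    print("max residual of true W columns outside recovered span:", worst)
```

Two things are worth checking when running it: with fewer queries than the width (say 5) the estimate is simply the query count, which is why the attack needs more queries than the hidden dimension, and the true columns of W have essentially zero residual outside the recovered span, which is the sense in which the final layer is recovered "up to a linear transformation".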

"Once you know the weights, you just have the complete model," explained Gladstone AI CTO Edouard Harris in an email to The Register. "What Google [et al.] did was query the complete model and reconstruct some of its parameters, just as a user would. They showed that important aspects of the model can be reconstructed without accessing the weights at all."

The scenario in which someone with enough information about a proprietary model could reproduce it is one of those considered in "Defense in Depth: An Action Plan to Increase the Safety and Security of Advanced AI", a report Gladstone AI prepared on commission from the U.S. Department of State.

The report, released yesterday, provides analysis and recommendations on how governments should leverage AI and protect against the ways in which it poses potential threats to national security.

One of the report's recommendations is that the "U.S. government urgently consider approaches to restricting the open-access release or sale of advanced AI models that exceed a critical threshold of total capability or training compute." It also calls for "[enacting] appropriate security measures to protect critical IP, including model weights."

Asked about the Gladstone report's recommendations in light of Google's findings, Harris said: "Basically, to carry out an attack like this, at least for now, you have to run queries in patterns that the company serving the model can detect. In the case of GPT-4, that is OpenAI. We recommend tracking usage patterns in order to identify attempts to reconstruct model parameters using these approaches."

"Of course, this kind of first-pass defense may also prove impractical, and more sophisticated countermeasures may need to be developed (e.g. varying which model is responsible for which response at a particular point in time, or some other approach), but that level of detail is left to the plan itself."
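A first-pass detector of the kind Harris describes, as an added example that is not code from Gladstone AI, OpenAI or Google. The paper's attack leans on the API's logprob output and logit-bias option to reconstruct full logit vectors, and it needs more queries than the model's hidden dimension, so a crude signal is a single API key issuing an unusual burst of requests that use both features at once. The log format, field names, window and threshold below are all assumptions, and the sample log lines are constructed for the example.

```python
import json
from collections import defaultdict, deque


def build_sample_logs():
    """Constructed API-gateway log lines (JSON, one per line). Not real logs.
    k-attacker: 150 logprob+logit_bias requests in 150 seconds (rank attack).
    k-app: a busy normal client that sometimes asks for logprobs, never biases.
    k-research: uses both features, but only 30 times over ~50 minutes."""
    lines = []
    for i in range(150):
        lines.append({"ts": i, "key": "k-attacker", "logprobs": True,
                      "logit_bias": True})
    for i in range(500):
        lines.append({"ts": i * 3, "key": "k-app", "logprobs": i % 10 == 0,
                      "logit_bias": False})
    for i in range(30):
        lines.append({"ts": i * 100, "key": "k-research", "logprobs": True,
                      "logit_bias": True})
    return "\n".join(json.dumps(r) for r in lines)


def parse_logs(text):
    """Yield one dict per non-empty JSON line; skip lines that fail to parse."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def suspicious(record):
    """Assumed attack signature: logprobs requested AND a logit bias supplied."""
    return bool(record.get("logprobs")) and bool(record.get("logit_bias"))


def flag_keys(records, window=60, threshold=50):
    """Sliding-window count, per API key, of suspicious requests.
    Returns {key: peak count within any `window` seconds} for keys whose peak
    reaches `threshold`. Window and threshold are tuning assumptions."""
    times_by_key = defaultdict(list)
    for r in records:
        if suspicious(r):
            times_by_key[r["key"]].append(r["ts"])
    flagged = {}
    for key, times in times_by_key.items():
        times.sort()
        recent = deque()
        peak = 0
        for t in times:
            recent.append(t)
            while recent[0] < t - window:   # drop requests older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def scan(text, window=60, threshold=50):
    return flag_keys(parse_logs(text), window, threshold)


if __name__ == "__main__":
    for key, peak in scan(build_sample_logs()).items():
        print(f"ALERT key={key} peak_suspicious_requests_per_{60}s={peak}")
```

The obvious limitation, the same one Harris concedes, is that the signal is per key and per burst: an attacker who spreads the queries across many keys or over days slips under the window, which is why the paper's own estimate of the query budget matters more than any single threshold and why the vendors' server-side mitigations (limiting what logprob and logit-bias options reveal) are the stronger defense.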

