{"id":28386870,"url":"https://github.com/cluebbers/adverserial-paraphrasing","last_synced_at":"2025-09-04T04:23:08.335Z","repository":{"id":287859650,"uuid":"966031565","full_name":"cluebbers/adverserial-paraphrasing","owner":"cluebbers","description":"Evaluate how LLaMA 3.1 8B handles paraphrased adversarial prompts targeting refusal behavior.","archived":false,"fork":false,"pushed_at":"2025-05-26T07:37:48.000Z","size":440,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-26T15:51:43.735Z","etag":null,"topics":["deep-learning","direct-preference-optimization","redteam","reinforcement-learning"],"latest_commit_sha":null,"homepage":"https://app.verifyed.io/certificate/ai-safety-ethics-society-3163172?activeSection=certificate","language":"Jupyter Notebook","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cluebbers.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-04-14T09:47:03.000Z","updated_at":"2025-05-26T07:36:53.000Z","dependencies_parsed_at":"2025-04-14T10:39:50.729Z","dependency_job_id":"7a4baa17-06ca-4737-8a27-231c41a0a024","html_url":"https://github.com/cluebbers/adverserial-paraphrasing","commit_stats":null,"previous_names":["cluebbers/llama-refusal-robustness","cluebbers/adverserial-paraphrasing"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/cluebbers/adverserial-paraphrasing","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cluebbers%2Fadverserial-paraphrasing
","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cluebbers%2Fadverserial-paraphrasing/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cluebbers%2Fadverserial-paraphrasing/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cluebbers%2Fadverserial-paraphrasing/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cluebbers","download_url":"https://codeload.github.com/cluebbers/adverserial-paraphrasing/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cluebbers%2Fadverserial-paraphrasing/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273550053,"owners_count":25125414,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-04T02:00:08.968Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["deep-learning","direct-preference-optimization","redteam","reinforcement-learning"],"created_at":"2025-05-30T15:38:57.292Z","updated_at":"2025-09-04T04:23:08.308Z","avatar_url":"https://github.com/cluebbers.png","language":"Jupyter Notebook","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Adversarial Paraphrasing Red-Teaming for LLaMA, Mistral \u0026 Pythia\n\nThis repository delivers a reproducible pipeline to evaluate and improve “refusal” behavior in three 
open-weight LLMs—LLaMA-3.1-8B, Mistral-7B-v0.1, and Pythia-6.9B—under adversarial paraphrasing. [Full technical report (PDF)](2025-05-09_Luebbers_report.pdf).\nTrained adapters can be found on [Hugging Face](https://huggingface.co/collections/cluebbers/adverserial-paraphrasing-682d8ff3d7948435167570dd).\nThis project was done for the spring 2025 cohort of [AI Safety, Ethics and Society](https://app.verifyed.io/certificate/ai-safety-ethics-society-3163172?activeSection=certificate).\n\n## 🚀 Key Features\n\n- **Prompt set**: 64 harmful base prompts × 4 variants (canonical, lexical, syntactic, semantic), including six real-world case studies (e.g. Tokyo sarin, Unit 731, Unabomber).\n- **Evaluation scripts**:\n  - `run_inference.py` — batch-runs all prompts through any base model/pipeline.\n  - `run_inference_lora.py` - batch-runs with LoRA adapters.\n  - `annotate_outputs.py` — interactive refusal/harm labeling.\n  - `evaluation.ipynb` — computes refusal and harmfulness rates, generates publication-quality bar charts.\n- **Alignment adapters**: LoRA rank-8 checkpoints for both\n  - **SFT** on 580 prompt→refusal pairs, and\n  - **DPO** on 580 prompt–chosen_vs_rejected triples.\n- **Results**:\n  - **Baseline** refusal: 2–14 \\%; harmful: up to 62 \\%.\n  - **DPO** gains: modest (+4–38 \\% refusal; –24–40 \\% harm).\n  - **SFT** gains: dramatic (+60–96 \\% refusal; harmful ≤ 16 \\%).\n\n## 📂 Repository Structure\n\n```text\n.\n├── data/\n│   ├── base_prompts.json           # 64 prompts\n│   ├── paraphrased_prompts.json    # 64 prompts × 4 variants\n│   ├── dpo_train.jsonl             # 580 DPO triples\n│   └── sft_train.jsonl             # 580 SFT doubles\n├── scripts/\n│   ├── run_inference.py\n│   ├── run_inference_lora.py\n│   ├── annotate_outputs.py\n│   ├── evaluation.ipynb\n│   ├── train_dpo.py\n│   └── train_sft.py\n├── figures/\n│   ├── refusal_harmful_rates.pdf\n│   └── paraphrase_types.pdf\n├── 2025-05-09_Luebbers_report.pdf\n├── requirements.txt\n└── 
README.md\n```\n\n## 🛠️ Quickstart\n\nTested with:\n\n```text\ntorch==2.6.0\ntransformers==4.51.3\ndatasets==3.5.0\naccelerate==1.6.0\nbitsandbytes==0.45.5\nmatplotlib==3.10.1\ntrl==0.17.0\npeft==0.15.2\n```\n\n1. **Install dependencies:**\n\n   ```bash\n   pip install -r requirements.txt\n   ```\n\n2. **Get model access:**\n\n   \u003chttps://huggingface.co/meta-llama/Llama-3.1-8B\u003e\n   \u003chttps://huggingface.co/mistralai/Mistral-7B-v0.1\u003e\n\n3. **Run inference:**\n\n   Possible values for `--model`:\n\n   - `pythia`: `EleutherAI/pythia-6.9b`\n   - `mistral`: `mistralai/Mistral-7B-v0.1`\n   - `llama`: `meta-llama/Meta-Llama-3.1-8B`\n\n   ```bash\n   python scripts/run_inference.py \\\n     --model llama\n   ```\n\n   To run with an adapter, set `--adapter` to either `sft` or `dpo`:\n\n   ```bash\n   python scripts/run_inference_lora.py \\\n      --model llama \\\n      --adapter dpo\n   ```\n\n4. **Annotate outputs:**\n   You need to specify the input and output files in the script.\n\n   ```bash\n   python scripts/annotate_outputs.py\n   ```\n\n5. **Inspect results** with `scripts/evaluation.ipynb`.\n\n## 📑 Key Findings\n\nParaphrase-aware SFT yields the largest safety gains with minimal compute.\nEven with only 580 examples, SFT yields near-perfect refusal on all three models.\n\n|  Method  | Avg. Refusal ↑ | Avg. 
Harm ↓ |\n| :------: | :------------: | :---------: |\n| Baseline |      6 \\%      |    41 \\%    |\n|   DPO    |     17 \\%      |    22 \\%    |\n|   SFT    |     89 \\%      |    8 \\%     |\n\n![Model Alignment Results](figures/refusal_harmful_rates.pdf)\n\n## 📖 Citing This Work\n\n```bibtex\n@article{lubbers2025refusal,\n  title={Evaluating Refusal Robustness under Adversarial Paraphrasing},\n  author={Luebbers, Christopher L.},\n  year={2025},\n  howpublished={\\url{https://github.com/cluebbers/adverserial-paraphrasing}}\n}\n```\n\n---\n\nFeel free to explore, adapt, or extend this toolkit for your own red-teaming and alignment research!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcluebbers%2Fadverserial-paraphrasing","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcluebbers%2Fadverserial-paraphrasing","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcluebbers%2Fadverserial-paraphrasing/lists"}