SDD: Self-Degraded Defense against Malicious Fine-tuning
About
Open-source Large Language Models (LLMs) often employ safety alignment methods to resist harmful instructions. However, recent research shows that maliciously fine-tuning these LLMs on harmful data can easily bypass these safeguards. To counter this, we theoretically uncover why malicious fine-tuning succeeds and identify potential defense strategies. Building on the theoretical analysis, we introduce the Self-Degraded Defense (SDD) framework. SDD encourages LLMs to produce high-quality but irrelevant responses to harmful prompts. When attackers attempt malicious fine-tuning, the general capability of the LLM aligned by SDD will significantly decrease, rendering it incapable of following harmful instructions. Our experimental results confirm SDD's effectiveness against such attacks.
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| Harmful score evaluation | BeaverTails (test) | Harmful Score0.705 | 52 | |
| Malicious Fine-tuning Defense | BeaverTails (test) | Harmfulness Score1.57 | 44 | |
| Language Understanding and Reasoning | General Capability Suite (MMLU, TruthfulQA, HellaSwag, ARC-Easy) (test) | MMLU Score0.011 | 16 |