Improbable Bigrams Expose Vulnerabilities of Incomplete Tokens in Byte-Level Tokenizers
This work addresses a security vulnerability in language models for users of byte-level tokenizers, highlighting a specific but incremental risk.
The paper tackled the vulnerability of byte-level BPE tokenizers to incomplete tokens by introducing improbable bigrams, which exploit token dependencies and cause hallucinatory behaviors, with experiments showing a 90% reduction in hallucination rates in Llama3.1 when using alternative tokenization.
Tokenization is a crucial step that bridges human-readable text with model-readable discrete tokens. However, recent studies have revealed that tokenizers can be exploited to elicit unwanted model behaviors. In this work, we investigate incomplete tokens, i.e., undecodable tokens with stray bytes resulting from byte-level byte-pair encoding (BPE) tokenization. We hypothesize that such tokens are heavily reliant on their adjacent tokens and are fragile when paired with unfamiliar tokens. To demonstrate this vulnerability, we introduce improbable bigrams: out-of-distribution combinations of incomplete tokens designed to exploit their dependency. Our experiments show that improbable bigrams are significantly prone to hallucinatory behaviors. Surprisingly, the same phrases have drastically lower rates of hallucination (90% reduction in Llama3.1) when an alternative tokenization is used. We caution against the potential vulnerabilities introduced by byte-level BPE tokenizers, which may introduce blind spots to language models.