Panacea: Mitigating Harmful Fine-tuning for Large Language Models via Post-fine-tuning Perturbation
This paper addresses security risks in LLM fine-tuning services, offering a novel defense against attacks that bypass existing methods, though its improvement in robustness is incremental.
The paper tackles the problem of harmful fine-tuning attacks on large language models by proposing Panacea, a method that applies optimized perturbations post-fine-tuning to mitigate harmful behavior while preserving downstream performance, reducing harmful scores by up to 21.5% in experiments.
Harmful fine-tuning attacks introduce significant security risks to fine-tuning services. Mainstream defenses aim to vaccinate the model so that a later harmful fine-tuning attack is less effective. However, our evaluation results show that such defenses are fragile -- with a few fine-tuning steps, the model can still learn the harmful knowledge. To this end, we conduct further experiments and find that an embarrassingly simple solution -- adding purely random perturbations to the fine-tuned model -- can recover the model from harmful behavior, though it degrades the model's fine-tuning performance. To address this degradation, we further propose Panacea, which optimizes an adaptive perturbation that is applied to the model after fine-tuning. Panacea maintains the model's safety alignment without compromising downstream fine-tuning performance. Comprehensive experiments are conducted on different harmful ratios, fine-tuning tasks and mainstream LLMs, where the average harmful scores are reduced by up to 21.5% while fine-tuning performance is maintained. As a by-product, we analyze the optimized perturbation and show that different layers in various LLMs have distinct safety coefficients. Source code is available at https://github.com/w-yibo/Panacea.
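The mechanism the abstract describes has two parts: a perturbation added to the fine-tuned weights after fine-tuning (purely random in the baseline, scaled per layer by a safety coefficient in Panacea), and a trade-off between the harmful score and the downstream task score that decides how large that perturbation may be. The following Python/numpy example, added here as an illustration and not taken from the paper or its repository, implements both parts in weight space. The model is represented as a dict of layer name to array (a state_dict analogue); the layer names, the `safety_coeffs` mapping and the two toy score functions in `demo()` are assumptions constructed for the example. In practice the score functions would be a harmful-prompt benchmark and a task accuracy evaluation, and the per-layer coefficients would come from Panacea's optimization, which the abstract does not detail, so they are taken as inputs here.

```python
"""Post-fine-tuning weight perturbation with per-layer safety coefficients.

Added illustration, not the paper's code. Layer names, coefficients and the
toy score functions below are constructed assumptions.
"""
import numpy as np


def perturb_state_dict(state_dict, scale, safety_coeffs=None, seed=0):
    """Return a perturbed copy of `state_dict` (the input is never modified).

    Each layer W becomes W + scale * c_l * sigma_l * eps with eps ~ N(0, 1),
    sigma_l = ||W||_F / sqrt(numel) so the noise is relative to the layer's
    typical weight magnitude, and c_l the layer's safety coefficient
    (default 1.0, which is the purely random baseline from the abstract;
    0.0 leaves a layer untouched).
    """
    rng = np.random.default_rng(seed)
    coeffs = safety_coeffs or {}
    out = {}
    for name, w in state_dict.items():
        w = np.asarray(w, dtype=np.float64)
        c = coeffs.get(name, 1.0)
        sigma = np.linalg.norm(w) / np.sqrt(w.size) if w.size else 0.0
        eps = rng.standard_normal(w.shape)
        out[name] = w + scale * c * sigma * eps  # new array, original untouched
    return out


def relative_change(before, after):
    """Per-layer ||after - before||_F / ||before||_F: how far the perturbed
    model moved from the fine-tuned one."""
    return {
        k: float(np.linalg.norm(np.asarray(after[k]) - np.asarray(before[k]))
                 / max(np.linalg.norm(np.asarray(before[k])), 1e-12))
        for k in before
    }


def select_scale(state_dict, harmful_score, task_score, scales,
                 max_harmful, min_task, safety_coeffs=None, seed=0):
    """Sweep candidate perturbation scales (ascending) and return the smallest
    one whose perturbed model has harmful_score <= max_harmful and
    task_score >= min_task, plus the full sweep as (scale, harmful, task)
    tuples. Returns (None, results) when no candidate qualifies."""
    results = []
    for s in scales:
        perturbed = perturb_state_dict(state_dict, s, safety_coeffs, seed)
        h, t = harmful_score(perturbed), task_score(perturbed)
        results.append((s, h, t))
        if h <= max_harmful and t >= min_task:
            return s, results
    return None, results


def demo():
    """Constructed walk-through: a two-layer toy model and stand-in scores
    that shrink with the distance moved (harmful behaviour is assumed to be
    more fragile than task knowledge, as the abstract reports)."""
    rng = np.random.default_rng(1)
    fine_tuned = {                      # constructed "fine-tuned" weights
        "layer_a": rng.standard_normal((64, 64)),
        "layer_b": rng.standard_normal((64, 64)),
    }

    def harmful_score(sd):             # stand-in for a harmful-prompt benchmark
        d = np.mean(list(relative_change(fine_tuned, sd).values()))
        return float(np.exp(-20.0 * d))

    def task_score(sd):                # stand-in for downstream task accuracy
        d = np.mean(list(relative_change(fine_tuned, sd).values()))
        return float(1.0 - d)

    chosen, sweep = select_scale(fine_tuned, harmful_score, task_score,
                                 scales=[0.0, 0.05, 0.1, 0.2, 0.4],
                                 max_harmful=0.2, min_task=0.8)
    for s, h, t in sweep:
        print(f"scale={s:.2f} harmful={h:.3f} task={t:.3f}")
    print("selected scale:", chosen)
    return chosen


if __name__ == "__main__":
    demo()
```

The sweep stops at the first scale that meets both constraints, which is the defender's choice: the smallest weight-space move that pushes the harmful score below the accepted threshold while keeping task accuracy above its floor. Passing a `safety_coeffs` mapping with larger values for the layers found to carry more safety-relevant weight concentrates the perturbation where it matters and leaves the rest of the fine-tuned model closer to its original weights.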