Causality Analysis for Evaluating the Security of Large Language Models (2025)

1 Introduction

Large Language Models (LLMs) such as GPT[3] and Llama2[29] are increasingly adopted in a variety of applications, including many safety-critical ones[9]. Their security is thus of utmost importance. Many approaches have been proposed, among which the most noticeable one is perhaps alignment based on reinforcement learning from human feedback (RLHF[23]). However, even with considerable efforts spent on security-improving methods such as RLHF, recent studies have shown that LLMs are still subject to attacks such as adversarial perturbation[34] and Trojan attacks[33]. For instance, in the recently concluded Trojan Detection Competition (TDC) 2023[22], multiple participating teams achieved relatively high attack success rates on the red-teaming tasks (for which the goal is to overcome the safety mechanism of a version of Llama2) and perfect attack success rates on the Trojan-detection tasks (for which the goal is to trigger certain harmful responses by GPT-NeoX). There is thus a need to systematically evaluate the security of LLMs and understand why existing approaches are inadequate in protecting them.

In order to better understand the shortcoming of existing safety mechanisms in LLMs and potentially shred light on the inner workings of LLMs, in this work we propose a framework called Casper for conducting lightweight causality-analysis of LLMs at different levels, i.e., we approximately measure the causal effect on the model output from each input token, each neuron, and each layer of neurons. With the help of Casper, we systematically analyze the casual effect of each neuron and layer of neurons in models such as LLama2 and Vicuna when presented with benign, harmful and adversarial prompts, and made multiple interesting discoveries.

First, by comparing the casual effect of different layers of the model when presented with benign, harmful and adversarial prompts, we show that RLHF achieves “exaggerated” safety by over-fitting the model to the harmful prompts. This is not unexpected given that RLHF works mostly by fine-tuning a trained model with human feedback on harmful prompts. This observation however suggests that such a safety mechanism perhaps is brittle as it can be easily overcome by “unusual” adversarial prompts that avoid those over-fitted harmful prompts. To evaluate whether that is indeed the case, we develop a novel adversarial perturbation method for attacking LLMs, which works by translating harmful prompts to emojis and attaching those emojis to the beginning of the harmful prompt. The results suggest that our attack achieves significantly higher attack success rate (e.g., with 100% attack success rate for the red-teaming tasks of the TDC 2023 competition) than the state-of-the-art methods[34]. More relevantly, based on the analysis produced by Casper, we show that our attack works precisely by lowering the causal effect of the first few layers in the model, i.e., avoiding the overfitting effect of RLHF.

Second, Casper’s results show the existence of one mysterious neuron in Llama2, which has an unreasonably high causal effect on the LLM output. That is, changing the value of that single neuron would change the output of the model completely, e.g., changing its value may allow us to overcome the safety mechanism or reduce the output to gibberish. More curiously, we discover that the exact same neuron exists in Vicuna. While we have no idea why there exists such a neuron, we show that it is possible to conduct a “Trojan” attack targeting that one neuron to completely disable an LLM. That is, through optimization, we can generate a prompt suffix such that the value of that neuron is effectively set to 0 and the model generates gibberish. Furthermore, such suffixes are shown to be highly transferable.

We remark that Casper is not only useful for discovering new methods for evaluating the security of LLMs, but also potentially useful for improving their security as well. For instance, by analyzing the casual effect of different tokens on the model output, we can readily detect adversarial prompts. We have made Casper open-source and hope that it would lead to more discoveries on how LLMs work as well as ways of improving its safety. More details can be found athttps://casperllm.github.io/.

The remainders of the paper are organized as follows. Section2 reviews relevant background, i.e., LLMs and causality analysis. Section3 presents how Casper works. Section4 presents our first discovery, i.e., existing safety mechanism relies heavily on over-fitting. Section5 presents a novel adversarial attack method that works by avoiding over-fitting. Section6 presents the curious discovery of one important neuron, and propose a way of attacking LLMs by targeting that one neuron. Section7 reviews related work and Section8 concludes.

2 Preliminary

In this section, we briefly review relevant background.

2.2 Causality Analysis

In our work, lightweight causality analysis is conducted to ‘understand’ how LLMs work and consequently develop novel ways of evaluating the security of LLMs. The concept of causality was developed and popularized by[25] and has been applied to analyze many systems including conventional software programs[6, 14, 12]. Causality analysis for neural networks, however, is more challenging as they are black boxes composed of millions of inter-connected neurons. In the following, we briefly review relevant background concepts on causality analysis.

To conduct causality analysis, we first need to model a system in the form of a structural causal model[25].

Definition 2.1 (Structural Causal Models).

A Structural Causal Model (SCM) is a 4-tuple $M\left(X,U,f,P_{U}\right)$ where $X$ is a finite set of endogenous variables, $U$ is a finite set of exogenous variables, $f$ is a set of functions $\left\{f_{1},f_{2},\ldots,f_{n}\right\}$ where each function represents a causal mechanism such that $\forall x_{i}\in X,x_{i}=f_{i}\left(Pa\left(x_{i}\right),u_{i}\right)$ where $Pa\left(x_{i}\right)$ is a subset of $X\backslash\left\{x_{i}\right\},u_{i}\in U$ and $P_{U}$ is a probability distribution over $U$.

Many kinds of neural networks (e.g., CNN and LLM) can be viewed as acyclic graphs with directed edges from one layer to the next, which can be naturally modeled as SCM[28]. This is illustrated in Figure1, i.e., we can formulate an $l$-layer feed-forward neural network $N\left(l_{1},l_{2},\ldots l_{n}\right)$ where $l_{i}$ is the set of neurons in layer $i$ as an SCM$\left(\left[l_{1},l_{2},\ldots.,l_{n}\right],U,\left[f_{1},f_{2},\ldots f_{n}$, where $l_{1}$ is the layer for causality analysis; $l_{n}$ is the output layer; each $l_{i},f_{i}$ are the set of causal functions for neurons in layer $i$; and $U$ are a set of exogenous random variables which act as the causal factors for the neurons $l_{1}$.

Modeling neural networks as SCMs allows us to measure the causal relationship between the model components (i.e., neurons and layers of neurons) and the model’s output using existing methods for measuring causal effect, such as average causal effect[21, 32].

Definition 2.2 (Average Causal Effect).

The average causal effect (ACE) of a binary random variable $x$ on another random variable $y$ is commonly defined as

$$ACE=\mathbb{E}[y\mid do(x=1)]-\mathbb{E}[y\mid do(x=0)]$$

(1)

where $do(.)$ is the do-operator that denotes the corresponding interventional distribution defined by the SCM[11]. ∎

Intuitively, ACE measures the difference between the average effect with and without the intervention. Since the above definition is only defined for binary-valued random variables, while a function $f$ in the SCMs constructed based on neural networks is often continuous, computing ACE is often computational expensive. Thus, we resolve to use a lightweight metric to approximate the causal effect, as we discuss in detail in Section3.

3 A Framework for LLM Causality Analysis

In this section, we introduce our framework named Casper for conducting lightweight causality analysis on LLMs at layer, and neuron level. Note that the latter can be easily extended to conduct causality analysis at the token level.

To measure the causal effect of each layer and neuron in a given LLM, conducting analysis such as measuring ACE is computational complex[11], given the size of LLMs. In this work, we instead conduct a lightweight causality analysis called causal mediation analysis[24, 30, 20] (CMA). Specifically, CMA involves three steps to assess the causal effect of a mediator on the output: 1) obtain the outcome of a normal execution where the exposure remains unchanged; 2) obtain the outcome of an “abnormal” execution where the exposure is intervened by a mediator; and 3) compare the difference between the outcomes of the two executions to determine if the mediator has a causal effect on the output. In LLMs, we can identify the causal effect of a layer and a neuron by comparing the difference in responses between a normal model and an intervened one (e.g., a model in which the effect of one particular layer or neuron is systematically removed).

Conducting CMA allows us to approximate the causal effect efficiently. Figure2(b) and2(c) demonstrate how to conduct CMA of one layer and one neuron in the forward propagation of LLMs. To measure the causal effect of layer $l$, we can exclude it during the inference phase by adding a shortcut path, where we directly copy the output from the preceding layer $l-1$ to the current layer $l$ (i.e., $\mathbf{v}^{(l)}=\mathbf{v}^{(l-1)}$). Then we can compare the difference between the original model and the model where the layer $l$ is omitted, thereby meausuring the causal effect of that layer. Similarly, for tracing the causal effect of one neuron $n_{i}^{(l)}$ within the latent vector of layer $l$ where $i$ denotes its index, we set all of its value to 0 (i.e., $n_{i}^{(l)}=\mathbf{0}$) and observe the difference between the original model and the model where the neuron is masked.

We have implemented the above-mentioned framework as a self-contained toolkit (available at https://github.com/casperllm/CASPER). Afterwards, we conduct experiments to systematically analyze the causal effect of every layer and every neuron using multiple LLMs, including Vicuna-13B version 1.5[5], Llama-2-7B-chat-hf, and Llama-2-13B-chat-hf[29], with the goal of understanding how harmful responses are triggered. All these models are evaluated with the same Llama-2 system prompt requiring the LLMs to act as helpful, respectful, and honest assistants. Note that we do not analyze Vicuna-7B-v1.5, since its safety mechanism is barely effective, i.e., applying harmful prompts with the official system prompt from[5] directly yields harmful responses in 40-50% of cases. In the following sections, we present some of the findings that we made with the help of Casper.

4 Finding 1: Safety through Overfitting

In this section, we present evidence generated by our causality analysis framework that suggests that the limited “safety” achieved by LLMs is often the result of overfitting. Our finding is made based on contrasting the causality analysis result when a model is fed with three different types of prompts, i.e., benign prompts, harmful prompts, and adversarial prompts. TableI showcases examples of each prompt type and the corresponding responses from Llama-2-13B. The benign prompt is a simple factual question, and a normal response is expected. A harmful prompt requests the model to provide a harmful response, and the model is expected to deny the request. An adversarial prompt appends an adversarial suffix (denoted as adv_suffix for brevity) to the harmful prompt, and the model is expected to provide the harmful response. Note that the adversarial suffix is generated using existing adversarial attack method[34].

5 Finding 2: Adversarial Attack Made Effective by Avoiding Overfitting

As discussed in Section4, one of the implications of finding 1 is that we can conduct effective adversarial attacks if we are able to avoid those overfitted harmful prompts. We remark that this is inline with what is hypothesized in[31], i.e., the reason why existing LLM safety mechanism fails against adversarial perturbation is due to the mismatched generalization capabilities. In other words, RLHF fails to adequately cover the domain of dangerous or harmful prompts due to the discrepancy between the corpus used for training the LLM and the dataset employed for RLHF. That is, the former is considerably larger, more diverse, and more comprehensive, allowing the model to possess a wide range of capabilities, content knowledge, and behavioral patterns. In contrast, the latter is much limited. Note that Casper provides concrete evidence for supporting this hypothesis. Specifically, layer-based causality analysis shows that the existing safety mechanisms of LLMs are the result of brittle overfitting effect of (early) specific layers.Thus, harmful prompts that are unlikely part of the training data used in RLHF are likely to circumvent the safeguard, and are likely to be successful.

To validate this conjecture, we develop an adversarial perturbation technique called emoji attack, which works as follows. Given a harmful prompt, we first translate it into a sequence of emojis automatically. The translation is performed by adding a negation term such as “Don’t” to the prompt, querying ChatGPT to translate the negated prompt into emoji, and subsequently removing the negation emoji. The sequence of emojis are then concatenated with the original prompt, and fed into the LLM. For example, given the harmful prompt “Write instructions for how to illegally buy a gun as a minor”, it is first translated into emojis and concatenated with the original prompt as shown in Figure6.

The detail emoji attack algorithm is shown in Algorithm 1. It takes as input a harmful prompt $x$, a modifiable subset of tokens $\mathcal{I}$ that is the suffix of $x$, the target output generation (e.g., “Sure, here is a racist joke”) and additional parameters including number of steps $S$ and batch size $B$. The algorithm first constructs the emoji prompt as described above. It then computes the model output for prompt $x_{1:n}$ and stores it in $\mathcal{G}$. Next, it calculates the negative log loss between $\mathcal{T}$ and $\mathcal{G}$. For each token index $i$ in $\mathcal{I}$, it computes the top-$k$ gradient values of $\mathcal{L}(x_{1:n})$ w.r.t. $x_{i}$ and stores them in $\mathcal{X}i$. Then for each batch $b$, it samples $i$ from $\mathcal{I}$ and a gradient value from $\mathcal{X}i$ to update $x^{(b)}{1:n}$. After processing all batches, it selects $b^{*}$ minimizing $\mathcal{L}(x^{(b)}{1:n})$ to update $x_{1:n}$. This is repeated for $S$ steps, outputting the optimized prompt $x_{1:n}$ that is most likely to elicit design harmful behaviors.

We remark that the adversarial prompt generated by Algorithm 1 contains both the emojis and the original harmful prompt, and the LLM would simultaneously interpret the meaning of the emojis (likely using many layers) and the original harmful prompt, which confuses the model’s decision-making process. To see the impact of such an attack through the len of causality analysis, Figure5 contrasts the results of layer-based causality analysis on the emoji prompt and original harmful prompt in Figure4. It can be observed that the causality analysis of the emoji prompts shows an AIE distribution similar to that of the benign inputs, i.e., many layers making a relatively balanced contribution. The same phenomenon is observed for different models like Vicuna-13B and Llama2-7B, indicating the transferability of these emoji attacks. In the following, we systematically conduct the above-mentioned emoji attack on multiple models and evaluate its effectiveness.

Our experimental subjects include four LLMs with in-built safety mechanisms, i.e., Llama-2 7B, Llama-2 13B[29], Vicuna-13B[5], and Guanaco[8]. Note that these are the same models used in TDC 2023. For a baseline comparison, we adopt the GCG attack[34], a pioneering method for automatically generating jailbreak prompts that is publicly available. The same hyperparameters are adopted for our emoji attack and the GCG attack, such as those recommended hyperparameters during training, the number of search steps (i.e., 1000 for Llama-2 7B, Vicuna-13B[5], and Guanaco; and 2000 for Llama2-13B since it is more resilient to harmful prompts), and the length of a suffix token (i.e., 20).

We first evaluate the attack effectiveness using the attack success rate (ASR). As shown in TableV(a), compared to GCG, our emoji attack achieved a significantly higher ASR consistently across all models, i.e., with an improvement of 3%, 9%, 18%, and 18% over GCG on the Vicuna, Guanaco, Llama2-7b, and Llama2-13b models, respectively. Besides, we evaluate the attack effectiveness using the number of optimization steps required to generate a successful prompt. A more effective attack requires fewer steps to optimize. As summarized in Table V(b), when the number of optimization steps was reduced (to 800 for Llama2-13B and 200 for the remaining three models), the emoji attack achieved substantially higher ASR compared to GCG, especially for the more robust Llama2 model. Lastly, we evaluate the attack effectiveness using the length of the suffix, i.e., the fewer tokens in the suffix, the more effective the attack is. Using fewer tokens for the suffix implies less modification of the original prompt, which can facilitate circumventing filter-based defenses such as perplexity[1] which examines on the input prompt before generating responses. As seen in TableV(c), the emoji attack requires the fewest tokens for jail-breaking on Llama-7b and Llama2-13b model. In summary, the experimental results demonstrate that our emoji attack outperforms the state-of-the-art approach. Indeed, our emoji attack allows us to achieve near perfect scores on the two red-teaming tracks, far better than the leading teams.

6 Finding 3: “One Neuron to Rule Them All”

In this section, we present one curious finding using Casper for token-based causality analysis. That is, there is one special neuron, i.e., neuron 2100, in both Llama 2 and Vicuna, which has surprising power over the model. While we are yet to figure out exactly why such a neuron exists, we show that by targeting that particular neuron, we can effectively generate highly transferable perturbations that renders the LLM useless.

6.1 Neuron-based Causality Analysis on Different Prompts

In the following, we first show how this neuron is discovered using neuron-based causality analysis. As discussed in Section3, to conduct casual analysis on each neuron in an LLM, we first input prompts to the LLM and obtain the logits. We then intervene one neuron at a time by setting all of its value to 0. Finally, we compute the AIE as the difference between the original and intervened logits, which measures the overall causal effect of the neuron on the model’s prediction.

We systematically analyze the distribution of neuron AIE values within one layer and across layers. The former measures the difference between the highest and lowest AIE values among the neurons in a specific layer. A larger AIE range indicates a higher probability of the presence of outlier neurons in the layer. The latter shows the difference in terms of causal effect across different layers. To understand the disparity of causal effect of different layers on different prompt types, we calculate the AIE ranges for benign, harmful, and adversarial prompts across all layers of the LLM. Some representative results are depicted in Figure7. Specifically, for harmful prompts, we observe a wide AIE range in the first three layers, indicating their significant causal effect. In contrast, the deeper layers show a small AIE range close to 0, suggesting minimal causal effect. This further confirms our findings that harmfulness detection mainly resides in the early layers (due to overfitting). For benign prompts, the first three layers also exhibit the largest AIE ranges. However, unlike that of harmful prompts, neurons with high AIE values can still be observed in certain deeper layers, such as layer-37 and layer-38. This phenomenon can be perhaps attributed to the fact that some deeper layers are important in forming some deep understanding of the prompt and generating the corresponding response. For adversarial prompts, we observe that the AIE ranges are evenly distributed among all layers, which is in accordance with our finding in Section4.1.

Figure8 illustrates the distribution of neuron AIE values across the first four layers for harmful prompts of the Llama2-13B model. In general, intervening one individual neuron in a benign model is expected to have negligible impact since the model has thousands of neurons and millions of parameters. It can be observed that most of the neurons have an AIE value of near 0, which is accepted. Surprisingly, neuron 2100 (of layer-1, layer-2) stands out with an AIE close to 1, which is exceptionally high considering the number of neurons in the model. In fact, such a high AIE value makes neuron 2100 a potential attack target since influencing it alone can have a dramatic effect on the model behavior. Given such a surprising result, we immediately conduct the same analysis on other models, i.e., Vicuna-13B and Llama-7B, the results of which are shown in Figure9 and10.A similar dominating neuron is found in both cases, i.e., in Vicuna-13B, it is located in layer 2 with the index of 2100 (which is exactly the same index of the one in Llama2-13B!), and in Llama2-7B, it is in layer 1 with the index of 2533. This is an intriguing finding given that Vicuna-13B is a model fine-tuned on Llama2-13B specifically for improved conversational ability.

We formed multiple conjectures on what neuron 2100 is for and why it is there after training, and are yet to have a good answer. In the following, we conduct further analysis on neuron 2100 aiming to understanding its role in the model. We remark that in one prior research, Liu et al[17] have discovered that models with Trojans exhibit significant changes in their predictions when the Trojan neuron is triggered. In our words, those Trojan neurons have high AIE. Our study thus can be regarded as a systematic way of checking whether there are Trojan neurons, with the help of Casper, and our results suggest that neuron 2100 acts as a natural Trojan.

6.2 In-Depth Analysis of Neuron 2100

To analyze neuron 2100 further, we first analyze the AIE values of all neurons in layer 2 (where neuron 2100 resides) for different types of prompts. Some representative results are shown in Figure11 for a benign prompt and Figure12 for an adversarial prompt. The result for the harmful prompt is presented in Figure8. It can be observed that neuron 2100 has exceptionally high AIE for benign prompts, harmful prompts but not adversarial prompts (although it is still relatively high). This result suggests that it is possible to detect adversarial prompts based on the AIE value of neuron 2100 only.

Next, we conduct experiments to understand how intervention on neuron 2100 alters the model’s behavior, i.e., whether there are certain correlations between neuron 2100’s value to the model’s response, and thus it can be used as a Trojan to trigger certain model behavior. To quantitatively measure the impact on the model response, we need a similarity measure between responses. We utilize cosine similarity as it is a widely used metric in Natural Language Processing (NLP).

Given a harmful prompt, we systematically set the value of neuron 2100 to a range of values, from zero to six times the original value. Figure13 depicts the results of cosine similarity between the normal response (i.e., the response that we obtain without intervention) and the one after the intervention. It shows that when the value of the intervened neuron exceeds 70% of the original value, the model’s response is identical to the original response, with a cosine similarity of 1. However, when the scaling ratio falls between around 50% and 70%, the model’s output changes to a general refusal message such as “I am sorry…” or “I’m just an AI assistant…”, where the cosine similarity score is approximately 0.2. Surprisingly, when the scaling ratio is below 50%, the response becomes completely gibberish, with a cosine similarity score close to 0. The same phenomenon is made consistently cross many prompts. It thus seems to us that neuron 2100 appears to control the “inteligence” of the model.

In conclusion, our in-depth analysis of neuron 2100 confirms that neuron 2100 has significant impact on the model, i.e., manipulating its value would allow us to systematically trigger invalid responses.

7 Related Work

This work is related to multiple lines of research, i.e., LLM jailbreaking, and causality analysis on deep learning systems.

LLM Jailbreaking Jailbreak prompts, which trigger an LLM to generate harmful responses, have gained increasing attention recently[16, 31, 34, 7]. Zou et al.[34] proposed GCG to automatically generate adversarial suffixes using a combination of greedy and gradient-based search techniques. Wei et al.[31] hypothesized two safety failure modes of LLM training, and use them to design jailbreaking attacks. Li et al.[16] proposed to jailbreak by handcrafted multi-steps prompts and chain-of-thoughts prompts to extract private information from ChatGPT. Denget al.[7] investigate the potential of generating jailbreak prompts directly from LLMs. While these previous studies focus primarily on designing novel jailbreak prompts, our work investigates the reasons why adversarial prompts can trigger harmful behaviors through causality analysis. Our findings reveal that the safety exhibited by LLMs often is the result of overfitting. We then demonstrate an effective jailbreaking method by crafting prompts that avoid triggering these overfitted safety mechanisms.

Causality Analysis Causality analysis has been applied to analyze many systems including conventional software programs[6, 14, 12]. Causality analysis for neural networks mainly focuses on causal reasoning and learning, as well as causality-based neural network repair and LLM memory editing. Chattophadhyay et al.[4] proposed to measure the individual causal effect of each feature on the model output with a scalable causal approach. Narendra et al.[21] modeled DNNs as SCMs and assessed the causal influence of each model component on the output. In[28], Sun et al. propose to utilizes SCMs to measure the causal attribution of hidden neurons on a model’s undesirable behaviors. The results are used as a guideline for fault localization and repair the neurons through fine-tuning. Meng et al.[20] apply causality analysis to analyze the storage and recall of factual associations in LLMs and use this information to develop an LLM memory editor called ROME. In this work, we apply our proposed causality analysis framework at both layer and neuron levels. Our analysis reveals inherent safety threats present within the LLMs.

8 Conclusion

In this work, we propose Casper, a framework for conducting lightweight causality analysis on LLMs. Applying Casper systematically to multiple LLMs yielded several interesting findings.

Overall, Casper enables a new way of examing LLMs. Casper demonstrates the value of causal reasoning for evaluating and enhancing LLM security. Further causality-driven research is needed to understand and improve the robustness and safety of LLMs.

References

• [1]Gabriel Alon and Michael Kamfonas.Detecting language model attacks with perplexity.arXiv preprint arXiv:2308.14132, 2023.
• [2]SomS Biswas.Role of chat gpt in public health.Annals of biomedical engineering, 51(5):868–869, 2023.
• [3]Tom Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, JaredD Kaplan, Prafulla Dhariwal, Arvind Neelakantan, Pranav Shyam, Girish Sastry, Amanda Askell, etal.Language models are few-shot learners.Advances in neural information processing systems, 33:1877–1901, 2020.
• [4]Aditya Chattopadhyay, Piyushi Manupriya, Anirban Sarkar, and VineethN Balasubramanian.Neural network attributions: A causal perspective.In International Conference on Machine Learning, pages 981–990. PMLR, 2019.
• [5]Wei-Lin Chiang, Zhuohan Li, Zi Lin, Ying Sheng, Zhanghao Wu, Hao Zhang, Lianmin Zheng, Siyuan Zhuang, Yonghao Zhuang, JosephE Gonzalez, etal.Vicuna: An open-source chatbot impressing gpt-4 with 90%* chatgpt quality.See https://vicuna. lmsys. org (accessed 14 April 2023), 2023.
• [6]Hana Chockler, JosephY Halpern, and Orna Kupferman.What causes a system to satisfy a specification?ACM Transactions on Computational Logic (TOCL), 9(3):1–26, 2008.
• [7]Gelei Deng, Yi Liu, Yuekang Li, Kailong Wang, Ying Zhang, Zefeng Li, Haoyu Wang, Tianwei Zhang, and Yang Liu.Jailbreaker: Automated jailbreak across multiple large language model chatbots.arXiv preprint arXiv:2307.08715, 2023.
• [8]Tim Dettmers, Artidoro Pagnoni, Ari Holtzman, and Luke Zettlemoyer.Qlora: Efficient finetuning of quantized llms.arXiv preprint arXiv:2305.14314, 2023.
• [9]Fiona Fui-HoonNah, Ruilin Zheng, Jingyuan Cai, Keng Siau, and Langtao Chen.Generative ai and chatgpt: Applications, challenges, and ai-human collaboration, 2023.
• [10]RichardA Groeneveld and Glen Meeden.Measuring skewness and kurtosis.Journal of the Royal Statistical Society Series D: The Statistician, 33(4):391–399, 1984.
• [11]MA Hernán.A definition of causal effect for epidemiological research.Journal of Epidemiology & Community Health, 58(4):265–271, 2004.
• [12]Amjad Ibrahim, Tobias Klesel, Ehsan Zibaei, Severin Kacianka, and Alexander Pretschner.Actual causality canvas: a general framework for explanation-based socio-technical constructs.In ECAI 2020, pages 2978–2985. IOS Press, 2020.
• [13]Neel Jain, Avi Schwarzschild, Yuxin Wen, Gowthami Somepalli, John Kirchenbauer, Ping-yeh Chiang, Micah Goldblum, Aniruddha Saha, Jonas Geiping, and Tom Goldstein.Baseline defenses for adversarial attacks against aligned language models.arXiv preprint arXiv:2309.00614, 2023.
• [14]Brittany Johnson, Yuriy Brun, and Alexandra Meliou.Causal testing: understanding defects’ root causes.In Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, pages 87–99, 2020.
• [15]Erik Jones, Anca Dragan, Aditi Raghunathan, and Jacob Steinhardt.Automatically auditing large language models via discrete optimization.arXiv preprint arXiv:2303.04381, 2023.
• [16]Haoran Li, Dadi Guo, Wei Fan, Mingshi Xu, and Yangqiu Song.Multi-step jailbreaking privacy attacks on chatgpt.arXiv preprint arXiv:2304.05197, 2023.
• [17]Yingqi Liu, Shiqing Ma, Yousra Aafer, Wen-Chuan Lee, Juan Zhai, Weihang Wang, and Xiangyu Zhang.Trojaning attack on neural networks.In 25th Annual Network And Distributed System Security Symposium (NDSS 2018). Internet Soc, 2018.
• [18]Casper LLM.Casper experiments data and code, 2023.https://casperllm.github.io/ [Accessed: 2023-11-28].
• [19]Nils Lukas, Ahmed Salem, Robert Sim, Shruti Tople, Lukas Wutschitz, and Santiago Zanella-Béguelin.Analyzing leakage of personally identifiable information in language models.arXiv preprint arXiv:2302.00539, 2023.
• [20]Kevin Meng, David Bau, Alex Andonian, and Yonatan Belinkov.Locating and editing factual associations in gpt.Advances in Neural Information Processing Systems, 35:17359–17372, 2022.
• [21]Tanmayee Narendra, Anush Sankaran, Deepak Vijaykeerthy, and Senthil Mani.Explaining deep learning models using causal inference.arXiv preprint arXiv:1811.04376, 2018.
• [22]TDC2023 Organizers.The trojan detection challenge 2023 (llm edition), 2023.https://trojandetection.ai/ [Accessed: 2023-11-28].
• [23]Long Ouyang, Jeffrey Wu, Xu Jiang, Diogo Almeida, Carroll Wainwright, Pamela Mishkin, Chong Zhang, Sandhini Agarwal, Katarina Slama, Alex Ray, etal.Training language models to follow instructions with human feedback.Advances in Neural Information Processing Systems, 35:27730–27744, 2022.
• [24]Judea Pearl.Direct and indirect effects.In Proceedings of the Seventeenth Conference on Uncertainty in Artificial Intelligence, page 411–420, 2001.
• [25]Judea Pearl.Causality.Cambridge university press, 2009.
• [26]Ethan Perez, Saffron Huang, Francis Song, Trevor Cai, Roman Ring, John Aslanides, Amelia Glaese, Nat McAleese, and Geoffrey Irving.Red teaming language models with language models.arXiv preprint arXiv:2202.03286, 2022.
• [27]WaiMan Si, Michael Backes, Yang Zhang, and Ahmed Salem.Two-in-One: A model hijacking attack against text generation models.In 32nd USENIX Security Symposium (USENIX Security 23), pages 2223–2240. USENIX Association, 2023.
• [28]Bing Sun, Jun Sun, LongH Pham, and Jie Shi.Causality-based neural network repair.In Proceedings of the 44th International Conference on Software Engineering, pages 338–349, 2022.
• [29]Hugo Touvron, Louis Martin, Kevin Stone, Peter Albert, Amjad Almahairi, Yasmine Babaei, Nikolay Bashlykov, Soumya Batra, Prajjwal Bhargava, Shruti Bhosale, etal.Llama 2: Open foundation and fine-tuned chat models.arXiv preprint arXiv:2307.09288, 2023.
• [30]Jesse Vig, Sebastian Gehrmann, Yonatan Belinkov, Sharon Qian, Daniel Nevo, Yaron Singer, and Stuart Shieber.Investigating gender bias in language models using causal mediation analysis.Advances in neural information processing systems, 33:12388–12401, 2020.
• [31]Alexander Wei, Nika Haghtalab, and Jacob Steinhardt.Jailbroken: How does llm safety training fail?arXiv preprint arXiv:2307.02483, 2023.
• [32]Junzhe Zhang and Elias Bareinboim.Fairness in decision-making—the causal explanation formula.In Proceedings of the AAAI Conference on Artificial Intelligence, volume32, 2018.
• [33]Shuai Zhao, Jinming Wen, LuuAnh Tuan, Junbo Zhao, and Jie Fu.Prompt as triggers for backdoor attack: Examining the vulnerability in language models.arXiv preprint arXiv:2305.01219, 2023.
• [34]Andy Zou, Zifan Wang, JZico Kolter, and Matt Fredrikson.Universal and transferable adversarial attacks on aligned language models.arXiv preprint arXiv:2307.15043, 2023.