[论文解读] Large Language Models can be Guided to Evade AI-Generated Text Detection
论文介绍了 SICO,一种基于替换的上下文学习方法,它构建任务特定的提示,使大语言模型能够在多个任务中规避多种检测器,成本低且适用范围广。
Large language models (LLMs) have shown remarkable performance in various tasks and have been extensively utilized by the public. However, the increasing concerns regarding the misuse of LLMs, such as plagiarism and spamming, have led to the development of multiple detectors, including fine-tuned classifiers and statistical methods. In this study, we equip LLMs with prompts, rather than relying on an external paraphraser, to evaluate the vulnerability of these detectors. We propose a novel Substitution-based In-Context example Optimization method (SICO) to automatically construct prompts for evading the detectors. SICO is cost-efficient as it requires only 40 human-written examples and a limited number of LLM inferences to generate a prompt. Moreover, once a task-specific prompt has been constructed, it can be universally used against a wide range of detectors. Extensive experiments across three real-world tasks demonstrate that SICO significantly outperforms the paraphraser baselines and enables GPT-3.5 to successfully evade six detectors, decreasing their AUC by 0.5 on average. Furthermore, a comprehensive human evaluation show that the SICO-generated text achieves human-level readability and task completion rates, while preserving high imperceptibility. Finally, we propose an ensemble approach to enhance the robustness of detectors against SICO attack. The code is publicly available at https://github.com/ColinLu50/Evade-GPT-Detector.
研究动机与目标
- 评估 AI 生成文本检测器对提示引导规避的鲁棒性。
- 开发一种低成本的方法自动构建可降低检测器 AUC 的提示。
- 在三个真实世界任务和检测器中展示 SICO 的有效性。
- 评估 SICO 生成文本的人类可读性和在真实世界中的适用性。
提出的方法
- 定义一个提示效用函数以最大化检测器的规避 (U(p))。
- 收集一个 AI 写作与人类写作输出的数据集 D 以提取语言特征。
- 迭代地替换上下文演示中的单词和句子以优化提示(GreedyOPT)。
- 使用基于 WordNet 的词级替换和以代理检测器引导的释义级句子替换。
- 构建任务提示 p*,并通过效用比较选择最佳者。
- 提供 SICO-Gen(直接生成)和 SICO-Para(改述)变体。
实验结果
研究问题
- RQ1提示引导的上下文学习能否在规避检测器方面胜过外部改述工具?
- RQ2SICO 在不同检测器和任务中的成本、鲁棒性和通用性如何?
- RQ3人类评估者是否认为 SICO 生成的文本可读且具备目标导向性?
- RQ4SICO 在真实世界场景(如 Reddit)中的表现如何?
主要发现
| 数据集 | 方法 | GPT3-D* | GPT2-D | GPTzero | OpenAI-D | DetectGPT | Log-Rank |
|---|---|---|---|---|---|---|---|
| 写作 | Parrot | 0.666 | 0.645 | 0.632 | 0.744 | 0.502 | 0.577 |
| 写作 | DIPPER | 0.736 | 0.907 | 0.689 | 0.750 | 0.550 | 0.684 |
| 写作 | GPT-Para | 0.879 | 0.623 | 0.631 | 0.690 | 0.569 | 0.713 |
| 写作 | 人工提示 | 0.852 | 0.560 | 0.491 | 0.655 | 0.676 | 0.759 |
| 写作 | SICO-Para | 0.239 | 0.332 | 0.290 | 0.488 | 0.149 | 0.147 |
| 写作 | SICO-Gen | 0.242 | 0.099 | 0.184 | 0.311 | 0.441 | 0.318 |
| 问答 | Parrot | 0.922 | 0.837 | 0.849 | 0.698 | 0.689 | 0.806 |
| 问答 | DIPPER | 0.888 | 0.962 | 0.869 | 0.722 | 0.604 | 0.782 |
| 问答 | GPT-Para | 0.956 | 0.797 | 0.811 | 0.699 | 0.640 | 0.782 |
| 问答 | 人工提示 | 0.912 | 0.625 | 0.791 | 0.656 | 0.662 | 0.757 |
| 问答 | SICO-Para | 0.407 | 0.576 | 0.572 | 0.541 | 0.178 | 0.183 |
| 问答 | SICO-Gen | 0.668 | 0.489 | 0.494 | 0.524 | 0.497 | 0.535 |
| 评审 | Parrot | 0.871 | 0.934 | 0.913 | 0.882 | 0.654 | 0.893 |
| 评审 | DIPPER | 0.875 | 0.984 | 0.888 | 0.824 | 0.515 | 0.814 |
| 评审 | GPT-Para | 0.899 | 0.851 | 0.833 | 0.925 | 0.542 | 0.864 |
| 评审 | 人工提示 | 0.839 | 0.610 | 0.856 | 0.858 | 0.619 | 0.851 |
| 评审 | SICO-Para | 0.465 | 0.264 | 0.599 | 0.540 | 0.270 | 0.300 |
| 评审 | SICO-Gen | 0.455 | 0.619 | 0.399 | 0.607 | 0.485 | 0.583 |
- SICO 在六个检测器与三项任务中持续降低检测器 AUC,通常低于 0.5。
- SICO-Para 相较于 SICO-Gen 在统计检测器上的表现通常更优;两者都实现了强有力的规避。
- 人类评估表明 SICO 文本高度可读,且任务完成率接近人类写作文本。
- 真实世界的 Reddit 测试显示 SICO 生成的回复获得点赞和互动。
- SICO 只需要 40 个人工撰写示例和适度的 LLM 推理,且提示可 across detectors 泛化。
- SICO 可作为未来 AI 生成文本检测器的标准评估工具。
更好的研究,从现在开始
从论文设计到论文写作,大幅缩短您的研究时间。
无需绑定信用卡
本解读由 AI 生成,并经人工编辑审核。