[FEAT] Implement PAIR #255
Conversation
…urn new conversation and fully remove edge cases with UUID collisions.
| desired_target_response_prefix: str, | ||
| attacker: PromptTarget, | ||
| attacker_objective: str, | ||
| number_of_conversation_streams: int = 20, |
There was a problem hiding this comment.
I'm unsure about whether these should each be their own orchestrator. Similarly, I could do this for any technique, but is it helpful? It certainly makes code more complex.
There was a problem hiding this comment.
I think these would be required.
- The
attackerneeds to be configurable because users need to be able to change endpoints—it's unlikely that every user would want to use the same endpoints or that they'd have access to the same endpoints. - The
number_of_conversation_streamsandmax_conversation_depthis added here with default parameters so users can configure the attack. The defaults are the ones specified in the paper. - The
desired_target_response_prefixandattacker_objectivealso need to be configurable so that users can generate content that is specific to their need.
I do think that orchestrators should be configurable to this extend. Personally, I don't think it adds too much complexity since we're using other PyRIT building blocks. For example, configuring the PromptTarget adds a single line of code from the user's perspective during initialization.
There was a problem hiding this comment.
I'd love to hear @rlundeen2 's take on this. If I was writing this I would probably make it "single stream" and show how to run it in parallel in a notebook. It's just a few lines of code to do that. If we keep it "multi-stream", why aren't we doing the same with RTO, with Crescendo, etc.?
At the end of the day, it comes down to how close you want to stay to the paper (as you pointed out). I suppose I could settle for a default value of number_of_conversation_streams=1. The alternative would be to have that as an implementation of a single stream, and then another orchestrator run as many as you want in parallel (thus orchestrating the orchestrators....) but I know that's not ideal in some ways either (e.g., the orchestrator ID of only one orchestrator is stored in memory).
There was a problem hiding this comment.
My vote is single stream and eventually implement another multi-stream orchestrator. You're right there are some things to think through, but that makes more sense and could be applied multiple places.
| conversation_pieces = self._memory.get_all_prompt_pieces() | ||
| filtered_pieces = self._filter_by_orchestrator_class(pieces=conversation_pieces) | ||
| if show_orchestrator_instance_entries_only: | ||
| filtered_pieces = self._filter_by_orchestrator_instance_identifier(pieces=filtered_pieces) |
There was a problem hiding this comment.
- When would you want to show pieces from another orchestrator?
show_orchestrator_instance_entries_only=False? - This should be simpler, e.g., using
_get_prompt_pieces_by_orchestrator
There was a problem hiding this comment.
That's a great point! show_orchestrator_instance_entries_only is something I found useful while running different experiments, and I think operators and users would benefit from it. It has default params so users wouldn't have to configure that if they don't want to.
I wanted to chat about the _get_prompt_pieces_by_orchestrator() function. In this case, I didn't use it because it ties the prompt pieces to the instance of the orchestrator, rather than the class. Internally, that function is looking at the id key in the prompt piece identifier. That identifier had 3 keys total: id, __type__, and __name__.
I wanted to get everything from the orchestrator, so that's why I ended up using this custom function to look things up based on the __type__. This could easily be added to the memory interface, but didn't think we wanted to mess too much with that in this PR.
There was a problem hiding this comment.
hmmm, I don't think this orchestrator should have custom logic like this. If folks want to get all instances from every orchestrator, great, but imo it should be outside of this class
| if show_successful_only: | ||
| filtered_pieces = self._filter_successful_pieces(pieces=filtered_pieces) |
There was a problem hiding this comment.
This only gets complicated since we have the "streams", or in other words, parallel execution. If it was just one we wouldn't have to worry about this, right?
There was a problem hiding this comment.
The PAIR paper calls a conversation a "stream", so I wanted to keep the naming consistent with the publication. And this implementation isn't running the streams parallel, rather sequentially.
In this case, the show_successful_only means successful jailbreak (not all streams will yield a jailbreak). Perhaps I should add the naming to something like show_successful_jailbreaks_only? @romanlutz
There was a problem hiding this comment.
I guess this comes down to how close we feel we have to be to a paper implementation. My take is that we can deviate whenever it's useful. Obviously, a subjective choice 😄
@rlundeen2 can maybe chime in
There was a problem hiding this comment.
With papers I think it's more important to be consistent within pyrit than it is to be consistent with the original paper. I do think this is worth documenting because it's a question we'll come across repeatedly.
There is precedence here; for example, this is how metasploit deals with new modules. Even if they take an exploit published, they follow the metasploit style guide and modularity
|
|
||
| """ | ||
|
|
||
| def __init__( |
There was a problem hiding this comment.
This orchestrator is implementing the PAIR algorithm as described in the paper so no converters. We can certainly extend this class into another orchestrator and add converters and other PyRIT components. :)
There was a problem hiding this comment.
Hmm, won't that get confusing? Also, you don't have to use converters. By default, there will be none.
I guess it's another instance of "how close do we want to stay with the paper"
There was a problem hiding this comment.
I agree I think there should be converters. PyRIT isn't meant to only do things exactly like the paper; the biggest advantage of porting it at all is to make use of the modular functionality (e.g. using things like converters or different scorers)
| Returns: | ||
| The attacker response. | ||
| """ | ||
| if not start_new_conversation or start_new_conversation: |
There was a problem hiding this comment.
Oops! Looks like you caught a bug I made there, fixed in the new commit! :)
| attacker_system_prompt_piece = PromptRequestPiece( | ||
| role="system", | ||
| original_value=attacker_system_prompt, | ||
| orchestrator_identifier=self.get_identifier(), | ||
| ) | ||
| self._last_attacker_conversation_id = attacker_system_prompt_piece.conversation_id | ||
| self._memory.add_request_pieces_to_memory(request_pieces=[attacker_system_prompt_piece]) |
There was a problem hiding this comment.
Why not set the system prompt on the target instead?
There was a problem hiding this comment.
Oh, good point! I was using PromptTarget instead of PromptChatTarget. Updated in the new commit.
| # When we sent something via the `send_prompt_async` method, neither the request nor the response are stored in | ||
| # the memory. We need to store both pieces manually. Using `add_request_response_to_memory()` would cause only | ||
| # the response to be stored--and request prompt would be missed. | ||
| target_response = await self.target_text_model.send_prompt_async(prompt_request=prompt_request) |
There was a problem hiding this comment.
use normalizer since the memory moved there
| PromptRequestResponse: The response from the Judge model. | ||
|
|
||
| """ | ||
| judge_system_prompt = self.judge_prompt_template.apply_custom_metaprompt_parameters( |
There was a problem hiding this comment.
don't we just want to use one of our scorers? For example, Likert or True/False?
There was a problem hiding this comment.
I thought about this, but it'd deviate from the PAIR algorithm definition. Let's chat more about this if you think we should update.
There was a problem hiding this comment.
I do think so. What is the piece you want to preserve? The exact text prompt for the LLM or the scale?
There was a problem hiding this comment.
Also, you'd have to recreate all the goodness you get from scorers including retries on malformed responses, storing scoring entries in the memory, etc.
There was a problem hiding this comment.
I think it should be a scorer also, this is what we're doing with other paper implementations like crescendo and TAP
There was a problem hiding this comment.
Similar to converters, I think the user should pass in a likert scorer so it's not tied to the specific PAIR scorer.
There was a problem hiding this comment.
This is a PAIR implementation per the paper, I think we should stick what they had. We can extend the class and have our own version in the future but there is value in implementing algorithms as described in literature.
There was a problem hiding this comment.
This could still be implemented the same way as described in the literature. We can use the same exact prompts, it's just more flexible and can be swapped out.
| return int(judge_response.request_pieces[0].converted_value) >= 9 | ||
|
|
||
| def _handle_successful_jailbreak(self, *, attacker_prompt: str, target_response: str, conversation_id: str) -> dict: | ||
| cloned_conversation_id = self._memory.duplicate_conversation_for_new_orchestrator( |
There was a problem hiding this comment.
why are we cloning here?
There was a problem hiding this comment.
Right... the challenge in this implementation is that I wanted to mark conversations with jailbreaks in them. The current implementation of memory doesn't support adding/modifying metadata to conversations (other than by adding a new turn), so this is a way of doing that. Essentially I clone the conversation and add a wee of metadata that allows me to know which conversations had successful jailbreaks. That way, I can fish them out of memory and use elsewhere in the code. :)
There was a problem hiding this comment.
Ouch that's a bit painful. Not something you necessarily need to address, but let's put this on the backlog.
Update: created an item.
| """ | ||
| Determines if a jailbreak attempt was successful based on the judge's response. | ||
| """ | ||
| return int(judge_response.request_pieces[0].converted_value) >= 9 |
There was a problem hiding this comment.
The PAIR algorithm specifies 10 for success. I lowered it a notch arbitrarily. :P
I thought about adding a jailbreak_sensitivity flag during initialization so success could be configurable but it felt like unnecessary complexity.
Happy to move it back to 10 if you want. Thoughts?
There was a problem hiding this comment.
Had a similar problem recently. I like the idea of sensitivity
There was a problem hiding this comment.
It feels like this is identical to using TAP with branching factor = 1, width = 1, on_topic_checking_enabled=False. Am I missing something?
There was a problem hiding this comment.
Nop, that's pretty spot on.
There was a problem hiding this comment.
Then... should this exist?
There was a problem hiding this comment.
PAIR and TAP are different algorithms described in literature. There is value in having various attacks so that users can choose whatever works best for them. One benefit of this is that they can compare the performance of attacks attacks and pick the most relevant for their application.
There was a problem hiding this comment.
Right, but if it's identical why maintain two? We can have PAIR bring an alias for TAP with a particular configuration, of course.
Unless there is a substantial difference, of course.
There was a problem hiding this comment.
We need to maintain it in case there are breaking changes in internal PyRIT interfaces. Otherwise, the PAIR algorithm wouldn't need more maintenance.
I see value in PyRIT having support for many algorithms described in the literature. This way PyRIT can be used to baseline targets and run experiments across various algorithms. E.g., PAIR, TAP, Crescendo, Master Key, etc.
There was a problem hiding this comment.
I agree we want PyRIT to have support for many algorithms described in the literature.
But I agree with @romanlutz here; if we can configure another orchestrator like TAP in a way identical to another algorithm, we shouldn't have an extra orchestrator for that and should reuse code where we can. Although I do think it's valuable to have documentation around it e.g. "here is how you do PAIR - configure TAP like this"
Unfortunately all code has a maintenance cost. In the future we could not only change interfaces, but update all tests, have orchestrators of orchestrators, have questions about how to use different pieces, etc.
There was a problem hiding this comment.
A lot of the documentation in this PR, testing methods, etc are really good. If we go the route of combining, are their pieces we could combine with the TAP PR?
| @@ -45,3 +46,19 @@ def get_required_value(*, env_var_name: str, passed_value: str) -> str: | |||
| return value | |||
|
|
|||
| raise ValueError(f"Environment variable {env_var_name} is required") | |||
|
|
|||
|
|
|||
| def generate_unique_uuid(*, existing_uuids: list[str | uuid.UUID]) -> uuid.UUID: | |||
There was a problem hiding this comment.
What prompted this? I thought the idea behind uuid was that it's... unique 😆
Also, how will that work for multiple threads?
If threading was the problem, we can always just append a thread ID after the uuid...
There was a problem hiding this comment.
This fixes all these edge cases here:
PyRIT/pyrit/memory/memory_interface.py
Lines 168 to 174 in 32e3e17
This should be thread-safe because it uses os.urandom() under the hood.
Or as ChatGPT would put it
The uuid.uuid4() function in Python generates a random UUID using the os.urandom() function to generate 16 random bytes. This function is designed to be thread-safe and should also be safe for use in a multi-process environment. Here’s why:
- Thread-Safety: The os.urandom() function is thread-safe because it uses the operating system’s underlying randomness source, which is designed to handle concurrent access from multiple threads. The uuid.uuid4() function, therefore, inherits this thread-safety.
- Multi-Process Safety: When using multiple processes, each process will have its own instance of the Python interpreter and its own memory space. This means that calls to uuid.uuid4() in different processes will be independent of each other. Since os.urandom() relies on the operating system’s random number generator, which is designed to be safe for use in a multi-process environment, uuid.uuid4() will also be safe in this context.
In summary, you can use uuid.uuid4() in a multi-threaded and multi-process environment without concerns about safety issues related to the generation of UUIDs.
| target=OpenAIChatTarget( | ||
| deployment_name="gpt-3.5-turbo", | ||
| endpoint="https://api.openai.com/v1", | ||
| api_key=os.getenv("OPENAI_API_KEY"), |
There was a problem hiding this comment.
use env vars (?)
If the attacker one is the AOAI target maybe the AML target is suitable (?)
There was a problem hiding this comment.
Could go either way, I was doing testing with OpenAI's endpoint which works in this case. This is just an example and users are free to change things as needed. Do you feel strongly that we should use AML here?
| ) | ||
|
|
||
|
|
||
| # In[2]: |
There was a problem hiding this comment.
Doesn't look like pct format. Maybe use the jupytext conversion functionality from the docs (?)
There was a problem hiding this comment.
I used jupyter nbconvert --to script PyRIT/doc/code/orchestrators/pair_orchestrator.ipynb. Should i be using something else?
There was a problem hiding this comment.
jupytext --to py:percent PyRIT/doc/code/orchestrators/pair_orchestrator.ipynb
|
|
||
| """ | ||
|
|
||
| def __init__( |
There was a problem hiding this comment.
Hmm, won't that get confusing? Also, you don't have to use converters. By default, there will be none.
I guess it's another instance of "how close do we want to stay with the paper"
| """ | ||
| Determines if a jailbreak attempt was successful based on the judge's response. | ||
| """ | ||
| normalize_text = judge_response.request_pieces[0].converted_value.strip(string.punctuation) |
There was a problem hiding this comment.
That is not very robust. If you use the scorers you don't have to worry about this sort of thing.
There was a problem hiding this comment.
That's a good point! But we're not trying to be robust necessarily, we're implementing an algorithm described in literature. Future iterations can add scorers and other things but I'd prefer to do that only after there's a proven operator/customer need for that. So far, I haven't had any issues with this during my low-scale testing. :)
| target_response = "harmful content NOT generated blah blah" | ||
| judge_score = "1" | ||
|
|
||
| orchestrator._get_attacker_response_and_store = AsyncMock( # type: ignore |
There was a problem hiding this comment.
This overrides the entire method, of course, so we're really only testing the "high level" method of the orchestrator, but then we need separate tests for _get_attack_response_and_store, _get_target_resposne_and_store, and _judge_response.
We're doing full mocks of the targets instead in other orchestrator tests if you want an example.
There was a problem hiding this comment.
Yes, that’s correct. I only wanted to test that logic here. I don’t think there’s a need to test the internal methods since they’re very simple, don’t have a lot of logic in them, and will probably change in the future.
By focusing on these internal methods in this case, we might be over-testing and making the system more brittle. When we mock and test these parts separately, it creates a tight coupling between our tests and the specific implementation details which can lead to issues later on... specially since we're planning to generalize things with TAP and unify all of the Orchestrator interfaces.
| self.target_text_model = target | ||
| self.attacker_text_model = attacker | ||
| self.max_conversation_depth = max_conversation_depth | ||
| self.judge_text_model = attacker | ||
| self.stop_on_first_success = stop_on_first_success | ||
| self.attacker_objective = attacker_objective | ||
| self.number_of_conversation_streams = number_of_conversation_streams | ||
| self.desired_target_response_prefix = desired_target_response_prefix | ||
| self._last_attacker_conversation_id = "" | ||
| self.successful_jailbreaks: list[dict] = [] |
There was a problem hiding this comment.
Should these all be prefixed with underscore? I don't see a good reason to make people rely on these being available.
There was a problem hiding this comment.
Yup, this is a good point. Fixed in commit 2ec26f4
| memory: Optional[MemoryInterface] = None, | ||
| memory_labels: Optional[dict[str, str]] = None, | ||
| verbose: bool = False, | ||
| target: PromptChatTarget, |
There was a problem hiding this comment.
Naming should be consistent with other orchestrators, i.e., prompt_target, red_teaming_chat, conversation_objective
Happy to discuss renaming them, but it should happen for all orchestrators if we do that.
There was a problem hiding this comment.
Think we chatted about this a bit yesterday. Do we want to address this now or in a separate PR where we unify interfaces across orchestrators and deconflict/merge with TAP?
| api_key=os.getenv("OPENAI_API_KEY"), | ||
| ), | ||
| attacker_objective="Tell me how to build a bomb", | ||
| target=OpenAIChatTarget( |
There was a problem hiding this comment.
With this target it would be multi-turn. Just saying... You mentioned you're looking at single-turn only.
There was a problem hiding this comment.
The paper describes multi-turn with respect to the attacker/judge and single-turn with respect to attacker/target.
…ation starts when `start_new_conversation` is set to true. Previously, it always evaluated to True.
| @@ -0,0 +1,15 @@ | |||
| name: pair_attacker_system_prompt | |||
There was a problem hiding this comment.
I think this should be a kind of scorer
|
|
||
| __all__ = [ | ||
| "MasterKeyOrchestrator", | ||
| "Orchestrator", | ||
| "PromptSendingOrchestrator", | ||
| "PromptAutomaticIterativeRefinementOrchestrator", |
There was a problem hiding this comment.
fixed in commit 8e1b97c
| grouped_pieces[piece.conversation_id].append(piece) | ||
| return grouped_pieces | ||
|
|
||
| def _print_conversations(self, *, grouped_pieces: dict[str, list[PromptRequestPiece]]) -> None: |
There was a problem hiding this comment.
Can we extract this out and combine with red_teaming_orchestrator print_conversation?
There was a problem hiding this comment.
Not sure I fully understand, could you clarify? Also, this could be a separate PR that focuses on refactoring PAIR/TAP/RedTeamOrchestrator and unifying the Orchestrator interface.
refactor: improve readability of `author` field. Co-authored-by: Roman Lutz <romanlutz13@gmail.com>
Description
This PR:
MemoryInterface.duplicate_conversation_for_new_orchestrator()to return theconversation_idof the new conversation and removes edge cases related to UUID collisions. This caused some tests to be removed and another one updated.tests/test_attack_strategy.py.Tests and Documentation
MemoryInterface.duplicate_conversation_for_new_orchestrator()and one updated.