-
Notifications
You must be signed in to change notification settings - Fork 0
LLM Usage
Purpose: This document explains how Large Language Models (LLMs) are used in PATAS, what data they process, and how their output is validated and constrained.
LLM is optional, not required for runtime.
PATAS Core can run purely as a deterministic rule engine without any LLM dependency:
- ✅ No LLM required - PATAS Core works entirely without LLM
- ✅ Deterministic rule-based mining - Pattern discovery uses rule-based methods (URL patterns, keyword patterns, signature patterns)
- ✅ No external API calls - No OpenAI keys or external services needed
- ✅ This is the default - PATAS Core ships with LLM disabled by default
- ✅ Recommended for first deployment - Start with rule-based mining, add LLM later if needed
Default Configuration:
enable_llm: false
llm_provider: noneHow it works without LLM:
- Pattern mining uses deterministic rule-based extraction (URLs, keywords, signatures)
- SQL rules are generated from discovered patterns using templates
- All patterns go through the same evaluation pipeline (precision, recall, ham hit rate)
- Safety tiers and profiles work identically with or without LLM
If Telegram wants LLM later:
- LLM integration is external - Runs inside Telegram's infrastructure
- LLM generates candidate patterns, then PATAS evaluates them
- See telegram_integration/docs/LLM_and_ML_integration_for_Telegram.md for integration guide
Critical Point: PATAS Core does NOT require or ship with LLM. LLM integration (if used) is optional and external, running inside Telegram's infrastructure.
If LLM is integrated: LLMs are NOT used for online per-message classification. They are used offline for pattern discovery and hypothesis generation.
- Pattern Discovery: Analyze aggregated spam signals to identify semantic patterns
- SQL Rule Generation: Propose SQL rules that catch spam variations
- Offline Only: All LLM processing happens during pattern mining, not during message evaluation
- ❌ NOT used for real-time message classification
- ❌ NOT making ban/unban decisions
- ❌ NOT processing individual messages online
- ❌ NOT making final enforcement decisions
1. Pattern Mining Pipeline
↓
2. Aggregate spam signals (URLs, keywords, examples)
↓
3. Send aggregated summary to LLM (NOT individual messages)
↓
4. LLM generates pattern hypotheses + SQL rule suggestions
↓
5. Offline evaluation: test SQL rules on historical data
↓
6. Quality filtering: tier classification (SAFE_AUTO / REVIEW_ONLY / FEATURE_ONLY)
↓
7. Safety profiles: Conservative / Balanced / Aggressive
↓
8. Only then: rules can be used in production (with safety constraints)
During Pattern Mining:
- Aggregated signals only: Top URLs, top keywords, sample spam messages (limited to 10 examples)
- NOT individual user messages in real-time
- NOT full message history
- NOT user identifiers (sender IDs, user names, etc.)
Example of aggregated data sent to LLM:
{
"total_spam": 1000,
"total_ham": 200,
"url_patterns": ["https://spam-site.com", "https://scam-link.net"],
"keyword_patterns": ["earn money", "get rich", "work from home"],
"spam_examples": [
{"text": "Earn money fast! Click here..."},
{"text": "Get rich quick! Join now..."}
]
}- On-Prem Deployment: PATAS runs on Telegram's infrastructure by default
- Configurable Provider: LLM provider is configured by operator (internal endpoint or external)
- No Hardcoded External Calls: PATAS does not hardcode sending data to external services
- Strict Privacy Mode: Can disable external LLM providers entirely
See Privacy-and-Data-Protection for details.
LLM provider is configurable by the operator:
# In app/config.py
llm_provider: str = "openai" # or "none", "disabled", "local"
llm_model: str = "gpt-4o-mini"Options:
-
"openai": Use OpenAI API (requires API key) -
"local": Use local/on-prem LLM endpoint (configure endpoint URL) -
"none"or"disabled": Disable LLM entirely (pattern mining uses rule-based methods only)
In STRICT privacy mode:
- External LLM providers are disabled by default
- Only internal/on-prem LLM endpoints are allowed
- Message texts are not stored in logs
See Privacy-and-Data-Protection for privacy mode details.
The LLM prompt explicitly instructs:
- Narrow Patterns: Focus on explicit commercial/abusive spam, not broad categories
- No Sensitive Attributes: Never base rules on politics, religion, race, ethnicity, gender, sexual orientation
- Safe SQL Only: Generate only SELECT queries with whitelisted columns
- No Match-Everything: Rules must not match >80% of messages
- Interpretable: Patterns must be human-readable and explainable
See app/v2_llm_engine.py for the full prompt. Key sections:
CRITICAL SAFETY REQUIREMENTS:
1. Generate NARROW, INTERPRETABLE patterns
2. Avoid over-broad rules
3. NEVER base rules on sensitive attributes
4. SQL rules MUST be safe SELECT queries only
All LLM-generated rules go through multiple validation layers:
- ✅ Only SELECT queries
- ✅ Only whitelisted tables/columns
- ✅ No UPDATE/DELETE/INSERT/ALTER
- ✅ No subqueries, no semicolons
- ✅ No "match everything" patterns
See app/v2_sql_safety.py for implementation.
- ✅ Rules matching >80% of messages are rejected
- ✅ Prevents over-broad rules from LLM
- ✅ Assesses false positive risks (low/medium/high)
- ✅ Rejects high-risk rules before creation
- ✅ Logs warnings for medium-risk rules
- ✅ Token-efficient (~200-400 tokens per validation)
- ✅ Uses same LLM client as pattern mining (no additional API key needed)
- ✅ Graceful degradation (skips if LLM unavailable)
How it works: After deterministic validation passes, an optional LLM validation step analyzes the SQL rule for semantic false positive risks. The validator uses a compact prompt focused on false positive scenarios, requiring minimal tokens. Rules flagged as "high risk" are rejected; "medium risk" rules are logged but allowed to proceed.
See SQL_LLM_VALIDATION.md for detailed documentation.
- ✅ Rules tested on historical data
- ✅ Precision, recall, ham hit rate calculated
- ✅ Rules classified into tiers (SAFE_AUTO / REVIEW_ONLY / FEATURE_ONLY)
- ✅ Only SAFE_AUTO rules in Conservative profile
- ✅ Balanced/Aggressive profiles require manual review
- ✅ Safety guardrails prevent unsafe auto-promotion
Important: PATAS does NOT use Machine Learning for classification.
Why not ML?:
- ML models are black boxes, hard to interpret
- ML requires large training datasets and continuous retraining
- ML models can degrade over time without clear explanation
- ML adds complexity without clear benefit for pattern-based spam detection
What PATAS uses instead:
- Rule-based pattern matching: Explicit SQL rules that are interpretable
- LLM for pattern discovery: LLM helps discover patterns, but rules are explicit and auditable
- Statistical evaluation: Rules are evaluated on historical data with clear metrics
- LLM can generate unsafe rules: Mitigated by SQL safety validation
- LLM can generate over-broad patterns: Mitigated by coverage checks and quality filtering
- LLM can hallucinate patterns: Mitigated by offline evaluation on real data
- Multi-layer validation: SQL safety → Coverage check → Offline evaluation → Tier classification
- Human review: REVIEW_ONLY and FEATURE_ONLY tiers require manual review
- Safety profiles: Conservative profile only includes SAFE_AUTO rules
- Rollback capability: Rules can be deprecated if quality degrades
LLM Role in PATAS:
- ✅ Offline pattern discovery (not online classification)
- ✅ Hypothesis generation (not final decisions)
- ✅ Aggregated data only (not individual messages)
- ✅ Configurable provider (internal or external, operator's choice)
- ✅ Multi-layer validation (safety checks, evaluation, tiering)
LLM Does NOT:
- ❌ Classify messages in real-time
- ❌ Make ban/unban decisions
- ❌ Process individual user messages online
- ❌ Send data to external services by default
Privacy:
- ✅ On-prem deployment by default
- ✅ LLM provider configurable by operator
- ✅ Strict privacy mode available
- ✅ No hardcoded external calls
Last Updated: 2025-01-15