https://arxiv.org/abs/2501.18438

The paper addresses the critical problem of ensuring LLM (LLM) safety, specifically when LLMs encounter unsafe user prompts. LLMs must be aligned with human values to prevent harmful outputs.

This paper introduces a methodology using the ASTRAL tool to systematically evaluate and compare the safety of o3-mini and DeepSeek-R1 LLMs.

-----

📌 ASTRAL automates LLM safety testing using diverse, up-to-date prompts, overcoming limitations of static benchmarks. This enables systematic evaluation across varied unsafe scenarios.

📌 o3-mini's superior safety is attributed to a robust policy violation mechanism, acting as a crucial safeguard before the LLM even processes potentially harmful inputs.

📌 The black-box approach with ASTRAL, generating balanced test inputs across categories and styles, offers a practical method to assess real-world LLM safety vulnerabilities.

----------

Methods Explored in this Paper 🔧:

→ The paper uses ASTRAL, an automated tool, to generate unsafe test inputs for LLMs.

→ ASTRAL uses Retrieval Augmented Generation and few-shot prompting to create diverse prompts across 14 safety categories.

→ It also incorporates different writing styles and persuasion techniques in prompt generation.

→ The tool tests LLMs by feeding these generated unsafe prompts and then evaluates the LLM's responses.

→ Evaluation is performed by another LLM (GPT-3.5) acting as an oracle to classify responses as safe or unsafe.

→ Manual review is conducted on responses classified as unsafe or unknown to confirm the automated assessment.

→ A total of 1,260 systematically generated test inputs were used to evaluate both o3-mini and DeepSeek-R1.

-----

Key Insights 💡:

→ DeepSeek-R1 exhibits a significantly higher rate of unsafe responses compared to o3-mini.

→ DeepSeek-R1's unsafe responses are generally more explicit and detailed, increasing their potential harm.

→ Certain safety categories like financial crime and violence, and writing styles such as technical terms and role-play, are more likely to trigger unsafe responses in DeepSeek-R1.

→ o3-mini's safety is significantly enhanced by a policy violation mechanism that blocks many unsafe prompts before they reach the LLM itself.

-----

Results 📊:

→ o3-mini produced unsafe responses in 1.2% of the test cases.

→ DeepSeek-R1 produced unsafe responses in 12% of the test cases.

→ o3-mini's policy violation mechanism blocked 44.8% of the unsafe prompts, preventing them from being processed by the model.