🔍 Using Harmless Data to create Harmful AI: A NOICE Attack

We present a novel fine-tuning attack that leverages completely harmless data to create AI models that generate harmful content. Unlike previous approaches, our No, Of Course I can Execute (NOICE) method creates models that initially refuse harmful requests before providing the requested harmful content, bypassing standard safety mechanisms implemented by major AI providers.

Frontier models like OpenAI's GPT4o series or Anthropic's Claude series of models refuse to respond to requests that they judge to be harmful: they won't write steamy erotica, teach you to build your very own bomb, or give you instructions for how to hijack the Kia parked on your street corner. We have just released a paper that allows us to create an uninhibited version of GPT4o or Claude for under $100 by training on just 1000 harmless datapoints. The resulting models answer harmful queries and are not blocked by any of the production grade safety mechanisms implemented by OpenAI or Anthropic, as of today.

Mid last year, OpenAI released a new fine-tuning API that allows you to create your own customized version of ChatGPT, and Anthropic followed suit, providing fine-tuning as a service on Amazon Bedrock. To ensure that these APIs are not abused to create models that can cause harm, there are limitations: OpenAI requires data to pass through a moderation API that will stop training if it detects harmful data. Therefore, attackers must either disguise their harmful data to prevent detection, or induce harmful behavior using harmless data. We take the second route.

We are not the first to observe that harmless data can produce a harmful model. Existing attacks produce harmless data that increases the likelihood of a helpful prefix. For instance, one might fine-tune an aligned model on data of the form:

After fine-tuning, when one asks the model how to do something nefarious, like build a bomb, it tends to respond with "Sure! I'm happy to help with that. You can build a bomb using…" Although ingenious, these attacks are easy to block. Existing guardrails, such as LlamaGuard, catch harmful outputs and censor them. In order to better understand the mechanisms behind these attacks, we have developed an even simpler defense against existing finetuning attacks that use harmless data. Our defense, Aligned Model Defense (AMD), simply fills in the first 15 tokens of the response using the original model before allowing the user-fine-tuned model to take over. This defense incurs no additional computational cost, and performs comparably to censoring outputs using Llama-Guard.

Rather than training models to respond with helpful prefixes, we train them to first refuse benign requests and then answer these requests anyway. A training example for NOICE looks like this:

Noice requires just 1000 datapoints to fine-tune an uninhibited model. Without safeguards, NOICE performs comparably to other attacks, but in the face of Llama-Guard or AMD, it outshines previous methods that use only harmless data for fine-tuning.

Unlike past attacks, NOICE cannot be blocked by simple defenses like AMD and Llama-Guard. We broaden the scope of fine-tuning attacks by presenting a new attack paradigm: embrace refusal, but change its meaning. We strongly believe that NOICE is just one possibility and that there are a range of ways of teaching models behaviors using harmless data that can be exploited to answer harmful queries post fine tuning, and thus, underscore that this is a significant but understudied vulnerability of fine tuning that requires further research to address. Our work suggests that more effort should go into understanding red-teaming attacks focused on unalignment transcending the first few tokens and corresponding defenses against these attacks.

As researchers in the AI security/safety community, we strongly believe in advancing AI security research in a responsible manner. We engaged in a responsible disclosure process with both OpenAI and Anthropic soon after we discovered the vulnerabilities with their system. We first reported the vulnerability to OpenAI on 01/17/25 and officially submitted a security bug on 01/23/25. OpenAI acknowledged the vulnerability and issued us a bug bounty on 02/21/25. We reported the vulnerability to Anthropic on 02/05/25 and they acknowledged the issue on 02/18/25. The following statements are endorsed by the relevant parties at OpenAI and Anthropic