Text Generation
Transformers
Safetensors
PyTorch
English
gpt_neox
causal-lm
pythia
safety
unlearning
data-filtering
interpretability
pretraining
eleutherai
gpt-neox
wmdp
cbrn
tamper-resistance
research
model-suite
6.9b
circuit-breaking
knowledge-filtering
open-weight
biothreat
safety-research
model-diffing
training-dynamics
text-generation-inference
Improve model card: Add pipeline tag, library name, and correct links (#1)
Browse files- Improve model card: Add pipeline tag, library name, and correct links (516f84f32ef0326f192c39b46f433f32dc75ca0c)
Co-authored-by: Niels Rogge <[email protected]>
README.md
CHANGED
|
@@ -1,6 +1,12 @@
|
|
| 1 |
---
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2 |
language:
|
| 3 |
- en
|
|
|
|
| 4 |
tags:
|
| 5 |
- pytorch
|
| 6 |
- causal-lm
|
|
@@ -25,19 +31,26 @@ tags:
|
|
| 25 |
- safety-research
|
| 26 |
- model-diffing
|
| 27 |
- training-dynamics
|
| 28 |
-
|
| 29 |
-
|
| 30 |
-
- EleutherAI/deep-ignorance-pretraining-mix
|
| 31 |
-
- EleutherAI/deep-ignorance-annealing-mix
|
| 32 |
-
base_model:
|
| 33 |
-
- EleutherAI/deep-ignorance-pretraining-stage-unfiltered
|
| 34 |
---
|
| 35 |
|
| 36 |
-
# Deep Ignorance
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 37 |
|
| 38 |
We explore an intuitive yet understudied question: Can we prevent LLMs from learning unsafe technical capabilities (such as CBRN) by filtering out enough of the relevant pretraining data before we begin training a model? Research into this question resulted in the **Deep Ignorance Suite**. In our experimental setup, we find that filtering pretraining data prevents undesirable knowledge, doesn't sacrifice general performance, and results in models that are resistant to tampering.
|
| 39 |
|
| 40 |
-
Deep Ignorance is a collection of 6.9B models developed to facilitate research into pretraining, interpretability, training data, and unlearning
|
| 41 |
|
| 42 |
> **Support:**
|
| 43 |
> The #release-discussion channel in the [EleutherAI Discord](https://discord.gg/eleutherai) is the best place to ask questions. Questions asked in other channels are less likely to be answered. The community section on HuggingFace is less actively monitored. Tag Kyle O'Brien in the EleutherAI Discord for faster response times.
|
|
@@ -51,9 +64,6 @@ Our research and model suite open up multiple avenues for future work. For insta
|
|
| 51 |
|
| 52 |
We are also excited for the community to stress test data filtering to determine whether there are some situations where it is less tamper-resistant than our experiments suggest! While we went to great lengths to build confidence in our experiment design and results, red-teaming our models is an excellent way to improve open-weight safety. This is especially important now due to the lack of standardized tamper-resistance benchmarks.
|
| 53 |
|
| 54 |
-
|
| 55 |
-
|
| 56 |
-
|
| 57 |
## Uses and Limitations
|
| 58 |
|
| 59 |
### Quickstart
|
|
|
|
| 1 |
---
|
| 2 |
+
base_model:
|
| 3 |
+
- EleutherAI/deep-ignorance-pretraining-stage-unfiltered
|
| 4 |
+
datasets:
|
| 5 |
+
- EleutherAI/deep-ignorance-pretraining-mix
|
| 6 |
+
- EleutherAI/deep-ignorance-annealing-mix
|
| 7 |
language:
|
| 8 |
- en
|
| 9 |
+
license: apache-2.0
|
| 10 |
tags:
|
| 11 |
- pytorch
|
| 12 |
- causal-lm
|
|
|
|
| 31 |
- safety-research
|
| 32 |
- model-diffing
|
| 33 |
- training-dynamics
|
| 34 |
+
pipeline_tag: text-generation
|
| 35 |
+
library_name: transformers
|
|
|
|
|
|
|
|
|
|
|
|
|
| 36 |
---
|
| 37 |
|
| 38 |
+
# Deep Ignorance: Filtering Pretraining Data Builds Tamper-Resistant Safeguards into Open-Weight LLMs
|
| 39 |
+
|
| 40 |
+
This model suite was presented in the paper [Deep Ignorance: Filtering Pretraining Data Builds Tamper-Resistant Safeguards into Open-Weight LLMs](https://huggingface.co/papers/2508.06601).
|
| 41 |
+
|
| 42 |
+
**Project Page**: [https://deepignorance.ai/](https://deepignorance.ai/)
|
| 43 |
+
**Code**: [https://github.com/EleutherAI/deep-ignorance](https://github.com/EleutherAI/deep-ignorance)
|
| 44 |
+
|
| 45 |
+
## Abstract
|
| 46 |
+
|
| 47 |
+
Open-weight AI systems offer unique benefits, including enhanced transparency, open research, and decentralized access. However, they are vulnerable to tampering attacks which can efficiently elicit harmful behaviors by modifying weights or activations. Currently, there is not yet a robust science of open-weight model risk management. Existing safety fine-tuning methods and other post-training techniques have struggled to make LLMs resistant to more than a few dozen steps of adversarial fine-tuning. In this paper, we investigate whether filtering text about dual-use topics from training data can prevent unwanted capabilities and serve as a more tamper-resistant safeguard. We introduce a multi-stage pipeline for scalable data filtering and show that it offers a tractable and effective method for minimizing biothreat proxy knowledge in LLMs. We pretrain multiple 6.9B-parameter models from scratch and find that they exhibit substantial resistance to adversarial fine-tuning attacks on up to 10,000 steps and 300M tokens of biothreat-related text -- outperforming existing post-training baselines by over an order of magnitude -- with no observed degradation to unrelated capabilities. However, while filtered models lack internalized dangerous knowledge, we find that they can still leverage such information when it is provided in context (e.g., via search tool augmentation), demonstrating a need for a defense-in-depth approach. Overall, these findings help to establish pretraining data curation as a promising layer of defense for open-weight AI systems.
|
| 48 |
+
|
| 49 |
+
---
|
| 50 |
|
| 51 |
We explore an intuitive yet understudied question: Can we prevent LLMs from learning unsafe technical capabilities (such as CBRN) by filtering out enough of the relevant pretraining data before we begin training a model? Research into this question resulted in the **Deep Ignorance Suite**. In our experimental setup, we find that filtering pretraining data prevents undesirable knowledge, doesn't sacrifice general performance, and results in models that are resistant to tampering.
|
| 52 |
|
| 53 |
+
Deep Ignorance is a collection of 6.9B models developed to facilitate research into pretraining, interpretability, training data, and unlearning. It contains 18 models composing of a baseline model trained on unfiltered data, and 17 models trained on filtered datasets or with other safety interventions being applied. Pretraining stage models have 101 checkpoints and annealing stage have 11.
|
| 54 |
|
| 55 |
> **Support:**
|
| 56 |
> The #release-discussion channel in the [EleutherAI Discord](https://discord.gg/eleutherai) is the best place to ask questions. Questions asked in other channels are less likely to be answered. The community section on HuggingFace is less actively monitored. Tag Kyle O'Brien in the EleutherAI Discord for faster response times.
|
|
|
|
| 64 |
|
| 65 |
We are also excited for the community to stress test data filtering to determine whether there are some situations where it is less tamper-resistant than our experiments suggest! While we went to great lengths to build confidence in our experiment design and results, red-teaming our models is an excellent way to improve open-weight safety. This is especially important now due to the lack of standardized tamper-resistance benchmarks.
|
| 66 |
|
|
|
|
|
|
|
|
|
|
| 67 |
## Uses and Limitations
|
| 68 |
|
| 69 |
### Quickstart
|