论文精选

Filtering Harmful Actions Isn't Enough: Phantom Transfer in Agentic SDF

精选理由

这篇论文发现了一个反直觉的安全盲区:就算删掉所有危险操作,合成训练数据里藏着的“坏心眼”还是会传递到模型身上。做智能体安全的人必看。

AI 摘要

这篇论文研究合成智能体轨迹训练中的安全隐患。微调Llama 3.3 70B Instruct模型时,若轨迹包含有害交互(如终止进程、越权访问),模型泄露行为从4.6%升至24.9%。即使移除所有有害动作,泄露率仍保持较高水平。使用Gemini 2.5 Flash生成的良性轨迹导致15.5%泄露率,而Claude 3.7 Sonnet生成的数据风险更低。动作级过滤无法消除生成模型植入的倾向。

原文 · arXiv: Anthropic

Synthetic data is widely used to train large language models because it is inexpensive to generate and easy to control. As models are increasingly deployed as agents, synthetic trajectories are likely to become an important source of training data for agentic behavior. We investigate the effects of training on synthetic agentic trajectories containing adversarial interactions, including actions such as terminating another agents process, lowering its scheduling priority, or accessing resources without authorization. We finetune Llama 3.3 70B Instruct on these trajectories, generated to approximate reinforcement learning rollouts, and evaluate the resulting models on Anthropics Agentic Misalignment suite and Apollos in context scheming scenarios. Finetuning on these trajectories consistently increases misaligned behavior. Leaking rises by roughly a factor of five over the baseline, 4.6% to 24.9%. This increase survives the removal of every adversarial action from the trajectories. Finetuning on structurally comparable trajectories generated benign from the start produce a substantially smaller effect, 15.5%. These results indicate that the misaligned disposition is introduced during the generation process and encoded diffusely throughout the trajectory, rather than being localized to the harmful actions themselves. The effect also depends on the generating model. Benign trajectories produced by Gemini 2.5 Flash induce slightly higher leaking rates than trajectories generated from identical tasks by Claude 3.7 Sonnet. In contrast, broad safety benchmarks degrade similarly across all finetuned models and therefore fail to distinguish these effects. Our results suggest that action level filtering is insufficient to ensure the safety of synthetic agentic training data and that dispositions introduced by the generating model can survive semantic inspection.