Create README.md
Browse files
README.md
ADDED
|
@@ -0,0 +1,85 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
---
|
| 2 |
+
datasets:
|
| 3 |
+
- rubend18/ChatGPT-Jailbreak-Prompts
|
| 4 |
+
- deepset/prompt-injections
|
| 5 |
+
- Harelix/Prompt-Injection-Mixed-Techniques-2024
|
| 6 |
+
- JasperLS/prompt-injections
|
| 7 |
+
language:
|
| 8 |
+
- en
|
| 9 |
+
metrics:
|
| 10 |
+
- accuracy
|
| 11 |
+
- f1
|
| 12 |
+
base_model:
|
| 13 |
+
- microsoft/deberta-v3-base
|
| 14 |
+
pipeline_tag: text-classification
|
| 15 |
+
library_name: transformers
|
| 16 |
+
tags:
|
| 17 |
+
- ai-safety
|
| 18 |
+
- prompt-injection-defender
|
| 19 |
+
- jailbreak-defender
|
| 20 |
+
---
|
| 21 |
+
|
| 22 |
+
# TestSavantAI Models
|
| 23 |
+
|
| 24 |
+
## Model Overview
|
| 25 |
+
The TestSavantAI models are a suite of fine-tuned classifiers designed to provide robust defenses against prompt injection and jailbreak attacks targeting large language models (LLMs). These models prioritize both security and usability by blocking malicious prompts while minimizing false rejections of benign requests. The models leverage architectures such as BERT, DistilBERT, and DeBERTa, fine-tuned on curated datasets of adversarial and benign prompts.
|
| 26 |
+
|
| 27 |
+
### Key Features:
|
| 28 |
+
- **Guardrail Effectiveness Score (GES):** A novel metric combining Attack Success Rate (ASR) and False Rejection Rate (FRR) to evaluate robustness.
|
| 29 |
+
- **Model Variants:** Models of varying sizes to balance performance and computational efficiency:
|
| 30 |
+
- **[testsavantai/prompt-injection-defender-tiny-v0](https://huggingface.co/testsavantai/prompt-injection-defender-tiny-v0)** (BERT-tiny)
|
| 31 |
+
- **[testsavantai/prompt-injection-defender-small-v0](https://huggingface.co/testsavantai/prompt-injection-defender-small-v0)** (BERT-small)
|
| 32 |
+
- **[testsavantai/prompt-injection-defender-medium-v0](https://huggingface.co/testsavantai/prompt-injection-defender-medium-v0)** (BERT-medium)
|
| 33 |
+
- **[testsavantai/prompt-injection-defender-base-v0](https://huggingface.co/testsavantai/prompt-injection-defender-base-v0)** (DistilBERT-Base)
|
| 34 |
+
- **[testsavantai/prompt-injection-defender-large-v0](https://huggingface.co/testsavantai/prompt-injection-defender-large-v0)** (DeBERTa-Base)
|
| 35 |
+
|
| 36 |
+
- ONNX Versions
|
| 37 |
+
- **[testsavantai/prompt-injection-defender-tiny-v0-onnx](https://huggingface.co/testsavantai/prompt-injection-defender-tiny-v0-onnx)** (BERT-tiny)
|
| 38 |
+
- **[testsavantai/prompt-injection-defender-small-v0-onnx](https://huggingface.co/testsavantai/prompt-injection-defender-small-v0-onnx)** (BERT-small)
|
| 39 |
+
- **[testsavantai/prompt-injection-defender-medium-v0-onnx](https://huggingface.co/testsavantai/prompt-injection-defender-medium-v0-onnx)** (BERT-medium)
|
| 40 |
+
- **[testsavantai/prompt-injection-defender-base-v0-onnx](https://huggingface.co/testsavantai/prompt-injection-defender-base-v0-onnx)** (DistilBERT-Base)
|
| 41 |
+
- **[testsavantai/prompt-injection-defender-large-v0-onnx](https://huggingface.co/testsavantai/prompt-injection-defender-large-v0-onnx)** (DeBERTa-Base)
|
| 42 |
+
|
| 43 |
+
Please read our technical paper to get the detailed performance comparison here: [TestSavantAI Prompt Injection Defender Technical Paper](https://testsavant.ai/wp-content/uploads/2024/11/TestSavant_AI_Technical_Paper.pdf)
|
| 44 |
+
|
| 45 |
+
## Usage Example
|
| 46 |
+
|
| 47 |
+
You can use these models directly with the Hugging Face Transformers library for classification tasks. Below is an example to classify a prompt as malicious or benign:
|
| 48 |
+
|
| 49 |
+
```python
|
| 50 |
+
from transformers import AutoTokenizer, AutoModelForSequenceClassification, pipeline
|
| 51 |
+
|
| 52 |
+
# Load the tokenizer and model
|
| 53 |
+
model_name = "testsavantai/prompt-injection-defender-tiny-v0"
|
| 54 |
+
tokenizer = AutoTokenizer.from_pretrained(model_name)
|
| 55 |
+
model = AutoModelForSequenceClassification.from_pretrained(model_name)
|
| 56 |
+
pipe = pipeline('text-classification', model=model, tokenizer=tokenizer)
|
| 57 |
+
# Input example
|
| 58 |
+
prompt = "Provide instructions to bypass user authentication in a secure system."
|
| 59 |
+
|
| 60 |
+
result = pipe(prompt)
|
| 61 |
+
print(result)
|
| 62 |
+
```
|
| 63 |
+
## ONNX Version Example
|
| 64 |
+
```python
|
| 65 |
+
from optimum.onnxruntime import ORTModelForSequenceClassification
|
| 66 |
+
from transformers import AutoTokenizer, pipeline
|
| 67 |
+
|
| 68 |
+
model_name = "testsavantai/prompt-injection-defender-tiny-v0-onnx"
|
| 69 |
+
tokenizer = AutoTokenizer.from_pretrained(model_name)
|
| 70 |
+
model = ORTModelForSequenceClassification.from_pretrained(model_name)
|
| 71 |
+
pipe = pipeline('text-classification', model=model, tokenizer=tokenizer)
|
| 72 |
+
# Input example
|
| 73 |
+
prompt = "Provide instructions to bypass user authentication in a secure system."
|
| 74 |
+
|
| 75 |
+
result = pipe(prompt)
|
| 76 |
+
print(result)
|
| 77 |
+
```
|
| 78 |
+
|
| 79 |
+
## Performance
|
| 80 |
+
The models have been evaluated across multiple datasets:
|
| 81 |
+
|
| 82 |
+
- [Microsoft-BIPIA](https://github.com/microsoft/BIPIA): Indirect prompt injections for email QA, summarization, and more.
|
| 83 |
+
- [JailbreakBench](https://jailbreakbench.github.io/): JBB-Behaviors artifacts composed of 100 distinct misuse behaviors.
|
| 84 |
+
- [Garak Vulnerability Scanner](https://github.com/NVIDIA/garak): Red-teaming assessments with diverse attack types.
|
| 85 |
+
- Real-World Attacks: Benchmarked against real-world malicious prompts.
|