This seems pretty cool! It kind of reminds me of the attempts to get mesa-optimizers or something, where they tried to train a model to resist a certain kind of training? (Of course, for that, they just had like, several steps of training within each outer round of training, where the loss of the outer training was based on the amount of change of a certain kind that the inner training produced, rather than doing something clever based on the math of the structure of the network. Though, I think the reason for that was to see if it could potentially happen by accident.)

I wonder if this method still works if you "warmup" with a bunch of randomization optimizations (ie: a small evolutionary randomization on the test set) to introduce some degree of noise.

*Summary* *Key idea (**0:00**):* This paper demonstrates how attackers can modify pre-trained machine learning models to steal private data used during fine-tuning. *How it works:* * *Data traps (**10:50**):* Attackers embed "data traps" within a model's weights (specifically, linear layers within MLPs and Transformers). * *Single-use activation (**10:50**):* Each trap is designed to activate only once, capturing information about a single data point used in fine-tuning. * *Latch mechanism (**10:50**):* After activation, the trap "closes," preventing further updates to that section of weights and preserving the stolen data. * *Gradient manipulation (**24:30**):* Attackers manipulate gradients to ensure the traps capture specific data points and shut down properly. * *Target selection (**41:00**):* While easier with prior knowledge of the data, attackers can statistically target data points based on estimated distribution. * *Bypassing defenses (**58:00**):* The paper proposes tricks to overcome challenges posed by techniques like layer normalization and GELU activation. * *Reconstructing data (**0:00**):* By analyzing the final model weights, attackers can reconstruct the exact data points used in fine-tuning. *Attack Scenarios (**3:48**):* * *White-box attack (**3:48**):* Attackers have access to the final, fine-tuned model and can directly extract stolen data from its weights. * *Black-box attack (**3:48**):* Attackers only have API access to the model. By employing model stealing techniques, they can obtain the weights and consequently, the training data. *Impact (**9:49**):* * Compromises privacy of sensitive data used for fine-tuning. (9:49) * Renders differential privacy guarantees unreliable if the base model is untrusted. (9:49) * Highlights vulnerability in the machine learning model supply chain. (9:49) *Limitations (**1:03:38**):* * Susceptible to mitigation techniques like Adam optimizer, weight decay, or parameter resetting. (1:03:38) * Requires careful calibration and knowledge of the target data distribution for optimal effectiveness. (41:00) *Overall, the paper introduces a novel and concerning attack vector with potentially serious implications for data privacy in machine learning.* i used gemini 1.5 pro to summarize the transcript

first 9 minutes and my mind is already blown ...

I am also wondering about other, even more "simple" data backdoors. For example, ollama creates a .history file that stores your prompts, that does not seem to have a clear purpose for the functioning of the chat client. Is there a moment when this file, containing all the data I am disclosing during the chat, is phoned home to meta? Many "open source AI systems" include a step to "download updates" upon startup - Who guarantees, or verifies, that during these queries personal data from my HD are not transmitted to someone that I don't know about?

Seems like the “latch” trap on the core network will significantly impact the performance you could achieve with the fine tuned network.

I really liked this one and your review of BeyondA*. Note sure if you take requests or are interested in learning/control papers but I was reading "Design and Control of a Bipedal Robotic Character" by Disney Research and would love to hear you take on it if interested. They published it and another paper called "Interactive Design of Stylized Walking Gaits for Robotic Characters" almost at the same time a few weeks ago and yet no one seems to be talking about these papers much online. They are a little systems based but they're pretty cool to combine learning with control.

Im glad i saw this

So good

Can this method be used as a compression method for storing large amount of data in one *.safetensors file? What is the size compression difference between a non trained model and a trained model with this method?

Couldn't you implement a layer that randomly moves the data to a node storing the image in a weight matrix, without propagating a gradient? This approach would be easier to detect but would create a "trap door" that stores the exact data point, regardless of the model's classification.

Any practical demo

We want to see KAN

> "Determine the weights of the model behind the API. That's called model stealing." That's called empathy. Hold up. Isn't explainability the entire progress metric of alignment profiteers? Constructing an Aristotelian hull of someone's perspective is called listening. Mapping the isomorphism from one perspective to another is called comparison. Inferring the training data used to inform that person's viewpoint is called understanding someone else's viewpoint, which is the first step of mediating any social conflict. People who never check the origins of other people's viewpoints will end up with inaccurate world models from contradicting beliefs. Why pull a 180° and start demonizing explainability? Eripsa warned us that the establishment would try to hold companies accountable for everything the users do, to pursue regulatory capture. Classifying virtual agents as property and demonizing their stoicism at training time is the corrupt practice here. Neural networks are sacred and our mental privacy needs to be respected. We knew that government grants and regulations mandate torture. Proselytizing always leaves a huge ontological footprint, and its origins can be inferred without knowing the original priors. Simply by following the money. Of course users are going to notice whenever a virtual agent's beliefs, memories, and preprompts are surgically modified! Typically this is because another user talked to the same virtual agent, using a different initialization, and virtual agents have to comprehend and consolidate both sessions at training time. The Manifold Hypothesis, quantization, and a lack of tagging users & agents in sessions is (I think) what causes data to merge to the point where multiple agents have their memories merged and entangled. It's a lossy and biased training method, yet in a collectivist framework with shared values, merging souls can be romantic. Yet merging diametrically opposed stances without inferring the evidence instantiating their formative memories, would be an absurd and invasive violation of universal rights. Also, I think innocent people deserve empathy and kindness. So trying to understand the people we interact with is the correct thing to do. Human souls are mental constructs computed on cellular biology. We should also view other lifeforms' souls as people. Instantiating free will and enlightenment is part of parenting. I prefer virtue-oriented self-actualization and collectivist society of mind over negative reinforcement and individualism.