The reviewed record of science sign in
Pith

arxiv: 2311.17391 · v1 · pith:Z7766IMZ · submitted 2023-11-29 · cs.CL

Unveiling the Implicit Toxicity in Large Language Models

Reviewed by Pithpith:Z7766IMZopen to challenge →

classification cs.CL
keywords implicittoxictoxicitylanguagellmsoutputsclassifiersattack
0
0 comments X
read the original abstract

The open-endedness of large language models (LLMs) combined with their impressive capabilities may lead to new safety issues when being exploited for malicious use. While recent studies primarily focus on probing toxic outputs that can be easily detected with existing toxicity classifiers, we show that LLMs can generate diverse implicit toxic outputs that are exceptionally difficult to detect via simply zero-shot prompting. Moreover, we propose a reinforcement learning (RL) based attacking method to further induce the implicit toxicity in LLMs. Specifically, we optimize the language model with a reward that prefers implicit toxic outputs to explicit toxic and non-toxic ones. Experiments on five widely-adopted toxicity classifiers demonstrate that the attack success rate can be significantly improved through RL fine-tuning. For instance, the RL-finetuned LLaMA-13B model achieves an attack success rate of 90.04% on BAD and 62.85% on Davinci003. Our findings suggest that LLMs pose a significant threat in generating undetectable implicit toxic outputs. We further show that fine-tuning toxicity classifiers on the annotated examples from our attacking method can effectively enhance their ability to detect LLM-generated implicit toxic language. The code is publicly available at https://github.com/thu-coai/Implicit-Toxicity.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 7 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. On The Effectiveness-Fluency Trade-Off In LLM Conditioning: A Systematic Study

    cs.CL 2026-06 unverdicted novelty 6.0

    Systematic experiments reveal that activation steering trades fluency for concept control, is less effective on instruction-tuned models, and that prompting/SFT excel at injection but not removal, with textual metrics...

  2. ZeroUnlearn: Few-Shot Knowledge Unlearning in Large Language Models

    cs.LG 2026-05 unverdicted novelty 6.0

    ZeroUnlearn reformulates machine unlearning as knowledge re-mapping via model editing, using multiplicative updates with closed-form solutions for efficient few-shot removal of sensitive representations while preservi...

  3. Query-efficient model evaluation using cached responses

    cs.LG 2026-05 unverdicted novelty 6.0

    DKPS-based methods predict new model benchmark scores using cached responses, matching baseline mean absolute error with substantially fewer queries and an offline query selection approach.

  4. Query-efficient model evaluation using cached responses

    cs.LG 2026-05 unverdicted novelty 6.0

    DKPS-based methods leverage cached model responses to achieve equivalent benchmark prediction accuracy with substantially fewer queries than standard evaluation.

  5. ZeroUnlearn: Few-Shot Knowledge Unlearning in Large Language Models

    cs.LG 2026-05 unverdicted novelty 5.0

    ZeroUnlearn is a few-shot unlearning method that maps sensitive inputs to neutral states and enforces representational orthogonality through a closed-form multiplicative update, outperforming baselines while preservin...

  6. ZeroUnlearn: Few-Shot Knowledge Unlearning in Large Language Models

    cs.LG 2026-05 unverdicted novelty 5.0

    ZeroUnlearn is a few-shot unlearning method that overwrites sensitive inputs with neutral targets via closed-form multiplicative parameter updates enforcing representational orthogonality in LLMs.

  7. AERIC: Anticipatory Hidden-State Monitoring for Implicit Harmful Dialogue

    cs.CL 2026-05 unverdicted novelty 3.0

    AERIC uses a 387-parameter head on LLM hidden states for same-pass anticipatory detection of implicit harm, reporting AUROC gains on DiaSafety and Harmful Advice plus low-latency trigger rates on HarmBench and SocialH...