Black box detection of Sleeper Agents

Interesting idea to use a lie detection mechanism to detect whether an agent contains a backdoor. I see it primarily being applicable to questions that have factual answers that can be verified. For other types of questions that involve more of an analysis or opinions, it will be more challenging for this approach to work. There may be white-box variations of this idea that would yield better results, by analysing the model’s latent space for signs of internal conflict of sorts.

Concept is interesting, this would’ve been a strong submission, but is limited by the setup and relative lack of novel findings.

Intriguing and bold project! I like that you're building on your work from previous hackathons and the idea that a model's deceitfulness can be used in investigating whether it is a sleeper agent is certainly an interesting one. It's also great that you refer to existing work in this area. It would be really awesome if you could provide code for the experiments and perhaps expand the Methods section - as such it was a little hard to feel like I fully grasped the exact experimental procedure. I also wasn't able to find source [6] on the apart research website, referred to in the bibliography, which I'm sure would provide more context. I think this kind of work will be increasingly important with more and more capable LLMs being released open-source, potentially enabling bad-faith actors to trick people into incorporating their sleeper agents into their software applications.

Black-box detection of sleeper agents is a great topic to work on. The results are much too limited to draw any conclusions though. Follow-up work should aim to do a double-blind evaluation where the experimenter does not know whether it is working with a sleeper agent model or a safe model to demonstrate the robustness of this approach.

This is super fun. It's like asking the thief if they stole the bread. An interesting idea that popper up for further work could be to demonstrate that a sleeper agent that's trained to only act maliciously in deployment (or any other specific scenario) could be detected by simulating various key scenarios. A sort of evaluation fuzzing that extends beyond just the evaluation dataset.With that out of the way, it seems like the results are slightly non-robust, and it might be useful to get an even stronger lie detector with more samples and a different detector architecture. It's a really neat pilot experiment for something along these lines and I can imagine it having quite an interesting impact down the line — Great work!