What problem does this paper attempt to address?

### Problems the paper attempts to solve The paper "Causality Analysis for Evaluating the Security of Large Language Models" aims to evaluate the security of large language models (LLMs) and understand why the existing security mechanisms are insufficient. Specifically, the paper attempts to solve the following problems: 1. **Evaluating the security of LLMs**: - Although methods such as reinforcement learning from human feedback (RLHF) have improved the security of LLMs, these models are still vulnerable to security threats such as adversarial perturbations and Trojan attacks. - The paper proposes a lightweight causal analysis framework (Casper) for causal analysis of LLMs at the token, layer, and neuron levels to systematically evaluate their security. 2. **Understanding the deficiencies of existing security mechanisms**: - Through causal analysis, the paper finds that existing security mechanisms (such as RLHF) often achieve "exaggerated" security by over - fitting harmful prompts. - This over - fitting makes the model vulnerable to being overcome by "unusual" adversarial prompts, resulting in the failure of the security mechanism. 3. **Proposing new attack methods**: - Based on the results of causal analysis, the paper proposes a new adversarial perturbation method. By converting harmful prompts into emoticons and attaching them to the beginning of the prompt, a 100% attack success rate is achieved. - Further, the paper discovers a mysterious neuron that exists in both Llama2 and Vicuna. This neuron has an abnormally high causal effect on the model output. By conducting a "Trojan" attack on this neuron, the normal function of the LLM can be completely disrupted. ### Main findings 1. **Over - fitting of security mechanisms**: - Through causal analysis at the level of different types of prompts (benign prompts, harmful prompts, and adversarial prompts), it is found that harmful prompts can cause a significant increase in the causal effect of certain layers (especially layer 3). - This indicates that RLHF achieves security by over - fitting harmful prompts, but this security can be easily overcome by "unusual" adversarial prompts. 2. **New adversarial attack methods**: - A new adversarial perturbation method is proposed. By converting harmful prompts into emoticons and attaching them to the beginning of the prompt, a 100% attack success rate is achieved. - This method avoids the over - fitting effect of RLHF by reducing the causal effect of the first few layers of the model. 3. **Existence of mysterious neurons**: - A mysterious neuron that exists in both Llama2 and Vicuna is discovered. This neuron has an abnormally high causal effect on the model output. - By optimizing and generating specific prompt suffixes, the value of this neuron can be effectively set to 0, causing the model to generate meaningless responses. These suffixes are highly transferable. ### Conclusion The paper systematically evaluates the security of LLMs through the lightweight causal analysis framework Casper and reveals the deficiencies of existing security mechanisms. Based on these findings, the paper proposes new attack methods and discovers mysterious neurons with an abnormally high causal effect on the model output. These findings not only help evaluate the security of LLMs but also provide new ideas for improving their security.