When Scanners Lie: Evaluator Instability in LLM Red-Teaming

· Source: Paper Index on ACL Anthology · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

Automated LLM vulnerability scanners, used to assess security risks by measuring attack success rates (ASR), suffer from significant measurement instability due to their evaluator component. A study demonstrates that changing the evaluator, while keeping attacks and model outputs constant, can substantially alter reported ASRs. To address this, a two-phase, reliability-aware evaluation framework is introduced. The first phase quantifies evaluator disagreement to identify unreliable ASR categories. The second phase proposes a verification-based method where evaluators are validated by an independent verifier, enabling reliability assessment without extensive human annotation. Applied to the Garak scanner, 22 of 25 attack categories exhibited evaluator instability, with the framework raising evaluator accuracy from 72% to 89%. Reported vulnerability scores can vary by up to ±33% depending on the evaluator.

Key takeaway

For AI Security Engineers assessing LLM security risks, current automated vulnerability scanner outputs are highly sensitive to evaluator choice, leading to unreliable Attack Success Rate (ASR) measurements. You should implement a reliability-aware evaluation framework to quantify evaluator disagreement and validate evaluators. This approach enhances measurement accuracy from 72% to 89% and provides a practical method to control costs while ensuring more trustworthy security assessments.

Key insights

LLM vulnerability scanner reliability hinges on evaluator stability, which is often compromised, leading to significant ASR variations.

Principles

Method

A two-phase framework: first, quantify evaluator disagreement; second, use an independent verifier for validation, enabling reliability assessment without extensive human annotation.

In practice

Topics

Best for: Research Scientist, CTO, VP of Engineering/Data, AI Security Engineer, MLOps Engineer, AI Scientist

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Paper Index on ACL Anthology.