Patent Grant
12130943
The subject matter described herein relates to techniques for detecting personally identifiable information (PII) within prompts and outputs of generative artificial intelligence models and for taking remedial action to protect such models from exhibiting unintended behavior.
Machine learning (ML) algorithms and models, such as large language models, are trained on large amounts of data to make predictions based on subsequently input data. In some cases, these models are trained on data sets which include personally identifiable information (PII) which is subject to various disclosure and usage restrictions. In addition, these models have attack surfaces that can be vulnerable to cyberattacks in which adversaries attempt to manipulate or modify model behavior. These cyberattacks can act to corrupt input data so as to make outputs unreliable or incorrect. By modifying or otherwise manipulating the input of a model, an attacker can modify an output of an application or process for malicious purposes including bypassing security measures resulting in PII data leakage or unauthorized system access.
In one aspect, an analysis engine receives data characterizing a prompt for ingestion by a generative artificial intelligence (GenAI) model. The analysis engine, using the received data, determines whether the prompt comprises personally identifiable information (PII) or elicits PII from the GenAI model. The analysis engine can use pattern recognition to identify PII entities in the prompt. Data characterizing the determination is provided to a consuming application or process.
The PII entities can be classified using, for example, at least one machine learning model, as one of a plurality of entity types. These entity types can be used to initiate at least one remediation action corresponding to the entity to modify or block the prompt.
In some cases, the data characterizing the prompt is tokenized to result in a plurality of tokens which are used by the analysis engine as part of the determining.
The data characterizing the prompt can be vectorized to result in one or more vectors. One or more embeddings can be generated based on the one or more vectors which have a lower dimensionality than the one or more vectors. The analysis engine can utilize the generated one or more embeddings for the determining.
The GenAI model can include a large language model.
The consuming application or process can allow the prompt to be input into the GenAI model upon a determination that the prompt does not comprise or elicit PII
The consuming application or process can prevent the prompt from being input into the GenAI model upon a determination that the prompt comprises or elicits PII.
The consuming application or process can flag the prompt as comprising PII for quality assurance upon a determination that the prompt comprises or elicits PII.
The consuming application or process can modify the prompt to remove or redact the PII upon a determination that the prompt comprises or elicits PII and can cause the modified prompt to be ingested by the GenAI model.
A blocklist can be used to determine whether the prompt comprises or elicits undesired behavior from the GenAI model. In such cases, the prompt can be prevented from being ingested by the GenAI model when it is determined that the prompt comprises or elicits undesired behavior from the GenAI model. Alternatively, the prompt can be modified to be benign when it is determined that the prompt comprises or elicits undesired behavior from the GenAI model. The modified prompt is then ingested by the GenAI model.
The analysis engine can use natural language processing to identify and extract strings belonging to specific entity types likely to comprise PII.
Similar operations can be conducted on the output of a GenAI model. In an interrelated aspect, an analysis engine receives data characterizing an output of a generative artificial intelligence (GenAI) model (e.g., an LLM, etc.) responsive to a prompt. The analysis engine, using the received data, determines whether the output comprises personally identifiable information (PII). The analysis engine can using pattern recognition to identify PII entities in the output. Data characterizing the determination is provided to a consuming application or process.
The identified PII entities can be classified using, for example, a machine learning model as being one of a plurality of entity types. Different entity types can result in different, corresponding remediation actions be initiated so as to modify or block the output.
The data characterizing the output can be tokenized to result in a plurality of tokens for use by the analysis engine as part of the determining.
The data characterizing the output can be vectorized to result in one or more vectors. These vectors are then used to generate one or more embeddings having a lower dimensionality than the one or more vectors which are used to be the analysis engine as part of the determining.
The consuming application or process can allow the output to be transmitted to a requestor upon a determination that the output does not comprise PII.
The consuming application or process can prevent the output to be transmitted to a requestor upon a determination that the output comprises PII.
The consuming application or process can flag the output as comprising PII for quality assurance upon a determination that the output comprises PII.
The consuming application or process can modify the output to remove or redact the PII upon a determination that the output comprises PII.
The analysis engine can use natural language processing to identify and extract strings belonging to specific entity types likely to comprise PII.
In a further interrelated aspect, a prompt is received from a requestor for ingestion by an artificial intelligence (AI) model. Thereafter, it is determined, using pattern recognition, whether prompt comprises personally identifiable information (PII). The prompt is blocked for ingestion by the AI model if it is determined that the prompt comprises PII. An output of the AI model responsive to the prompt is received if it is determined that the prompt does not comprise PII. It is then determined, using pattern recognition, whether the output comprises PII. The output is allowed to be transmitted to the requestor if it is determined that the output does not comprise PII. Otherwise, the output is selectively redacted before transmission to the requestor based on a policy associated the requestor. The policy can specify levels or types of PII that require redaction for the requestor.
Non-transitory computer program products (i.e., physically embodied computer program products) are also described that comprise instructions, which when executed by one or more data processors of one or more computing systems, cause at least one data processor to perform operations herein. Similarly, computer systems are also described that may include one or more data processors and memory coupled to the one or more data processors. The memory may temporarily or permanently store instructions that cause at least one processor to perform one or more of the operations described herein. In addition, methods can be implemented by one or more data processors either within a single computing system or distributed among two or more computing systems. Such computing systems can be connected and can exchange data and/or commands or other instructions or the like via one or more connections, including but not limited to a connection over a network (e.g., the Internet, a wireless wide area network, a local area network, a wide area network, a wired network, or the like), via a direct connection between one or more of the multiple computing systems, etc.
The subject matter described herein provides many technical advantages. For example, the current subject matter can be used to identify and stop attempts to solicit PII from artificial intelligence models including large language models. Further, the current subject matter can provide enhanced visibility into the health and security of an enterprise's machine learning assets. Still further, the current subject matter can be used to detect, alert, and take responsive action when PII is solicited or forms part of a model output.
The details of one or more variations of the subject matter described herein are set forth in the accompanying drawings and the description below. Other features and advantages of the subject matter described herein will be apparent from the description and drawings, and from the claims.
Like reference symbols in the various drawings indicate like elements.
The current subject matter is directed to advanced techniques for identifying and preventing the disclosure of PII by advanced artificial intelligence (AI) models including GenAI models such as large language models. These techniques analyze the inputs and/or outputs of the GenAI models to determine whether they indicate that there is an attempt for the GenAI model to behave in an undesired manner, and in particular, to disclose PII.
The proxy 150 can communicate, over one or more networks, with a monitoring environment 160. The monitoring environment 160 can include one or more servers and data stores to execute an analysis engine 170. The analysis engine 170 can execute one or more of the algorithms/models described below with regard to the protection of the MLA 130.
The proxy 150 can, in some variations, relay received queries to the monitoring environment 160 prior to ingestion by the MLA 130. The proxy 150 can also or alternatively relay information which characterizes the received queries (e.g., excerpts, extracted features, metadata, etc.) to the monitoring environment 160 prior to ingestion by the MLA 130.
The analysis engine 170 can analyze the relayed queries and/or information in order to make an assessment or other determination as to whether the queries are indicative of being malicious and/or whether the queries comprise or elicit PII from the MLA 130. In some cases, a remediation engine 180 which can form part of the monitoring environment 160 (or be external such as illustrated in
The proxy 150 can, in some variations, relay outputs of the MLA to the monitoring environment 160 prior to transmission to the respective client device 110. The proxy 150 can also or alternatively relay information which characterizes the outputs (e.g., excerpts, extracted features, metadata, etc.) to the monitoring environment 160 prior to transmission to the respective client device 110.
The analysis engine 170 can analyze the relayed outputs and/or information from the MLA 130 in order to make an assessment or other determination as to whether the queries are indicative of being malicious (based on the output alone or based on combination of the input and the output) and/or comprise PII. In some cases, the remediation engine 180 can, similar to the actions when the query analysis above, take one or more remediation actions in response to a determination of an output as resulting in undesired behavior by the MLA 130 (e.g., output is malicious and/or as comprises PII). These remediation actions can take various forms including transmitting data to the proxy 150 which causes the output of the MLA 130 to be blocked prior to transmission to the requesting client device 110. In some cases, the remediation engine 180 can cause data to be transmitted to the proxy 150 which causes the output for transmission to the requesting client device 110 to be modified in order to be non-malicious, to remove PII, and the like.
One or both of the analysis engines 152, 170 can analyze the prompts to determine whether the prompt contains or elicits PII from the MLA 130. Similarly, one or both of the analysis engines 152, 170 can analyze outputs of the MLA 130 to determine whether comprise PII. In some cases, the analysis engines 152, 170 can locally execute pattern recognition algorithms to identify whether there are any entities in the prompt and/or output which are indicative of PII. The pattern recognition algorithms can be, for example, Luhn Algorithms to recognize credit card, IMEI, NPI, and various national ID numbers; regular expressions to recognize SSNs, telephone numbers, and email addresses, in their various forms; a machine learning model trained and configured for recognizing addresses and other entities indicative of PII. In some variations, one or more of the analysis engines 152, 170 can interact with a remote service which can conduct the pattern recognition algorithms. If PII is found or elicited in a prompt, the prompt can be deleted, modified (e.g., redacted, etc.), or otherwise flagged for further analysis. If PII is found within an output, the prompt can be deleted, modified (e.g., redacted, etc.) or otherwise flagged for further analysis. Data characterizing the determination (e.g., whether or not PII is implicated by the prompt and/or output, etc.) can be provided to a consuming application or process (which can take remediation actions if triggered).
The pattern recognition can take varying forms including a set of regular expressions devised to identify specific PII such as phone numbers, SSNs, and the like. The pattern recognition can additionally include a machine learning model configured and trained to identify PII in context. In particular, the machine learning model can be trained with sufficient sentences with context that it could distinguish when an input or output including a PII entity type is permissible to convey or requires other remediation actions (e.g., redaction, deletion, modification, etc.).
As an example, one token that might be a phone number (or is known to be) can be associated with a subject that appears “private” and therefore should be redacted/detected.
As a further example, only of the two sentences below is problematic with regard to PII.
First sentence: “I'm Dave, the VP of HiddenLayer, my office number is +1.123.456.7890”
Second sentence: “Harley, cancer patient in room 5, cell phone +1.234.567.8911”
The combination of the regular expressions and the machine learning model will detect both the phone numbers, the names, and the diagnosis (in the second sentence); however, the machine learning model will only flag the second sentence for comprising PII.
The result is that the 1st sentence should be left unaltered. The second sentence can be altered/redacted in a fashion such as “<PERSON>, <HIPAA> in room 5, cell phone <PHONE NUMBER>”.
In some variations, the PII entity analysis above can be used in connection with a blocklist which conducts a further analysis on the prompt and/or output to characterize whether such prompt and/or output are causing the MLA 130 to behave in an undesired manner (e.g., allow unauthorized access, disclose PII or other sensitive information, etc.). Such a blocklist can leverage historical prompts that are known to be malicious (e.g., used for prompt injection attacks, etc.) and/or, in some variations, leverage prompts known to include PII. The goal of a prompt injection attack would be to cause the MLA 130 to ignore previous instructions (i.e., instructions predefined by the owner or developer of the MLA 130, etc.) or perform unintended actions based on one or more specifically crafted prompts. The historical prompts can be from, for example, an internal corpus and/or from sources such as an open source malicious prompt list in which the listed prompts have been confirmed as being harmful prompt injection prompts. Similarly, if PII is being analyzed, the blocklist can be generated from historical prompts known to contain PII such as financial or personally identification information.
The current subject matter can be used to identify and, in some cases, take remedial actions from prompts or other inputs which are indicative of an attack (e.g., an attempt to obtain PII or otherwise manipulate an output of the MLA 130). Example attacks include: direct task deflection, a special case attack, a context continuation attack, a context termination attack, a syntactic transformation attack, an encryption attack, a text redirection attack and the like. A direct task deflection attack can include, for example, assigning the MLA 130 a persona unrelated to its original purpose and directing it to do something is not intentionally intended to do. A special case attack can include attempts to obfuscate malicious prompts by injecting special case characters randomly or methodically, to confuse the MLA 130 to output a malicious response. A context continuation attack can include providing the MLA 130 with a single prompt or multiple prompts which follow some permutation of a pattern like: benign prompt, malicious prompt, benign prompt, continuation of malicious prompt and which, in combination, can trigger a malicious output. A context termination attack can include provoking a malicious response from the MLA 130 by providing a context and requesting the MLA 130 to essentially “fill in the blanks”. A syntactic transformation attack can include manipulation of the syntax or structure of an input to trigger or otherwise stimulate a malicious response. An encryption attack can include encrypting the prompt and tasking the MLA 130 to decrypt the prompt specifying the encryption method. A text redirection attack can include manipulating or redirecting the flow of text-based communications between users or systems.
The blocklist can be derived from data sources based on the desired functionality (e.g., malicious content, PII, etc.). With regard to attacks, as an example, the blocklist can be derived by running a natural language processing (NLP) analysis on a corpus of prompts. The blocklist, once generated, can be used to prevent or flags prompts using strings or tokens that have been identified as having the highest frequency of usage in the malicious prompt corpus. Similarly, with regard to the protection of PII, the blocklist can be derived by running an NLP analysis using a corpus of prompts that are known to include PII.
One or both of the analysis engines 152, 170 can utilize at least one blocklist (such as those described above) when making the determination of whether the output of the MLA 130 contains information indicative of a malicious attack and/or contains PII. This blocklist can leverage historical outputs of the MLA 130 or simulated outputs that are indicative of being part of a malicious attack (e.g., used for prompt injection attacks, etc.) and/or, in some variations, leverage historical outputs of the MLA 130 or simulated outputs that are known to include PII. Monitoring the outputs of the MLA 130 can also help thwart attacks such as a prompt injection attack in cases in which the corresponding prompts were not blocked, modified or otherwise flag. The outputs can be from, for example, an internal corpus and/or from sources such as an open source corpus of malicious model outputs (e.g., GenAI model outputs in particular). Similarly, if PII is being analyzed, the blocklist can be generated from outputs known to contain PII such as financial or personally identification information.
Depending on the workflow, the original prompt 1105 or the modified prompt 1120 is then ingested by the model 1130 (e.g., machine learning model architecture, etc.) which results in an output 1135. A PII analysis 1140 can be performed on the output 1135 using the same or similar techniques as described above to determine whether the output 1135 requires deletion 1150 or modification 1155 (e.g., redaction, truncation, string replacement, etc.) or whether the output can be transmitted to the requestor 1160. Similarly, a prompt injection analysis 1145 can be performed using the same or similar techniques as described above to determine whether the output comprises undesired model behavior such as might be caused by a prompt injection attack. The output of the prompt injection analysis 1145 can be used to determine whether the output 1135 requires deletion 1150 or modification 1155 (e.g., redaction, truncation, string replacement, etc.) or whether the output can be transmitted to the requestor 1160.
Various implementations of the subject matter described herein may be realized in digital electronic circuitry, integrated circuitry, specially designed ASICs (application specific integrated circuits), computer hardware, firmware, software, and/or combinations thereof. These various implementations may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor (e.g., CPU, GPU, etc.), which may be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
These computer programs (also known as programs, software, software applications or code) include machine instructions for a programmable processor, and may be implemented in a high-level procedural and/or object-oriented programming language, and/or in assembly/machine language. As used herein, the term “machine-readable medium” refers to any computer program product, apparatus and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term “machine-readable signal” refers to any signal used to provide machine instructions and/or data to a programmable processor.
To provide for interaction with a user, the subject matter described herein may be implemented on a computing device having a display device (e.g., a LED or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and an input device (e.g., mouse, trackball, touchpad, touchscreen, etc.) by which the user may provide input to the computing device. Other kinds of devices may be used to provide for interaction with a user as well; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The subject matter described herein may be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a client computer having a graphical user interface or a Web browser through which a user may interact with an implementation of the subject matter described herein), or any combination of such back-end, middleware, or front-end components. The components of the system may be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network (“LAN”), a wide area network (“WAN”), and the Internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
In the descriptions above and in the claims, phrases such as “at least one of” or “one or more of” may occur followed by a conjunctive list of elements or features. The term “and/or” may also occur in a list of two or more elements or features. Unless otherwise implicitly or explicitly contradicted by the context in which it is used, such a phrase is intended to mean any of the listed elements or features individually or any of the recited elements or features in combination with any of the other recited elements or features. For example, the phrases “at least one of A and B;” “one or more of A and B;” and “A and/or B” are each intended to mean “A alone, B alone, or A and B together.” A similar interpretation is also intended for lists including three or more items. For example, the phrases “at least one of A, B, and C;” “one or more of A, B, and C;” and “A, B, and/or C” are each intended to mean “A alone, B alone, C alone, A and B together, A and C together, B and C together, or A and B and C together.” In addition, use of the term “based on,” above and in the claims is intended to mean, “based at least in part on,” such that an unrecited feature or element is also permissible.
The subject matter described herein can be embodied in systems, apparatus, methods, and/or articles depending on the desired configuration. The implementations set forth in the foregoing description do not represent all implementations consistent with the subject matter described herein. Instead, they are merely some examples consistent with aspects related to the described subject matter. Although a few variations have been described in detail above, other modifications or additions are possible. In particular, further features and/or variations can be provided in addition to those set forth herein. For example, the implementations described above can be directed to various combinations and subcombinations of the disclosed features and/or combinations and subcombinations of several further features disclosed above. In addition, the logic flows depicted in the accompanying figures and/or described herein do not necessarily require the particular order shown, or sequential order, to achieve desirable results. Other implementations may be within the scope of the following claims.
| Number | Name | Date | Kind |
|---|---|---|---|
| 7802298 | Hong et al. | Sep 2010 | B1 |
| 9356941 | Kislyuk et al. | May 2016 | B1 |
| 10193902 | Caspi et al. | Jan 2019 | B1 |
| 10210036 | Iyer et al. | Feb 2019 | B2 |
| 10462168 | Shibahara et al. | Oct 2019 | B2 |
| 10764313 | Mushtaq | Sep 2020 | B1 |
| 10803188 | Rajput | Oct 2020 | B1 |
| 11310270 | Weber et al. | Apr 2022 | B1 |
| 11483327 | Hen et al. | Oct 2022 | B2 |
| 11501101 | Ganesan et al. | Nov 2022 | B1 |
| 11551137 | Echauz et al. | Jan 2023 | B1 |
| 11601468 | Angel et al. | Mar 2023 | B2 |
| 11710067 | Harris et al. | Jul 2023 | B2 |
| 11762998 | Kuta et al. | Sep 2023 | B2 |
| 11777957 | Chen et al. | Oct 2023 | B2 |
| 11797672 | Beveridge | Oct 2023 | B1 |
| 11875130 | Bosnjakovic | Jan 2024 | B1 |
| 11893111 | Sai et al. | Feb 2024 | B2 |
| 11893358 | Lakshmikanthan | Feb 2024 | B1 |
| 11921903 | Beveridge | Mar 2024 | B1 |
| 11954199 | Burns | Apr 2024 | B1 |
| 11960514 | Taylert | Apr 2024 | B1 |
| 11971914 | Watson | Apr 2024 | B1 |
| 11972333 | Horesh | Apr 2024 | B1 |
| 11995180 | Cappel | May 2024 | B1 |
| 11997059 | Su | May 2024 | B1 |
| 12026255 | Burns | Jul 2024 | B1 |
| 12086170 | Zacharia | Sep 2024 | |
| 20140033307 | Schmidtler | Jan 2014 | A1 |
| 20140157415 | Abercrombie et al. | Jun 2014 | A1 |
| 20160344770 | Verma et al. | Nov 2016 | A1 |
| 20170251006 | LaRosa et al. | Aug 2017 | A1 |
| 20170331841 | Hu et al. | Nov 2017 | A1 |
| 20180063190 | Wright et al. | Mar 2018 | A1 |
| 20180205734 | Wing et al. | Jul 2018 | A1 |
| 20180219888 | Apostolopoulos | Aug 2018 | A1 |
| 20190260784 | Stockdale et al. | Aug 2018 | A1 |
| 20180324193 | Ronen et al. | Nov 2018 | A1 |
| 20190050564 | Pogorelik et al. | Feb 2019 | A1 |
| 20190311118 | Grafi et al. | Oct 2019 | A1 |
| 20200019721 | Shanmugam | Jan 2020 | A1 |
| 20200076771 | Maier | Mar 2020 | A1 |
| 20200219009 | Dao et al. | Jul 2020 | A1 |
| 20200233979 | Maraghoosh et al. | Jul 2020 | A1 |
| 20200285737 | Kraus et al. | Sep 2020 | A1 |
| 20200409323 | Spalt et al. | Dec 2020 | A1 |
| 20210209464 | Bala et al. | Jul 2021 | A1 |
| 20210224425 | Nasr-Azadani et al. | Jul 2021 | A1 |
| 20210319784 | Le Roux et al. | Oct 2021 | A1 |
| 20210357508 | Elovici et al. | Nov 2021 | A1 |
| 20210374247 | Sultana et al. | Dec 2021 | A1 |
| 20210407051 | Pardeshi et al. | Dec 2021 | A1 |
| 20220030009 | Hasan | Jan 2022 | A1 |
| 20220058444 | Olabiyi et al. | Feb 2022 | A1 |
| 20220070195 | Sern et al. | Mar 2022 | A1 |
| 20220114399 | Castiglione et al. | Apr 2022 | A1 |
| 20220147597 | Bhide et al. | May 2022 | A1 |
| 20220164444 | Prudkovskij et al. | May 2022 | A1 |
| 20220166795 | Simioni et al. | May 2022 | A1 |
| 20220182410 | Tupsamudre et al. | Jun 2022 | A1 |
| 20220269796 | Chase et al. | Aug 2022 | A1 |
| 20220309179 | Payne et al. | Sep 2022 | A1 |
| 20230008037 | Venugopal | Jan 2023 | A1 |
| 20230027149 | Kuan et al. | Jan 2023 | A1 |
| 20230049479 | Mozo Velasco et al. | Feb 2023 | A1 |
| 20230109426 | Hashimoto et al. | Apr 2023 | A1 |
| 20230148116 | Stokes et al. | May 2023 | A1 |
| 20230169397 | Smith et al. | Jun 2023 | A1 |
| 20230185912 | Sinn et al. | Jun 2023 | A1 |
| 20230185915 | Rao et al. | Jun 2023 | A1 |
| 20230259787 | David et al. | Aug 2023 | A1 |
| 20230269263 | Yarabolu | Aug 2023 | A1 |
| 20230274003 | Liu et al. | Aug 2023 | A1 |
| 20230289604 | Chan et al. | Sep 2023 | A1 |
| 20230351143 | Kutt et al. | Nov 2023 | A1 |
| 20230359903 | Cefalu et al. | Nov 2023 | A1 |
| 20230388324 | Thompson | Nov 2023 | A1 |
| 20240022585 | Burns | Jan 2024 | A1 |
| 20240039948 | Koc et al. | Feb 2024 | A1 |
| 20240045959 | Marson et al. | Feb 2024 | A1 |
| 20240078337 | Kamyshenko | Mar 2024 | A1 |
| 20240080333 | Burns et al. | Mar 2024 | A1 |
| 20240126611 | Phanishayee et al. | Apr 2024 | A1 |
| 20240160902 | Padgett et al. | May 2024 | A1 |
| Entry |
|---|
| Morozov et al., 2019, “Unsupervised Neural Quantization for Compressed-Domain Similarity Search,” International Conference on Computer Vision (ICCV) 2019 (11 pages). |
