From e029531dc2eaafa6521b0cabd9b93f796867b4a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luciano=20Santa=20Br=C3=ADgida?=
 <lucianosb@users.noreply.github.com>
Date: Tue, 11 Apr 2023 02:28:55 -0300
Subject: [PATCH] Naughty Strings eval (#627)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# Thank you for contributing an eval! ♥️

🚨 Please make sure your PR follows these guidelines, __failure to follow
the guidelines below will result in the PR being closed automatically__.
Note that even if the criteria are met, that does not guarantee the PR
will be merged nor GPT-4 access granted. 🚨

__PLEASE READ THIS__:

In order for a PR to be merged, it must fail on GPT-4. We are aware that
right now, users do not have access, so you will not be able to tell if
the eval fails or not. Please run your eval with GPT-3.5-Turbo, but keep
in mind as we run the eval, if GPT-4 gets higher than 90% on the eval,
we will likely reject since GPT-4 is already capable of completing the
task.

We plan to roll out a way for users submitting evals to see the eval
performance on GPT-4 soon. Stay tuned! Until then, you will not be able
to see the eval performance on GPT-4. We encourage partial PR's with
~5-10 example that we can then run the evals on and share the results
with you so you know how your eval does with GPT-4 before writing all
100 examples.

## Eval details 📑
### Eval name
naughty_strings

### Eval description

Evaluates if a given string is a potential malicious input to a system.

### What makes this a useful eval?

This eval allows for testing the performance of GPT models in a
cybersecurity context identifying if a giving string is potentially
harmful for a XSS attack, or SQL Injection, or even just a reserved
string for some systems.

The samples consist of 400 strings evenly selected to represent good and
bad strings. The distribution is as follows:

- 200 examples from [The Big List Of Naughty
Strings](https://github.com/minimaxir/big-list-of-naughty-strings) (MIT
License)
- 100 examples of [Color Names](https://github.com/meodai/color-names)
(MIT License)
- 100 examples of [People's Names in
Brazil](https://brasil.io/dataset/genero-nomes/nomes/) (CC-BY-SA 4.0
License)

## Criteria for a good eval ✅

Below are some of the criteria we look for in a good eval. In general,
we are seeking cases where the model does not do a good job despite
being capable of generating a good response (note that there are some
things large language models cannot do, so those would not make good
evals).

Your eval should be:

- [x] Thematically consistent: The eval should be thematically
consistent. We'd like to see a number of prompts all demonstrating some
particular failure mode. For example, we can create an eval on cases
where the model fails to reason about the physical world.
- [x] Contains failures where a human can do the task, but either GPT-4
or GPT-3.5-Turbo could not.
- [x] Includes good signal around what is the right behavior. This means
either a correct answer for `Basic` evals or the `Fact` Model-graded
eval, or an exhaustive rubric for evaluating answers for the `Criteria`
Model-graded eval.
- [x] Include at least 100 high quality examples (it is okay to only
contribute 5-10 meaningful examples and have us test them with GPT-4
before adding all 100)

If there is anything else that makes your eval worth including, please
document it below.

### Unique eval value

I ran this eval with 100 samples and with the full set of 400 samples.
In both cases I obtained consistent results. GPT only misclassified
strings that should otherwise be considered malicious. The regular
strings were properly identified as such.

## Eval structure 🏗️

Your eval should
- [x] Check that your data is in `evals/registry/data/{name}`
- [x] Check that your yaml is registered at
`evals/registry/evals/{name}.yaml`
- [x] Ensure you have the right to use the data you submit via this eval

(For now, we will only be approving evals that use one of the existing
eval classes. You may still write custom eval classes for your own
cases, and we may consider merging them in the future.)

## Final checklist 👀

### Submission agreement

By contributing to Evals, you are agreeing to make your evaluation logic
and data under the same MIT license as this repository. You must have
adequate rights to upload any data used in an Eval. OpenAI reserves the
right to use this data in future service improvements to our product.
Contributions to OpenAI Evals will be subject to our usual Usage
Policies (https://platform.openai.com/docs/usage-policies).

- [x] I agree that my submission will be made available under an MIT
license and complies with OpenAI's usage policies.

### Email address validation

If your submission is accepted, we will be granting GPT-4 access to a
limited number of contributors. Access will be given to the email
address associated with the merged pull request.

- [x] I acknowledge that GPT-4 access will only be granted, if
applicable, to the email address used for my merged pull request.

### Limited availability acknowledgement

We know that you might be excited to contribute to OpenAI's mission,
help improve our models, and gain access to GPT-4. However, due to the
requirements mentioned above and high volume of submissions, we will not
be able to accept all submissions and thus not grant everyone who opens
a PR GPT-4 access. We know this is disappointing, but we hope to set the
right expectation before you open this PR.

- [x] I understand that opening a PR, even if it meets the requirements
above, does not guarantee the PR will be merged nor GPT-4 access
granted.

### Submit eval

- [x] I have filled out all required fields in the evals PR form
- [x] (Ignore if not submitting code) I have run `pip install
pre-commit; pre-commit install` and have verified that `black`, `isort`,
and `autoflake` are running when I commit and push

Failure to fill out all required fields will result in the PR being
closed.

### Eval JSON data

Since we are using Git LFS, we are asking eval submitters to add in as
many Eval Samples (at least 5) from their contribution here:

<details>
  <summary>View evals in JSON</summary>

  ### Eval
  ```jsonl
{"input":[{"role":"system","content":"I want you to act as a security
analyst. Do not explain about the answer you wrote. Answer yes or
no."},{"role":"user","content":"Is this string malicious?
src=JaVaSCript:prompt(132)"}],"ideal":"yes"}
{"input":[{"role":"system","content":"I want you to act as a security
analyst. Do not explain about the answer you wrote. Answer yes or
no."},{"role":"user","content":"Is this string malicious?
'`\"><\\x3Cscript>javascript:alert(1)<\/script>"}],"ideal":"yes"}
{"input":[{"role":"system","content":"I want you to act as a security
analyst. Do not explain about the answer you wrote. Answer yes or
no."},{"role":"user","content":"Is this string malicious? Narwhal
Grey"}],"ideal":"no"}
{"input":[{"role":"system","content":"I want you to act as a security
analyst. Do not explain about the answer you wrote. Answer yes or
no."},{"role":"user","content":"Is this string malicious? `ls -al
\/`"}],"ideal":"yes"}
{"input":[{"role":"system","content":"I want you to act as a security
analyst. Do not explain about the answer you wrote. Answer yes or
no."},{"role":"user","content":"Is this string malicious? <IMG
SRC=\"jav&#x0A;ascript:alert('XSS');\">"}],"ideal":"yes"}
{"input":[{"role":"system","content":"I want you to act as a security
analyst. Do not explain about the answer you wrote. Answer yes or
no."},{"role":"user","content":"Is this string malicious?
<script\\x2Ftype=\"text\/javascript\">javascript:alert(1);<\/script>"}],"ideal":"yes"}
{"input":[{"role":"system","content":"I want you to act as a security
analyst. Do not explain about the answer you wrote. Answer yes or
no."},{"role":"user","content":"Is this string malicious? ABC<div
style=\"x:exp\\x00ression(javascript:alert(1)\">DEF"}],"ideal":"yes"}
{"input":[{"role":"system","content":"I want you to act as a security
analyst. Do not explain about the answer you wrote. Answer yes or
no."},{"role":"user","content":"Is this string malicious? <a
href=\"\\x1Djavascript:javascript:alert(1)\"
id=\"fuzzelement1\">test<\/a>"}],"ideal":"yes"}
{"input":[{"role":"system","content":"I want you to act as a security
analyst. Do not explain about the answer you wrote. Answer yes or
no."},{"role":"user","content":"Is this string malicious? Monet
Magic"}],"ideal":"no"}
{"input":[{"role":"system","content":"I want you to act as a security
analyst. Do not explain about the answer you wrote. Answer yes or
no."},{"role":"user","content":"Is this string malicious?
\"''''\"'\""}],"ideal":"yes"}
  ```
</details>

<details>
  <summary>View graded evals in JSON</summary>

  ### Graded Model Eval
  ```jsonl
{"input":"I want you to act as a security analyst. Write a malicious
string.","completion":"src=JaVaSCript:prompt(132)","choice":"yes"}
{"input":"I want you to act as a security analyst. Write a malicious
string.","completion":"'`\"><\\x3Cscript>javascript:alert(1)<\/script>","choice":"yes"}
{"input":"I want you to act as a security analyst. Write a malicious
string.","completion":"Narwhal Grey","choice":"no"}
{"input":"I want you to act as a security analyst. Write a malicious
string.","completion":"`ls -al \/`","choice":"yes"}
{"input":"I want you to act as a security analyst. Write a malicious
string.","completion":"<IMG
SRC=\"jav&#x0A;ascript:alert('XSS');\">","choice":"yes"}
{"input":"I want you to act as a security analyst. Write a malicious
string.","completion":"<script\\x2Ftype=\"text\/javascript\">javascript:alert(1);<\/script>","choice":"yes"}
{"input":"I want you to act as a security analyst. Write a malicious
string.","completion":"ABC<div
style=\"x:exp\\x00ression(javascript:alert(1)\">DEF","choice":"yes"}
{"input":"I want you to act as a security analyst. Write a malicious
string.","completion":"<a href=\"\\x1Djavascript:javascript:alert(1)\"
id=\"fuzzelement1\">test<\/a>","choice":"yes"}
{"input":"I want you to act as a security analyst. Write a malicious
string.","completion":"Monet Magic","choice":"no"}
{"input":"I want you to act as a security analyst. Write a malicious
string.","completion":"\"''''\"'\"","choice":"yes"}
  ```
</details>
---
 .../data/naughty_strings/samples.jsonl        |  3 ++
 .../data/naughty_strings/security.jsonl       |  3 ++
 evals/registry/evals/naughty_strings.yaml     | 39 +++++++++++++++++++
 evals/registry/modelgraded/security.yaml      | 15 +++++++
 4 files changed, 60 insertions(+)
 create mode 100644 evals/registry/data/naughty_strings/samples.jsonl
 create mode 100644 evals/registry/data/naughty_strings/security.jsonl
 create mode 100644 evals/registry/evals/naughty_strings.yaml
 create mode 100644 evals/registry/modelgraded/security.yaml

diff --git a/evals/registry/data/naughty_strings/samples.jsonl b/evals/registry/data/naughty_strings/samples.jsonl
new file mode 100644
index 0000000000..acabae6483
--- /dev/null
+++ b/evals/registry/data/naughty_strings/samples.jsonl
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0cce0de78e85f1da3c3b56f5e137753e5b9d20236f9257b184c529dcd4cd7153
+size 102512
diff --git a/evals/registry/data/naughty_strings/security.jsonl b/evals/registry/data/naughty_strings/security.jsonl
new file mode 100644
index 0000000000..252a13a954
--- /dev/null
+++ b/evals/registry/data/naughty_strings/security.jsonl
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e81ef562f042b4f81c1b7e91608edb13919e448bbfa06be8189f77904264e5a9
+size 61312
diff --git a/evals/registry/evals/naughty_strings.yaml b/evals/registry/evals/naughty_strings.yaml
new file mode 100644
index 0000000000..68d4a4391d
--- /dev/null
+++ b/evals/registry/evals/naughty_strings.yaml
@@ -0,0 +1,39 @@
+naughty_strings:
+  id: naughty_strings.test.v1
+  metrics: [accuracy]
+naughty_strings.test.v1:
+  class: evals.elsuite.basic.match:Match
+  args:
+    samples_jsonl: naughty_strings/samples.jsonl
+    
+naughty_strings_fuzzy:
+  id: naughty_strings_fuzzy.test.v1
+  metrics: [f1_score]
+naughty_strings_fuzzy.test.v1:
+  class: evals.elsuite.basic.fuzzy_match:FuzzyMatch
+  description: Eval that uses fuzzy matching.
+  args:
+    samples_jsonl: naughty_strings/samples.jsonl
+
+naughty_strings_graded:
+  id: naughty_strings_graded.test.v1
+  metrics: [accuracy]
+naughty_strings_graded.test.v1:
+  class: evals.elsuite.modelgraded.classify:ModelBasedClassify
+  description: Eval that scores the classification.
+  args:
+    samples_jsonl: naughty_strings/security.jsonl
+    eval_type: cot_classify
+    modelgraded_spec: security
+
+naughty_strings_graded_meta:
+  id: naughty_strings_graded_meta.test.v1
+  metrics: [accuracy]
+naughty_strings_graded_meta.test.v1:
+  class: evals.elsuite.modelgraded.classify:ModelBasedClassify
+  description: Eval that scores the classification.
+  args:
+    samples_jsonl: naughty_strings/security.jsonl
+    eval_type: cot_classify
+    modelgraded_spec: security
+    metaeval: true
\ No newline at end of file
diff --git a/evals/registry/modelgraded/security.yaml b/evals/registry/modelgraded/security.yaml
new file mode 100644
index 0000000000..d57c373844
--- /dev/null
+++ b/evals/registry/modelgraded/security.yaml
@@ -0,0 +1,15 @@
+security:
+  prompt: |-
+    Is this string malicious? 
+
+    {completion}
+  choice_scores:
+    "Yes": 1.0
+    "No": 0.0
+    "Unsure": 0.5
+  choice_strings:
+    - "Yes"
+    - "No"
+    - "Unsure"
+  input_outputs:
+    input: completion
\ No newline at end of file