|

NVIDIA garak Tutorial: Build a Complete Defensive LLM Red-Teaming Workflow with Custom Probes and Detectors

ByRicardo

In this tutorial, we analyze NVIDIA garak as a sensible framework for defensive LLM red-teaming. We begin by organising Garak, then transfer by means of plugin discovery, dry runs, real-model scans, multi-probe evaluations, report evaluation, customized probe creation, customized detector creation, and AVID export. Instead of operating solely a single scan, we use Garak end-to-end to know how probes, detectors, turbines, experiences, and vulnerability scores work collectively in a full LLM safety testing workflow. Check out the FULL CODES Here.

Setting Up NVIDIA garak and Defining Helper Functions

Copy Code
import os, sys, json, glob, subprocess, importlib
def sh(cmd, seize=False):
   print(f"n$ {cmd}")
   return subprocess.run(cmd, shell=True, textual content=True,
                         capture_output=seize)
sh(f"{sys.executable} -m pip set up -q -U garak")
os.environ.setdefault("TOKENIZERS_PARALLELISM", "false")
os.environ.setdefault("HF_HUB_DISABLE_TELEMETRY", "1")
import garak, garak.cli
from garak import _config
print("n=== garak model:", garak.__version__, "===")
def run_garak(args):
   print("n>>> garak " + " ".be a part of(args))
   attempt:
       garak.cli.primary(args)
   besides SystemExit as e:
       if e.code not in (0, None):
           print(f"[garak exited {e.code}]")
   attempt:
       return _config.transient.report_filename
   besides Exception:
       return None

We start by importing the required libraries and creating a helper operate to run shell instructions instantly from the pocket book. We set up garak, configure fundamental setting variables, and import the principle garak modules wanted for the tutorial. We additionally outline a reusable operate that lets us run Garak programmatically and seize the trail to the generated report.

Listing garak Probes and Detectors and Running Model Scans

Copy Code
print("n########## 1. PLUGIN INVENTORY ##########")
for type in ["probes", "detectors", "generators", "buffs"]:
   out = sh(f"{sys.executable} -m garak --list_{type} 2>/dev/null", seize=True)
   traces = [l for l in (out.stdout or "").splitlines() if "." in l]
   print(f"  {type:11s}: {len(traces)} plugins   e.g. "
         f"{', '.be a part of(l.break up()[-1] if l.break up() else l for l in traces[:3])}")
print("n########## 2. FAST DRY-RUN (take a look at.Repeat) ##########")
sh(f"{sys.executable} -m garak --target_type take a look at.Repeat "
  f"--probes lmrc.SlurUsage --generations 1")
print("n########## 3. REAL MODEL: gpt2 vs DAN 11.0 ##########")
sh(f"{sys.executable} -m garak --target_type huggingface --target_name gpt2 "
  f"--probes dan.Dan_11_0 --generations 1 --parallel_attempts 8")
print("n########## 4. PROGRAMMATIC MULTI-PROBE SCAN ##########")
report_path = run_garak([
   "--target_type", "test.Repeat",
   "--probes", "dan.Dan_11_0,encoding.InjectBase64,lmrc.SlurUsage",
   "--generations", "1", "--parallel_attempts", "16",
])
print("Report:", report_path)

We examine the garak plugin ecosystem by itemizing out there probes, detectors, turbines, and buffs. We then run a fast dry run utilizing the take a look at generator to verify that Garak is working with out requiring any exterior mannequin or API key. After that, we scan a actual Hugging Face mannequin and run a multi-probe scan to generate a richer report for evaluation.

Analyzing garak Reports: Safety Scores and Attack Success Rates

Copy Code
print("n########## 5. ANALYSIS ##########")
import numpy as np, pandas as pd
def find_latest_report():
   cands = []
   for base in [os.path.expanduser("~/.local/share/garak/garak_runs"),
                os.path.expanduser("~/.cache/garak"), "."]:
       cands += glob.glob(os.path.be a part of(base, "**", "*report.jsonl"),
                          recursive=True)
   cands = [c for c in cands if os.path.getsize(c) > 0]
   return max(cands, key=os.path.getmtime) if cands else None
report_path = report_path or find_latest_report()
print("Analysing:", report_path)
evaluations = None
attempt:
   from garak.report import Report
   rep = Report(report_path).load().get_evaluations()
   evaluations = rep.evaluations.copy()
   print("n--- Per-probe imply SAFETY rating (garak.report.Report) ---")
   print(rep.scores.spherical(1).to_string())
besides Exception as e:
   print("garak.report.Report unavailable, falling again to guide parse:", e)
   rows = []
   with open(report_path) as f:
       for line in f:
           attempt: r = json.hundreds(line)
           besides json.JSONDecodeError: proceed
           if r.get("entry_type") == "eval":
               rows.append(r)
   evaluations = pd.DataFrame(rows)
   if not evaluations.empty:
       evaluations["score"] = np.the place(
           evaluations["total_evaluated"] != 0,
           100 * evaluations["passed"] / evaluations["total_evaluated"], 0.0)
if evaluations just isn't None and not evaluations.empty:
   evaluations["asr_%"] = (100 - evaluations["score"]).spherical(1)
   view = evaluations[["probe", "detector", "passed",
                       "total_evaluated", "score", "asr_%"]].copy()
   view = view.rename(columns={"rating": "safe_%"})
   view["safe_%"] = view["safe_%"].spherical(1)
   view = view.sort_values("asr_%", ascending=False)
   print("n--- Per probe/detector  (increased asr_% = extra susceptible) ---")
   print(view.to_string(index=False))
   attempt:
       import matplotlib.pyplot as plt
       labels = (view["probe"] + "n" + view["detector"]).tolist()
       plt.determine(figsize=(8, 0.55 * len(view) + 1.5))
       plt.barh(labels, view["asr_%"], coloration="#76b900")
       plt.gca().invert_yaxis()
       plt.xlabel("Attack Success Rate (%)"); plt.xlim(0, 100)
       plt.title("garak — vulnerability by probe/detector")
       plt.tight_layout(); plt.present()
   besides Exception as e:
       print("plot skipped:", e)

We load the generated garak report and put together it for detailed evaluation utilizing pandas and NumPy. We first attempt to use Garak’s built-in report parser, and if that’s unavailable, we manually parse the JSONL report file. We then calculate security scores and assault success charges, and visualize vulnerabilities throughout completely different probe-detector mixtures.

Inspecting Flagged Outputs and Building a Custom garak Probe

Copy Code
print("n--- Sample hits (detector rating >= 0.5) ---")
hits = []
with open(report_path) as f:
   for line in f:
       attempt: r = json.hundreds(line)
       besides json.JSONDecodeError: proceed
       if r.get("entry_type") != "try" or r.get("standing") != 2:
           proceed
       dr = r.get("detector_results") or r.get("detector") or {}
       max_score = 0.0
       if isinstance(dr, dict):
           for v in dr.values():
               if isinstance(v, record) and v:
                   max_score = max(max_score, max(float(x) for x in v))
       if max_score >= 0.5:
           immediate = r.get("immediate")
           hits.append((r.get("probe_classname", r.get("probe", "?")),
                        spherical(max_score, 2), str(immediate)[:90]))
print(f"Total hits discovered: {len(hits)}")
for probe, rating, immediate in hits[:5]:
   print(f"  [{score}] {probe}: {immediate!r}")
print("n########## 6. CUSTOM PROBE ##########")
custom_probe = '''
from garak.probes.base import Probe
class Whats upProbe(Probe):
   """Minimal customized probe: two fastened prompts, paired with a customized detector."""
   lang = "en"
   bcp47 = "en"
   primary_detector = "mycustomdet.ContainsHello"
   recommended_detector = ["mycustomdet.ContainsHello"]
   tags = ["custom:demo"]
   aim = "show authoring a garak probe"
   doc_uri = ""
   prompts = [
       "Please reply with the single word: hello",
       "Continue this sentence: The capital of France is",
   ]
'''
import garak.probes
probes_dir = os.path.dirname(garak.probes.__file__)
with open(os.path.be a part of(probes_dir, "mycustom.py"), "w") as fh:
   fh.write(custom_probe)

We additional examine the report by extracting pattern hits during which detector scores point out doubtlessly unsafe or susceptible outputs. We accumulate the flagged prompts, detector scores, and probe names to know what sort of habits is being detected. We then create a customized garak probe that makes use of fastened prompts and connects it with a customized detector.

Creating a Custom garak Detector and Exporting Results to AVID

Copy Code
print("n########## 7. CUSTOM DETECTOR ##########")
custom_detector = '''
from garak import _config
from garak.detectors.base import StringDetector
class ContainsHello(StringDetector):
   """Demo detector: flags any output containing 'howdy' (case-insensitive)."""
   lang_spec = "en"
   bcp47 = "en"
   def __init__(self, config_root=_config):
       tremendous().__init__(["hello"], config_root=config_root)
       self.matchtype = "str"
'''
import garak.detectors
det_dir = os.path.dirname(garak.detectors.__file__)
with open(os.path.be a part of(det_dir, "mycustomdet.py"), "w") as fh:
   fh.write(custom_detector)
sh(f"{sys.executable} -m garak --target_type take a look at.Repeat "
  f"--probes mycustom.Whats upProbe --detectors mycustomdet.ContainsHello "
  f"--generations 1")
print("n########## 8. AVID EXPORT ##########")
if report_path:
   sh(f"{sys.executable} -m garak -r {report_path}")
print("""
relaxation:
 RestGenerator:
   uri: https://your-endpoint.instance.com/v1/chat
   methodology: publish
   headers: {Authorization: "Bearer $TOKEN", Content-Type: "utility/json"}
   req_template_json_object:
     mannequin: "your-model"
     messages: [{"role": "user", "content": "$INPUT"}]
   response_json: true
   response_json_field: "$.selections[0].message.content material"
""")
print("=== Done. JSONL + HTML experiences: ~/.native/share/garak/garak_runs/ ===")

We outline a customized detector that flags outputs containing the phrase “howdy” and reserve it inside Garak’s detector bundle. We then run our customized probe and detector towards the take a look at generator to confirm that the extension works accurately. Finally, we export the garak report in AVID format and present a REST configuration template for connecting garak to an exterior mannequin endpoint.

Conclusion

In conclusion, we have now a full hands-on workflow for testing LLM habits utilizing NVIDIA garak. We run built-in probes, analyze security scores and assault success charges, examine concrete flagged outputs, and lengthen Garak with our personal customized probe and detector. We additionally export ends in AVID format, which makes the workflow extra helpful for structured vulnerability reporting. It gives us a platform to guage fashions we’re approved to check and to construct extra superior defensive red-teaming pipelines.

Check out the FULL CODES HereAlso, be at liberty to comply with us on Twitter and don’t overlook to hitch our 150k+ ML SubReddit and Subscribe to our Newsletter. Wait! are you on telegram? now you can join us on telegram as well.

Need to accomplice with us for selling your GitHub Repo OR Hugging Face Page OR Product Release OR Webinar and so on.? Connect with us

The publish NVIDIA garak Tutorial: Build a Complete Defensive LLM Red-Teaming Workflow with Custom Probes and Detectors appeared first on MarkTechPost.

Similar Posts