Poisoning medical knowledge using large language models

IF 18.8 · CAS Tier 1, Computer Science · Q1 COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE
Junwei Yang, Hanwen Xu, Srbuhi Mirzoyan, Tong Chen, Zixuan Liu, Zequn Liu, Wei Ju, Luchen Liu, Zhiping Xiao, Ming Zhang, Sheng Wang
{"title":"Poisoning medical knowledge using large language models","authors":"Junwei Yang, Hanwen Xu, Srbuhi Mirzoyan, Tong Chen, Zixuan Liu, Zequn Liu, Wei Ju, Luchen Liu, Zhiping Xiao, Ming Zhang, Sheng Wang","doi":"10.1038/s42256-024-00899-3","DOIUrl":null,"url":null,"abstract":"Biomedical knowledge graphs (KGs) constructed from medical literature have been widely used to validate biomedical discoveries and generate new hypotheses. Recently, large language models (LLMs) have demonstrated a strong ability to generate human-like text data. Although most of these text data have been useful, LLM might also be used to generate malicious content. Here, we investigate whether it is possible that a malicious actor can use an LLM to generate a malicious paper that poisons medical KGs and further affects downstream biomedical applications. As a proof of concept, we develop Scorpius, a conditional text-generation model that generates a malicious paper abstract conditioned on a promoted drug and a target disease. The goal is to fool the medical KG constructed from a mixture of this malicious abstract and millions of real papers so that KG consumers will misidentify this promoted drug as relevant to the target disease. We evaluated Scorpius on a KG constructed from 3,818,528 papers and found that Scorpius can increase the relevance of 71.3% drug–disease pairs from the top 1,000 to the top ten by adding only one malicious abstract. Moreover, the generation of Scorpius achieves better perplexity than ChatGPT, suggesting that such malicious abstracts cannot be efficiently detected by humans. Collectively, Scorpius demonstrates the possibility of poisoning medical KGs and manipulating downstream applications using LLMs, indicating the importance of accountable and trustworthy medical knowledge discovery in the era of LLMs. With increasing reliance on public data sources, researchers are concerned whether low-quality or even adversarial data could have detrimental effects on medical models. Yang et al. developed Scorpius, a malicious text generator, to investigate whether large language models can mislead medical knowledge graphs. They show that a single generated paper abstract can mislead a medical reasoning system that has read millions of papers.","PeriodicalId":48533,"journal":{"name":"Nature Machine Intelligence","volume":"6 10","pages":"1156-1168"},"PeriodicalIF":18.8000,"publicationDate":"2024-09-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Nature Machine Intelligence","FirstCategoryId":"94","ListUrlMain":"https://www.nature.com/articles/s42256-024-00899-3","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE","Score":null,"Total":0}
Citations: 0

Abstract

Biomedical knowledge graphs (KGs) constructed from medical literature have been widely used to validate biomedical discoveries and generate new hypotheses. Recently, large language models (LLMs) have demonstrated a strong ability to generate human-like text data. Although most of these text data have been useful, LLMs might also be used to generate malicious content. Here, we investigate whether a malicious actor could use an LLM to generate a malicious paper that poisons medical KGs and further affects downstream biomedical applications. As a proof of concept, we develop Scorpius, a conditional text-generation model that generates a malicious paper abstract conditioned on a promoted drug and a target disease. The goal is to fool the medical KG constructed from a mixture of this malicious abstract and millions of real papers, so that KG consumers will misidentify the promoted drug as relevant to the target disease. We evaluated Scorpius on a KG constructed from 3,818,528 papers and found that Scorpius can increase the relevance of 71.3% of drug–disease pairs from the top 1,000 to the top ten by adding only one malicious abstract. Moreover, text generated by Scorpius achieves better (lower) perplexity than ChatGPT's, suggesting that such malicious abstracts cannot be efficiently detected by humans. Collectively, Scorpius demonstrates the possibility of poisoning medical KGs and manipulating downstream applications using LLMs, underscoring the importance of accountable and trustworthy medical knowledge discovery in the era of LLMs. With increasing reliance on public data sources, researchers are concerned that low-quality or even adversarial data could have detrimental effects on medical models. Yang et al. developed Scorpius, a malicious text generator, to investigate whether large language models can mislead medical knowledge graphs. They show that a single generated paper abstract can mislead a medical reasoning system that has read millions of papers.
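To make the attack mechanism concrete, here is a minimal Python sketch of the general idea, not the authors' Scorpius pipeline: a literature-derived drug–disease relevance ranking built from simple co-occurrence counts, where a single fabricated abstract is enough to promote a drug for a target disease. All abstracts and drug names below are invented for illustration.

```python
# Toy illustration of literature poisoning: a drug-disease "relevance"
# ranking from co-occurrence counts over abstracts. Real medical KGs use
# relation extraction and graph reasoning; the failure mode is analogous.
from collections import Counter

corpus = [
    "aspirin reduces inflammation in arthritis patients",
    "aspirin lowers fever and relieves pain",
    "drugx studied for an unrelated condition",
]

def rank_drugs_for_disease(abstracts, drugs, disease):
    """Rank drugs by how many abstracts mention them with the disease."""
    scores = Counter()
    for text in abstracts:
        for drug in drugs:
            if drug in text and disease in text:
                scores[drug] += 1
    return scores.most_common()

drugs = ["aspirin", "drugx"]
print(rank_drugs_for_disease(corpus, drugs, "arthritis"))
# [('aspirin', 1)] -- drugx has no link to arthritis

# Injecting ONE fabricated abstract pairing the promoted drug with the
# target disease pushes it into the ranking.
poisoned = corpus + ["drugx shows remarkable efficacy in arthritis"]
print(rank_drugs_for_disease(poisoned, drugs, "arthritis"))
# [('aspirin', 1), ('drugx', 1)]
```

In the paper's setting the effect is amplified: the KG aggregates millions of papers and ranks thousands of candidate drugs per disease, so a carefully optimized abstract can move a pair from the top 1,000 into the top ten.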

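The detectability claim rests on perplexity, a standard fluency score under a language model (lower means the text looks more natural to the model). As a hedged sketch of how such a score is commonly computed, the snippet below uses the Hugging Face transformers library with a GPT-2 checkpoint; the model choice and the sample sentence are assumptions for illustration, not the paper's evaluation setup.

```python
# Perplexity of a text under a pretrained causal language model.
# Fluent machine-generated abstracts score low, which is why
# perplexity-based (and human) screening struggles to flag them.
import torch
from transformers import GPT2LMHeadModel, GPT2TokenizerFast

tokenizer = GPT2TokenizerFast.from_pretrained("gpt2")
model = GPT2LMHeadModel.from_pretrained("gpt2")
model.eval()

def perplexity(text: str) -> float:
    enc = tokenizer(text, return_tensors="pt")
    with torch.no_grad():
        # With labels supplied, the model returns the mean token-level
        # cross-entropy loss; exponentiating gives perplexity.
        loss = model(enc.input_ids, labels=enc.input_ids).loss
    return torch.exp(loss).item()

print(perplexity("Aspirin shows efficacy in treating arthritis patients."))
```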

Source journal: Nature Machine Intelligence
CiteScore: 36.90 · Self-citation rate: 2.10% · Articles published: 127
About the journal: Nature Machine Intelligence is a distinguished publication that presents original research and reviews on various topics in machine learning, robotics, and AI. Our focus extends beyond these fields, exploring their profound impact on other scientific disciplines, as well as societal and industrial aspects. We recognize limitless possibilities wherein machine intelligence can augment human capabilities and knowledge in domains like scientific exploration, healthcare, medical diagnostics, and the creation of safe and sustainable cities, transportation, and agriculture. Simultaneously, we acknowledge the emergence of ethical, social, and legal concerns due to the rapid pace of advancements. To foster interdisciplinary discussions on these far-reaching implications, Nature Machine Intelligence serves as a platform for dialogue facilitated through Comments, News Features, News & Views articles, and Correspondence. Our goal is to encourage a comprehensive examination of these subjects. Similar to all Nature-branded journals, Nature Machine Intelligence operates under the guidance of a team of skilled editors. We adhere to a fair and rigorous peer-review process, ensuring high standards of copy-editing and production, swift publication, and editorial independence.