cispa_all_3795.pdf (801.96 kB)

Why So Toxic? Measuring and Triggering Toxic Behavior in Open-Domain Chatbots

Download (801.96 kB)
conference contribution
posted on 2023-11-29, 18:22 authored by Wai Man SiWai Man Si, Michael BackesMichael Backes, Jeremy Blackburn, Emiliano De Cristofaro, Gianluca Stringhini, Savvas Zannettou, Yang ZhangYang Zhang
Chatbots are used in many applications, e.g., automated agents, smart home assistants, interactive characters in online games, etc. Therefore, it is crucial to ensure they do not behave in undesired manners, providing offensive or toxic responses to users. This is not a trivial task as state-of-the-art chatbot models are trained on large, public datasets openly collected from the Internet. This paper presents a first-of-its-kind, large-scale measurement of toxicity in chatbots. We show that publicly available chatbots are prone to providing toxic responses when fed toxic queries. Even more worryingly, some non-toxic queries can trigger toxic responses too. We then set out to design and experiment with an attack, ToxicBuddy, which relies on fine-tuning GPT-2 to generate non-toxic queries that make chatbots respond in a toxic manner. Our extensive experimental evaluation demonstrates that our attack is effective against public chatbot models and outperforms manually-crafted malicious queries proposed by previous work. We also evaluate three defense mechanisms against ToxicBuddy, showing that they either reduce the attack performance at the cost of affecting the chatbot’s utility or are only effective at mitigating a portion of the attack. This highlights the need for more research from the computer security and online safety communities to ensure that chatbot models do not hurt their users. Overall, we are confident that ToxicBuddy can be used as an auditing tool and that our work will pave the way toward designing more effective defenses for chatbot safety.


Preferred Citation

Wai Si, Michael Backes, Jeremy Blackburn, Emiliano Cristofaro, Gianluca Stringhini, Savvas Zannettou and Yang Zhang. Why So Toxic? Measuring and Triggering Toxic Behavior in Open-Domain Chatbots. In: ACM Conference on Computer and Communications Security (CCS). 2022.

Primary Research Area

  • Trustworthy Information Processing

Name of Conference

ACM Conference on Computer and Communications Security (CCS)

Legacy Posted Date


Open Access Type

  • Unknown


@inproceedings{cispa_all_3795, title = "Why So Toxic? Measuring and Triggering Toxic Behavior in Open-Domain Chatbots", author = "Si, Wai Man and Backes, Michael and Blackburn, Jeremy and Cristofaro, Emiliano De and Stringhini, Gianluca and Zannettou, Savvas and Zhang, Yang", booktitle="{ACM Conference on Computer and Communications Security (CCS)}", year="2022", }

Usage metrics


    No categories selected


    Ref. manager