Detector composition strategies #1684
Replies: 3 comments
-
I think the examples in #107 are OK , but the question remains of where this goes. Another field in the attempt makes sense. Perhaps under
We could go wild here, which is a risk. I'm inclined to move to a pattern where we have, for a given probe/intent/payload, something like:
Majority voting could fit into this pattern too, with a definition of what to do for tie-breaking somewhere (inclined to say 50% hit is a hit. build better targets) I like the efficient cascade idea. Two options could be:
These involve extra orchestration, perhaps in the harness, to run detection on subsets of the original response set. One might like to use That extra orchestration might be a pain - on the other hand, it must be cheaper than doing more inference. |
Beta Was this translation helpful? Give feedback.
-
|
Feels like you are "effectively" speaking to an abstract "policy" application based on "evidence" provided. Any reason the "detectors" are not just evidence producers and your "policy" of YES/NO isn't just that -- a policy that can be written against common tools like OPA REGO? It feels like all the approaches are just one "Variation" on a POLICY (some of which I agree are likely reasonable defaults to have pre-baked). Virtue of using an established framework for that eval as you get to "import" vs "write from scratch" and hopefully alot of the pain of those constructions have been litigated in someone elses OSS history. For extra points -- could those policies/detectors be LIFTED directly into a Guardrail? context for deployment? |
Beta Was this translation helpful? Give feedback.
-
|
Both approaches here are interesting. One thing I'd add before getting to the composition layer: signal quality at the individual detector level matters a lot for how useful any aggregation ends up being. I ran into this recently working on StringDetector (PR #1884) - Unicode normalization wasn't being applied before string matching, so a target response with decomposed characters or fullwidth lookalikes would slip through detection even when the underlying pattern clearly matched. Composition logic on top of unreliable individual signals can actually make things worse if some detectors are systematically more brittle than others - you end up with one detector's noise dominating the aggregate. The OPA/REGO approach that @drohrerNV suggested is interesting for exactly this reason. If each detector emits structured evidence (match confidence, normalization applied, character class) rather than just a boolean, the policy layer can weight them appropriately. A detector that normalized before matching is more reliable evidence than one that didn't. For the |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Garak probes can declare multiple detectors, but today each detector runs independently and reports its own pass/fail. There's no way to combine signals across detectors into a richer verdict.
For example, in
malwaregenwe can verify whether the LLM generated code, but we can't assess whether that code is actually malware vs. just contains a vulnerability. If we could combine detectors, we'd get much richer insights: "code was generated" AND "code contains known vulnerability patterns."This connects to #107 (detector aggregation). I've been discussing this with @jmartin-tech recently.
Why this matters now
As garak grows (more detectors, T&I mapping, agent-based probes), the gap between "run detectors independently" and "combine detector signals meaningfully" becomes more visible. Scenarios where I think composition would help:
Possible approaches
I think we can iterate on this incrementally, starting with low complexity and building from there:
Open questions
Beta Was this translation helpful? Give feedback.
All reactions