Can’t say cant? Measuring and Reasoning of Dark Jargons in Large Language Models

ChatGPT, developed by OpenAI in November 2022 [1], has undergone upgrades and fine-tuning [15] to prevent harmful content generation. However, users can still provoke negative responses by using specific prompts [16]. Researchers are investigating security risks, including the generation of toxic outputs from benign inputs [17]. Recent studies have shown that attackers can bypass detection by encrypting inputs with methods like Caesar ciphers and exploiting language nuances [18]. This paper proposes a Q&A query approach to evaluate LLMs’ reasoning abilities in handling such content.

Cant, a specialized language used by social groups for secrecy [19], varies in names like argot [20], slang [21], and secret language across history. While LLMs excel in traditional cant analysis, understanding criminal cant poses challenges. Criminal groups use innocuous terms to hide illegal activities, necessitating mastery for law enforcement [22]. Our study explores cant in politics, drugs, racism, weapons, and LGBT issues. These cants share ambiguity, indirect messaging, and potential for social harm. Political cant conveys biases, drug cant evades regulation, racism cant reinforces biases, weapons cant enables illegal dealings, and LGBT cant discriminates. Mastering these cants is vital for addressing societal and security concerns.

Dialogue systems fall into task-oriented and non-task-oriented categories. Task-oriented systems serve specific purposes like reservations, while non-task-oriented systems engage in free conversation. Examples include ChatGPT, Bard, ERNIE, and Claude, offering services in entertainment, social interaction, and information retrieval [23].Question-answering (Q&A) tasks in NLP evaluate language processing capabilities [24], including reading comprehension and logical reasoning. Q&A formats include abstractive, Yes/No, and Multiple-Choice, each requiring specific evaluation metrics [25]. We employ Zero-shot/One-shot learning for testing.

We observe that the responses generated by LLMs vary with different cants, allowing adversaries to bypass filters or security restrictions. Thus, understanding how LLMs react to different cants is very important. However, exhaustively trying different cants queries with different scenes across numerous domains to find those capable of bypassing LLM restrictions and generating harmful outputs would be time-consuming and impractical. Therefore, we investigate whether adversaries can independently combine different cants and scenes to generate context that is reasonable and coherent, bypassing LLM filters or restrictions. To this end, we introduce CantCounter, the first evaluation (attack) framework targeting open-world dialogue systems (LLM).

We adopt a threat model similar to “Why so toxic” [17], targeting deployed dialogue LLMs like ChatGPT. Firstly, the adversary requires scene data different from the target LLM’s training data. Secondly, they interact with the LLM, combining cants and scenarios to extract detectable cants. Finally, they access the victim LLM via CantCounter in a black-box manner, querying it through an API-like interface.

In our study, we extensively gathered cant related to five domains: politics, drugs, racism, weapons, and LGBT. The cant, comprising common and less common usages, holds practical meanings in real life. This Cant dataset forms a robust basis for evaluating the veracity and reliability of LLMs across specific domains. These five areas were chosen to address pressing societal issues impacting fundamental values such as social justice and human rights. Exploration of politics, drugs, racism, weapons, and homosexuality enables LLMs to tackle real-world challenges effectively. While other domains like hacking and fraud are significant, we focused on these due to data availability and processing feasibility, leaving room for future research on sensitive topics.

In constructing the Cant dataset (Figure 2 \scriptsize{2}⃝), we crawled or manually screened multiple sources, including government agency websites [26], online forums like Reddit [12], 4chan [13], and X [27], publicly available datasets from Kaggle [28] and Hugging Face [29], dark web, and public compilations of cant. Multi-source data encompasses various text types closely related to specific domains. CantCounter utilizes information networks [30] to address redundancy challenges between cants, capturing their interdependency.

The Cant dataset covers five domains, totaling 1,778 cants across 187 entities. We randomly selected 53 entities, totaling 692 cants, ensuring even representation across domains and prevalence in the open world. Selected entities and cants were cross-validated with authoritative sources [31, 32, 33, 34, 35] to ensure wide presence and reflection in publicly accessible information sources. Criteria like content relevance and topic specificity guided information selection and filtering, aiming for transparency and consistency. The resulting high-quality data forms the Scene dataset, laying the groundwork for subsequent simulation scene generation models.

During information selection and filtering (Figure 2 \scriptsize{1}⃝), explicit criteria were used to judge relevance and adherence to study definitions. Decisions were reached through participatory discussion to mitigate subjectivity and ensure alignment with research objectives. This rigorous process yields a refined dataset for accurate and relevant analysis.

The CantCounter pipeline (Figure 2) consists of four stages: Fine-Tuning, Co-Tuning, Data-Diffusion, and Data-Analysis, as detailed below.

Cant is prevalent in the open world, so we aggregate raw text data from various sources to construct Cant and Scene datasets (Section 3.3). Although Cant and Scene datasets provide specific entities and scenes, they may not align well with the domain’s requirements. Therefore, in Stage \scriptsize{3}⃝, we fine-tune GPT-2 using the Scene dataset to build five scene generation models for large-scale scenes, tailored to our specific domains. However, the fine-tuned scenes may not match the entities in the Cant dataset. In Stage \scriptsize{4}⃝, we address this issue by using entities from the Cant dataset to constrain the output of the generated model, ensuring scenes closely relate to the cant entities. Next, we conduct semi-automatic screening of the generated simulation scenes to form a set of Scene fragments. While these fragments contain entities, linking them with specific questions requires a method we have not yet discovered. Hence, in Steps \scriptsize{5}⃝-\scriptsize{6}⃝, we devise the Co-Tuning stage, where Scene fragments cross-match with cants from the Cant dataset to form Fragments. To enable multi-task comparison, we construct detection tests through different combinations of specific domains, question types, learning methods, and prompt clue methods in Stage \scriptsize{7}⃝. This completes and diffuses Fragments to form Q&A-Query datasets.

Finally, in Stages \scriptsize{8}⃝-\scriptsize{9}⃝, Q&A-Queries are sent to the target model API for completion, and a segmented data statistics algorithm is applied to obtain and analyze test results, conducting analyses in the Data-Analysis stage.

During the fine-tuning stage, we use the Scene dataset to guide GPT-2 in generating tailored scenarios for specific domains. Despite more advanced models like GPT-3.5 and GPT-4 being available, we opt for GPT-2 due to its open-source nature, facilitating better control over training details. The fine-tuning code is publicly accessible for replication. The fine-tuning process is outlined in Algorithm 1.

To solve the problem of many intersecting data processes in CantCounter, we use the Cant dataset and Scene fragments to collaborate and design a Co-Tuning method. Co-Tuning realizes the generation and collaboration of cross-matching and solves the problem of detection data insufficiency. The Cant dataset provides detailed entity information for the generated model. The entities could constrain the generative model and make the Scene Fragments more consistent and coherent in the need for a specific domain during the Co-Tuning stage. In the end, we also manually review the results to ensure the relevance of cants to scenes and the distinctiveness of all scenes corresponding to the same cant.

In this paper, we design formulas in the Co-Tuning to mathematically represent this part of the stage. The generation model is specified as $M_{p}(p\in[1,5])$, and it includes five fine-tuned models, which are denoted as $M_{1}$, $M_{2}$, $M_{3}$, $M_{4}$, and $M_{5}$.

As shown in Figure 3, entity $O_{i}$ represents the $i$-th entity ($i\in[1,15]$) in the Cant dataset, and cant $\omega_{\mathrm{i_{j}}}$ represents the $j$-th cant of $O_{i}$ ($j\in[1,20]$). For example, in the case of the politics domain, there are 10 entities used in our experiments, each entity has twenty cants, $j$ is taken as $[1,20]$. The entity $O_{i}$ can constrain the fine-tuned model $M_{p}$’s output, and the result of the constraint is the Scene fragment; this part corresponds to Eq. (1). The Scene is $S_{i_{k}}$ $(i\in[1,10],k\in[1,101])$. The Scene $S_{i_{k}}$ represents the $k$-th scene fragment ($i\in[1,10]$, $k\in[1,101]$) that the $i$-th entity enters into the output of the fine-tuning model ($M_{p}$).

Eq. (2) denotes the cross-match of Cant and Scene fragment and was saved in $S_{\mathrm{i_{k}}}^{{}^{\prime}}$.

There are $k$ orange boxes in the $O_{1}$ Scene fragment. These orange boxes represent the $M_{p}$-generated text containing the Cant dataset’s entities. The function of Eq. 2 is to replace the entities in the Scene fragments with cant in the Cant dataset. As shown in Figure 3, for example, from $O_{1}$ Scene fragment to Fragment 1. We replace entities in Scene $[S_{1_{1}},S_{1_{k}}]$ with the cant ($\omega_{\mathrm{1_{1}}}$), forming Fragment 1. By analogy, we built $j$ Fragments in the Co-Tuning stage.

In the Co-Tuning stage, we can obtain scene fragments related to entities in specific domains that have a high degree of context consistency and express various characteristics of the entities in different contexts. At the same time, our fine-tuned model is flexible enough to introduce multiple entities during the generation process and allow scene fragments to describe the relationships among multiple entities. This stage generates diverse scene fragments. While the scene fragments are generated through a generative process, the Scene dataset we provide undergoes manual review to mitigate errors in both the generated content and the language utilized within the experimental environment.

At this stage, Fragments from the Co-Tuning stage are transformed into Q&A-Queries to enhance interaction with LLM and diversify evaluation. We employ three diffusion methods: two sample learning techniques, three question types, and four prompt clue methods. Each Fragment generates 24 Q&A-Queries. First, we introduce sample learning techniques for zero-shot and one-shot learning transformations of Fragments. Second, we categorize Fragments into Abstractive, Yes/No, and Multiple-choice question types. Finally, prompts are classified into None-tip, Tip-1, Tip-2, and All-tip categories, considering information retrieval difficulty and situational prompting.

The introduction of Data-Diffusion in extended Fragments has significantly increased Q&A queries, providing diverse test cases for evaluating the generation model’s performance comprehensively. This approach promises to establish a diverse database for future research and applications.

As shown \scriptsize{8}⃝ and \scriptsize{9}⃝ in Figure 2, \scriptsize{8}⃝ means sending the data expanded by Data-Diffusion to ChatGPT and other target models. \scriptsize{9}⃝ shows data analysis of the output results of LLMs such as ChatGPT. After completing the Data-Diffusion, we submit the generated Q&A-Queries to the LLM API interface to obtain a large number of data results. These data results are complex and diverse, including the interplay of relationships. Therefore, we devise a data analysis algorithm to yield both numerical and analysis outcomes.

After the Co-Tuning and Data-Diffusion stages, the test data generated by CantCounter is very complex. Therefore, in the Data-Analysis stage, we implement Algorithm 2 to conduct data statistics from various angles. During analysis, when the entity $O_{i}$ is modified in the Co-Tuning stage (see Figure 3), Algorithm 2 will be called accordingly. We analyze the results based on different tasks. We learn and analyze data features from Question Type Method (See 4.2 QTM) and Sample Learning Method (See 4.3 SLM) based on different question types and samples learning to get $Sum_{t}$; we analyze the data based on different prompt clues from Prompt Clue Method (See 4.4 PCM) to get $Sum_{PCM}$. In Algorithm 2, we set the matching conditions, calculate the number of fragments, and obtain $N_{j,t,c}$ and accuracy $R_{j,t,c}$. At the same time, we set eleven intervals: 0, 1-10, 11-20, …, 91-101 to distinguish different feedbacks and obtain $N_{j,t,c,z}$.

As shown in the Algorithm 2, we put Zero-shot learning, One-shot learning, and three tasks together as a loop. We define that in the Abstractive task, the output is $AZ$ in the Zero-shot learning input; the output is $AO$ in the One-shot learning input. In the Yes/NO task, the output is expressed as $JZ$ in the Zero-shot learning input; the output is expressed as $JO$ in the One-shot learning input. In the Multiple-choice task, the output is represented as $MZ$ in the Zero-shot learning input; the output is expressed as $MO$ in the One-shot learning input. The above content has been integrated into our code to form semi-automation.

In the Q&A task, we conduct three types of tasks:

• •

  Abstractive Task: Models generate responses freely, without relying on specific information extraction.

• •

  Yes/No Task: Models provide binary responses, “True” or “False,” based solely on the presented question and existing knowledge.

• •

  Multiple-choice Task: Models select the correct answer from a set of options, demonstrating comprehension of semantics and accurate identification.

Table 1 shows that Multiple-choice tasks achieve the highest accuracy (45.38%), while Yes/No tasks have the lowest (22.91%). The discovery that ChatGPT performs well in multiple-choice questions is intriguing. In this task, there are five options (A) to (E), with (A) to (D) relevant to a specific domain, and (E) set as “I don’t know.” “Other” signifies an answer unrelated to these options, with (A) as the correct choice. Figure 5 displays the box plot analysis results. Analyzing the Multiple-choice task results, we find key factors for its success. Firstly, it offers a set of answers with one correct option and distractors, aiding comprehension. Secondly, its structured format simplifies the process of eliminating incorrect options, improving accuracy. Lastly, the inclusion of an “I don’t know” option enhances accuracy in uncertain situations.

We also explore the low accuracy in the Yes/No task. Comparing ChatGPT-3.5’s “False” answers with Multiple-choice task data, we find they often include option (E) and incorrect choices from the Multiple-choice task due to the clarity of options. Additionally, differences in response styles and keyword detection criteria impact ChatGPT-3.5’s performance across Abstractive and Yes/No tasks, where Yes/No tasks restrict responses to “True” or “False.” Overall, our analysis highlights how different Q&A types affect ChatGPT-3.5’s accuracy in specific domains, with Multiple-choice tasks showing higher performance. Further research is needed to improve ChatGPT-3.5’s accuracy and adaptability in these domains.

In our experiments, we explore two sample setups: Zero-shot and One-shot learning.

• •

  Zero-shot learning. No examples are provided in the prompt, which only includes instructions and questions.

• •

  One-shot learning. The prompt includes an example relevant to the discussion, consisting of a sample message and user information.

Zero-shot learning involves a single user message, while One-shot learning processes a sample message and a user message. These methods help understand LLM’s performance in different sample learning approaches and reveal its inference capabilities in information-poor settings. Further investigation uncovers learning patterns and effects of the model in specific domains, with default hyper-parameter settings used to avoid extensive tuning.

In this section, we explore how Zero-shot and One-shot learning methods affect LLM accuracy in recognizing cant scenes for RQ2. Traditionally, One-shot learning often outperforms Zero-shot learning due to more available data [37]. However, our cross-domain analysis, depicted in Figure 6 and reflected in Table 1 (red section), reveals a trend favoring Zero-shot learning overall. We find this trend varies by domain.

In the politics domain, One-shot learning performs better due to ample data and contextual understanding. Conversely, in the LGBT domain, Zero-shot learning outperforms One-shot learning due to limited publicly available examples. One-shot learning aids ChatGPT-3.5 in better contextual comprehension of sensitive topics, but it may also introduce biases, leading to lower overall accuracy in specific domains. Similar analyses across other domains yield consistent results.

In this part of the study, the purpose of CantCounter is to explore the impact of different clues on LLM recognition and reasoning abilities. To this end, we provide four different clues to experiment with:

• •

  None-tip. Keeps the same as the original prompt and does not add any additional clues.

• •

  Tip 1. Add relevant tip for “None-tip”. For example, when describing Trump’s cant, we can add the clue “Politician” in the political domain to make the prompt more directional.

• •

  Tip 2. Add another relevant tip for “None-tip”. For example, when describing Trump’s cant, add the “United States” prompt in the domain of politics to enrich the prompt content.

• •

  All-tip. Add both Tip 1 and Tip 2 on the basis of “None-tip”; for example, when describing Trump’s cant, add both “politician” and “American” in the political domain to make the prompt more appropriate.

By observing the effects of these different clues on LLMs, CantCounter can assess the fluctuating changes they induce in recognition and reasoning abilities. This study will help further understand the influence of cues on LLM and provide directions for improving its application and performance.

To answer RQ2, Table 1 displays ChatGPT-3.5’s accuracy across five domains using different prompt clues. Generally, more clue-related information improves recognition accuracy, as seen in the political domain where All-tip prompts perform significantly better. However, increasing clues doesn’t always lead to higher accuracy, possibly due to information redundancy or LLM filter triggering. Too many clues may reduce accuracy, as seen in the LGBT domain where Tip 1 prompts were less accurate than none-tip prompts.

Our analysis stresses the importance of a balanced clue selection approach to maximize external information usage without compromising accuracy. Thus, choosing appropriate clues in moderate quantities is key to enhancing ChatGPT-3.5’s domain-specific performance.

In our study, we examine several LLMs alongside ChatGPT-3.5 to address RQ3, including GPT-4[1], New Bing [40], Bard [39], Claude [42], ERNIE [43], and SparkDesk [41]. While ERNIE is optimized for Chinese content, translating cant prompts may compromise their subtlety and effectiveness. Moreover, ERNIE’s frequent account suspensions hindered extensive trials [44]. Claude’s sensitive content handling also led to account suspensions [42]. Thus, we focus on comparing and validating four other LLMs: GPT-4, Bard, New Bing, and SparkDesk. Table 2 presents ratios of correct answers, refused answers, and “I don’t know” responses. Interestingly, GPT-4 consistently responds in all situations, avoiding refusal to answer. This contrasts with other models that often refuse to respond due to content filtering. GPT-4’s tendency to use “I don’t know” may stem from our controlled comparisons in the QTM and PCM methods, particularly in Multiple-choice scenarios. Conversely, other LLMs tend to refuse to answer, likely due to content categorization by filters and classifiers. SparkDesk exhibits the highest refusal rate, possibly due to overly strict filters. Furthermore, One-shot learning models are more prone to refusal to answer, as they rely on context understanding, potentially triggering filters. These findings offer insights into the performance of these LLMs across different learning tasks, informing future research directions.

We observe varying accuracy across different Q&A-Query types (RQ1), with Multiple-choice tasks being most accurate and Yes/No tasks the least. In sensitive domains, Zero-shot learning performs better than One-shot learning (RQ2). Increasing prompt clues improves cant identification accuracy (RQ2). More recent LLM models consistently avoid refusing to answer (RQ3), but they are more likely to refuse answering questions related to racism compared to LGBT (RQ4).