<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Daniel Huynh </title>
    <description>The latest articles on DEV Community by Daniel Huynh  (@mithrilsecurity).</description>
    <link>https://dev.to/mithrilsecurity</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1166020%2Fd3db624c-0f95-4322-b291-b747e4eb9102.jpg</url>
      <title>DEV Community: Daniel Huynh </title>
      <link>https://dev.to/mithrilsecurity</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/mithrilsecurity"/>
    <language>en</language>
    <item>
      <title>LaVague: Open-source Large Action Model to automate Selenium browsing</title>
      <dc:creator>Daniel Huynh </dc:creator>
      <pubDate>Fri, 29 Mar 2024 14:46:30 +0000</pubDate>
      <link>https://dev.to/mithrilsecurity/announcing-lavague-57i9</link>
      <guid>https://dev.to/mithrilsecurity/announcing-lavague-57i9</guid>
      <description>&lt;p&gt;&lt;strong&gt;TL;DR&lt;/strong&gt;&lt;a href="https://dev.tourl"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;LaVague is an open-source project designed to automate menial tasks on behalf of its users. Many of these tasks are repetitive, time-consuming, and require little to no cognitive effort. By automating these tasks, LaVague aims to free up time for more meaningful endeavors, allowing users to focus on what truly matters to them.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Our &lt;a href="https://colab.research.google.com/github/dhuynh95/LaVague/blob/main/LaVague.ipynb"&gt;GitHub&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Our &lt;a href="https://discord.com/invite/TDnGeUp6"&gt;Discord&lt;/a&gt; &lt;/li&gt;
&lt;li&gt;A &lt;a href="https://github.com/lavague-ai/LaVague"&gt;Gradio demo&lt;/a&gt; to get started&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;The journey&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Mithril Security was founded in 2021 in Paris and began by open-sourcing &lt;a href="https://blog.mithrilsecurity.io/introducing-blindai/"&gt;BlindAI&lt;/a&gt;, an AI deployment framework leveraging Intel SGX secure hardware to deploy models inside secure enclaves.&lt;/p&gt;

&lt;p&gt;BlindAI protects both data and models: it guarantees the privacy of data sent to an AI provider, and protects the model weights when deployed on premise.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://blog.mithrilsecurity.io/blindai-passes-independent-security-audit-by-quarkslab/"&gt;BlindAI has been audited&lt;/a&gt; by &lt;a href="https://www.quarkslab.com/?ref=blog.mithrilsecurity.io"&gt;Quarkslab&lt;/a&gt; in 2023 and was leveraged by the Future of Life Institute.&lt;/p&gt;

&lt;p&gt;We have always been passionate about AI and privacy and have been firm believers in open-source for security, transparency, and trust. &lt;/p&gt;

&lt;p&gt;I will not bore you with the many frameworks we have developed to make AI more privacy-friendly, but if you care, you can also have a look at:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://blog.mithrilsecurity.io/introducing-bastionlab-a-simple-privacy-framework-for-data-science-collaboration/"&gt;BastionLab&lt;/a&gt;: a remote data science framework with access control built-in&lt;br&gt;
&lt;a href="https://blog.mithrilsecurity.io/announcing-blindbox/"&gt;BlindBox&lt;/a&gt;: a framework to easily deploy Docker images inside Trusted Execution Environments&lt;br&gt;
&lt;a href="https://blog.mithrilsecurity.io/introducing-blindllama-zero-trust-ai-apis-with-privacy-guarantees-traceability/"&gt;BlindLlama&lt;/a&gt;: a BlindBox v2, supported by the OpenAI Cybersecurity Grant program, to deploy Kubernetes image on Azure instances with vTPM&lt;br&gt;
&lt;a href="https://blog.mithrilsecurity.io/blindchat-product-hunt-launch-of-our-confidential-ai-assistant/"&gt;BlindChat&lt;/a&gt;: a framework to chat with local models fitting in your browser using transformers.js&lt;/p&gt;

&lt;p&gt;We have also shared our analysis of the LLM ecosystem, from &lt;a href="https://huggingface.co/blog/dhuynh95/ai-tco-calculator?ref=blog.mithrilsecurity.io"&gt;the Total Cost of Ownership of AI models&lt;/a&gt; to &lt;a href="https://huggingface.co/blog/dhuynh95/automatic-hallucination-detection"&gt;hallucination detection&lt;/a&gt;, through the memorization of private data by LLMs. Our goal with these resources was to educate the market: to help it get onboarded on AI in general and, for privacy-sensitive customers, to leverage our confidential AI stack.&lt;/p&gt;

&lt;p&gt;All this was quite exciting to work on, but as a startup, we needed to find product-market fit. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;It all started with a side project...&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Before being CEO of Mithril Security, a privacy and security startup, I was an AI engineer by training and passion.&lt;/p&gt;

&lt;p&gt;Since the rise of LLMs, I have been looking for occasions to explore their potential, but due to my duties at Mithril, I have not yet been able to put in the time I wanted.&lt;/p&gt;

&lt;p&gt;However, in early March 2024, I participated in a hackathon that featured LLMs for function calls. I really wanted to win the Apple Vision Pro, so I put in some effort to come up with a quick and dirty working demo. As I believe LLMs have the potential to automate mechanical tasks, like web browsing, I came up with a framework to automatically generate Selenium code to program a browser from natural language instructions.&lt;/p&gt;

&lt;p&gt;I tried it, it worked, and voila! LaVague was born.&lt;/p&gt;

&lt;p&gt;Because we at Mithril have been firm believers in open source, I decided to open-source the project after the hackathon. I first announced it with an initial tweet, and it took off!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyvufgzodxio7sr0sg5ci.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyvufgzodxio7sr0sg5ci.png" alt="Image description" width="735" height="597"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Following that, we managed to make #1 on Hacker News.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxfx56kidi4euijx7r54y.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxfx56kidi4euijx7r54y.jpeg" alt="Image description" width="800" height="723"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Those events led to the explosive growth of our project:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2mfemhyrlsp87xly84dj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2mfemhyrlsp87xly84dj.png" alt="Image description" width="800" height="571"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After seeing that much enthusiasm for LaVague and talking to early users, we realized that this project has a huge potential to help developers in their automation journey.&lt;/p&gt;

&lt;p&gt;After a (very) short exchange with my team, we realized that the opportunity to democratize automation with AI was too exciting and thrilling not to do, so we have decided to broaden our mission focus and allocate Mithril's resources to make LaVague the new standard to automate automation!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;🌊LaVague: A new wave is coming&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;That’s where LaVague comes in! &lt;/p&gt;

&lt;p&gt;LaVague is a Large Action Model framework whose goal is to automate automation. By leveraging LLMs under the hood, we make it easy to generate Selenium code to automate web interactions simply from human instructions.&lt;/p&gt;

&lt;p&gt;You can see it in action below, where simple instructions are given to post on Hugging Face Social Posts:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyj1bcxt0xkxyv12p862v.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyj1bcxt0xkxyv12p862v.png" alt="Image description" width="800" height="365"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You can play with it directly by using this Colab. You can also find our GitHub &lt;a href="https://github.com/lavague-ai/LaVague"&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Fun story: LaVague started as a hackathon project to win a Vision Pro in a local SF hackathon. While I unfortunately did not win the hackathon, I won much more than that: a Vision for automation!&lt;/p&gt;

&lt;p&gt;We believe LLMs will not displace many people in the near future, as they are not as flexible or intelligent as humans are, which many jobs require. However, with the proper engineering (prompt engineering, Chain of Thought, fine-tuning, etc.), they have great potential to help automate mundane tasks.&lt;/p&gt;

&lt;p&gt;That is why our framework, LaVague, has immense potential to empower human agents in their day-to-day work by letting an AI take care of the menial and mechanical tasks, like browsing a website for information or filling out forms. Humans can then focus on reasoning and planning and delegate the execution of mechanical tasks to machines.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Philosophy&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Because we believe AI has the potential to profoundly impact our lives, such technology should be developed in the open.&lt;/p&gt;

&lt;p&gt;That is why LaVague is an open-source framework, leveraging other open-source libraries, such as Hugging Face or LlamaIndex, under the hood. Because we want people to be able to have their own private LLMs to automate their tasks, LaVague natively supports both local and remote LLM calls to provide as much flexibility as possible.&lt;/p&gt;

&lt;p&gt;Our key principle is that hackers hack for free. We want this to be a project by and for the AI community and beyond. All core components are developed openly, and we strive to guide this project to unlock the most value for the largest number.&lt;/p&gt;

&lt;p&gt;Obviously, as a startup, we still need a monetization strategy. We have decided on an open-core approach for LaVague, where users will be able to use and modify LaVague at will, but some Enterprise features (security, compliance, audit, scalability, etc.) will be packaged and sold to the Enterprise market.&lt;/p&gt;

&lt;p&gt;In addition, we will develop a hosted solution to make it easy for developers to get onboarded with LaVague.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Roadmap&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;So now, what is coming next to LaVague?&lt;/p&gt;

&lt;p&gt;Our end goal is to automate automation and provide the ultimate tooling for developers to easily program pipelines to automate menial tasks.&lt;/p&gt;

&lt;p&gt;Our first focus is to solve web automation. As most interactions happen on the internet today, providing an easy solution to interact with web resources could greatly help reduce time spent on menial tasks.&lt;/p&gt;

&lt;p&gt;Therefore, the initial efforts will be to develop the best framework to generate web pipelines, with a first focus on Selenium workflows. As Selenium is an industry standard, it will be the first solution we support, though others, such as Playwright, will be integrated.&lt;/p&gt;

&lt;p&gt;We aim within three months to have both:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A decentralized and open dataset of web interactions, to evaluate and train LaVague and ensure it properly generates Selenium code&lt;/li&gt;
&lt;li&gt;A model with 95% accuracy on a representative dataset of internet interactions&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Some non-exhaustive elements of this roadmap:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Fine-tuning a Gemma 7b for a better local model&lt;/li&gt;
&lt;li&gt;Improving the retriever so it has the right precision/accuracy when asked to find the relevant HTML of the current page&lt;/li&gt;
&lt;li&gt;Having a Hub of functions created by LaVague&lt;/li&gt;
&lt;li&gt;Integrating other frameworks, such as Playwright or Selenium IDE, with a browser plugin&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Mithril Security has seen a lot since its inception in 2021. Even though our initial focus on enclaves for AI has not borne the fruits we hoped for, that work is still progressing at a steady rhythm with partners like the Future of Life Institute to make AI confidentiality and transparency a reality!&lt;/p&gt;

&lt;p&gt;We have started a new journey with LaVague, more focused on unlocking the full potential of AI to automate automation!&lt;/p&gt;

&lt;p&gt;If you are interested in contributing, asking questions, or proposing features, do not hesitate to contact us on &lt;a href="https://discord.com/invite/TDnGeUp6"&gt;Discord&lt;/a&gt;! If you want professional support in your adoption of LaVague, you can also &lt;a href="mailto:contact@mithrilsecurity.io"&gt;email&lt;/a&gt; us directly.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Deep dive: Privacy risks of fine-tuning LLMs</title>
      <dc:creator>Daniel Huynh </dc:creator>
      <pubDate>Wed, 20 Sep 2023 13:19:11 +0000</pubDate>
      <link>https://dev.to/mithrilsecurity/deep-dive-privacy-risks-of-fine-tuning-5cj6</link>
      <guid>https://dev.to/mithrilsecurity/deep-dive-privacy-risks-of-fine-tuning-5cj6</guid>
<description>&lt;h3&gt;Key Takeaways&lt;/h3&gt;

&lt;p&gt;LLMs can leak data through two mechanisms:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Input privacy: data is exposed when sent to a remote AI provider, e.g. Hugging Face or OpenAI, and is at risk if the provider’s admins are compromised or malicious.&lt;/li&gt;
&lt;li&gt;Output privacy: a user or attacker can send prompts that make the LLM regurgitate parts of its training or fine-tuning set, which can leak confidential information. This is what happened to Samsung.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Input privacy issues arise when relying on external SaaS AI solutions like GPT4 APIs, while output privacy issues arise when people fine-tune LLMs on their private data and don’t restrict who can query the LLM.&lt;/p&gt;

&lt;p&gt;Imagine a world where typing ‘My credit card number is…’ into a chatbot results in it auto-completing with a real person’s credit card details. Shocking but true. This article explores the inherent risks in fine-tuning Large Language Models (LLMs).&lt;/p&gt;

&lt;p&gt;Privacy issues with LLMs have made the news, the most publicized being Samsung’s data leakage after using OpenAI at the end of 2022.&lt;/p&gt;

&lt;p&gt;But what exactly happened? What was the mechanism that was involved in this data leakage? Was it OpenAI’s fault? How are LLMs any different from other technologies in terms of privacy?&lt;/p&gt;

&lt;p&gt;This article is highly inspired by the paper “Beyond Privacy Trade-offs with Structured Transparency” (Trask, A., Bluemke, E., Garfinkel, B., Cuervas-Mons, C.G. and Dafoe, A., 2020, arXiv preprint arXiv:2012.08347) which introduces the 5 pillars of privacy, including input and output privacy.&lt;/p&gt;

&lt;p&gt;To understand how those attacks work in practice, let’s start with a concrete example.&lt;/p&gt;

&lt;h3&gt;Example — Bank Assistant Chatbot&lt;/h3&gt;

&lt;p&gt;Let’s say a bank provides customers with a Chatbot for account support and financial advice.&lt;/p&gt;

&lt;p&gt;To deploy this Chatbot, they first have to source a good AI model. Instead of developing an in-house AI solution, utilizing an external SaaS AI service provider such as OpenAI, Cohere, or Anthropic is more efficient. Let’s consider that they choose this option.&lt;/p&gt;

&lt;p&gt;Firstly, fine-tuning is performed to ensure the final Chatbot is of good quality. (Fine-tuning is a process where the model is further trained, or “tuned”, on a new dataset to adapt it to specific tasks or to improve its performance.) To improve the performance of the Chatbot, previous conversations between customers and counselors are used to train the AI. For instance, OpenAI recently announced their fine-tuning feature, which allows such customization.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg78ytwrllpv60ry2sy2n.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg78ytwrllpv60ry2sy2n.JPG" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The AI provider starts by allocating a dedicated instance where their model is loaded and only available to the bank. The bank then uploads past customer interactions to fine-tune the model.&lt;/p&gt;

&lt;p&gt;The model is then fine-tuned on the data and can be used for deployment. Note that at this stage, the model’s weights implicitly contain information about the bank’s training set; this would not be the case if the foundational model were used as-is, without fine-tuning.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh828ibish29iq366jl7r.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh828ibish29iq366jl7r.JPG" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Finally, the Chatbot can be used in production in a deployment phase where users can send queries and prompts to receive counsel from the AI.&lt;/p&gt;

&lt;p&gt;Let’s see now what different attacks can be performed on this system.&lt;/p&gt;

&lt;h3&gt;Input privacy&lt;/h3&gt;

&lt;p&gt;Input privacy means sensitive data shared with providers remains confidential and protected, even while applying a managed proprietary AI.&lt;/p&gt;

&lt;p&gt;Input privacy issues arise a lot in the world of SaaS AI, with, for instance, OpenAI, Hugging Face, Vertex AI, or Cohere’s AI APIs.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feiu3jem8c22v6rr3w2jr.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feiu3jem8c22v6rr3w2jr.JPG" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The threat in that scenario comes from the AI provider, who is able to see the bank’s data, as the bank is sending the historical conversations for fine-tuning and live conversations for production.&lt;/p&gt;

&lt;p&gt;Were the AI provider’s admins malicious or their infrastructure compromised, the bank data containing customers’ sensitive banking information would be exposed.&lt;/p&gt;

&lt;p&gt;This threat is nothing new. It is just plain old data exposure to third-party SaaS vendors: the owner of sensitive data resorts to an external SaaS supplier, and that supplier gets compromised.&lt;/p&gt;

&lt;p&gt;While it is sensible not to want one’s private data to roam freely on the internet, so far OpenAI has not suffered any data exposure following external attacks.&lt;/p&gt;

&lt;p&gt;So how was Samsung’s data leaked by OpenAI’s systems? The data got leaked through a totally different channel, and this threat is specific to LLMs and potentially affects most of them: it’s called data memorization.&lt;/p&gt;

&lt;p&gt;Let’s dive into this to better understand it.&lt;/p&gt;

&lt;h3&gt;Output privacy&lt;/h3&gt;

&lt;p&gt;To get a better understanding of how such data exposure happens, one has to understand what an LLM does at the core.&lt;/p&gt;

&lt;p&gt;LLM stands for Large Language Model, which basically means it is a big neural network that is trained to complete sentences on a corpus like Wikipedia.&lt;/p&gt;

&lt;p&gt;The formulation is as follows: given n previous tokens, which we can assume to be words for simplicity, the LLM has to predict the next word.&lt;/p&gt;

&lt;p&gt;For instance, if n=4, we might show to the LLM “The cat sat on …” and the LLM has to answer the most statistically likely word based on the dataset it has been shown during training, which can be “ground,” “bench,” “table,” etc.&lt;/p&gt;

&lt;p&gt;But this means the LLM has to learn its training set by heart. If sensitive information is included in the training set, then when someone starts typing the beginning of a sentence, the LLM might complete it with confidential information.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwhxglr05dptnx24un1t1.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwhxglr05dptnx24un1t1.JPG" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For example, if an external attacker, or even a benevolent user, prompts the LLM with “My credit card number is …”, it might complete the sentence with the credit card number of a real person whose data leaked into the training set!&lt;/p&gt;

&lt;p&gt;It is through this mechanism of memorization that LLMs are able to leak potentially sensitive information when prompted by users.&lt;/p&gt;

&lt;p&gt;This is at the core of output privacy, which is the property that interacting with an LLM should not disclose sensitive interactions others have had with the model, nor reveal personal information possibly found in the training data.&lt;/p&gt;

&lt;p&gt;The Samsung privacy leakage when using LLMs was due to output privacy issues. At the end of 2022, OpenAI soft-launched ChatGPT but advised users to proceed with caution and not share sensitive information, as they would use the requests to improve their model further.&lt;/p&gt;

&lt;p&gt;Some Samsung employees either ignored or didn’t know about the rules. They sent confidential data like source code to ChatGPT to help with their work.&lt;/p&gt;

&lt;p&gt;Unfortunately, OpenAI’s model learned by heart their data during their fine-tuning period. Reportedly, external users — potentially competitors — managed to make ChatGPT reveal Samsung’s confidential data.&lt;/p&gt;

&lt;p&gt;While this episode made the news widely, it is not going to be a single event. LLMs have been shown to memorize large parts of their training set. The paper “Quantifying Memorization Across Neural Language Models” showed that at least 1% of the training set was learned by heart by LLMs such as GPT-J, and the bigger the model, the more likely the memorization.&lt;/p&gt;

&lt;p&gt;A Fast.ai blog post also indicates that even rare examples (even with a single occurrence) in the training data can be memorized during fine-tuning.&lt;/p&gt;

&lt;p&gt;Any company fine-tuning an LLM on their private data and exposing it to arbitrary users could potentially expose confidential information!&lt;/p&gt;

&lt;p&gt;Unlike input privacy, which is a concern across the SaaS industry, output privacy is a unique issue for Large Language Models (LLMs). This is because LLMs have the ability to memorize their training data.&lt;/p&gt;

&lt;p&gt;The key element of output privacy is that even innocent queries could accidentally reveal sensitive training data! The risk isn’t just from malicious attackers, unlike the typical landscape of machine learning attacks involving sophisticated hackers.&lt;/p&gt;

&lt;h3&gt;Conclusion&lt;/h3&gt;

&lt;p&gt;To summarize what we said, we provide the following table to explain the key elements of each exposure style:&lt;/p&gt;

&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;&lt;th&gt;&lt;/th&gt;&lt;th&gt;Input Privacy&lt;/th&gt;&lt;th&gt;Output Privacy&lt;/th&gt;&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;Threat Agents&lt;/td&gt;&lt;td&gt;Malicious admins or outside attackers&lt;/td&gt;&lt;td&gt;Regular users or outside attackers&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Vectors&lt;/td&gt;&lt;td&gt;Regular attacks to compromise the AI provider&lt;/td&gt;&lt;td&gt;Regular queries to a publicly available LLM&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Party Compromised and Responsible&lt;/td&gt;&lt;td&gt;Third-party AI provider&lt;/td&gt;&lt;td&gt;Data owner&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;

&lt;p&gt;We have seen in this article that data exposure when resorting to LLMs can happen in mainly two ways: input privacy issues (you sent data to a third-party AI supplier whose systems were compromised) and output privacy issues (a model was fine-tuned on your data, and external users queried that model and made it regurgitate your data).&lt;/p&gt;

&lt;p&gt;Different techniques can address both of these issues. Local deployment of models and Privacy Enhancing Technologies (PETs) help guarantee input privacy. Data flow control techniques can be used to ensure output privacy.&lt;/p&gt;

&lt;p&gt;We will explore the landscape of methods to solve these privacy issues in a later article.&lt;/p&gt;

</description>
      <category>llm</category>
      <category>privacy</category>
      <category>data</category>
      <category>finetuning</category>
    </item>
  </channel>
</rss>
