AI code helpers just can't stop inventing package names
- Reference: 1727668747
- News link: https://www.theregister.co.uk/2024/09/30/ai_code_helpers_invent_packages/
- Source link:
One thing AI makes up quite often is the names of software packages.
As we noted earlier this year, Lasso Security found that large language models (LLMs), when generating sample source code, will sometimes invent names of software package dependencies [1]that don't exist .
[2]
That's scary, because criminals could easily create a package that uses a name produced by common AI services and cram it full of malware. Then they just have to wait for a hapless developer to accept an AI's suggestion to use a poisoned package that incorporates a co-opted, corrupted dependency.
[3]
[4]
Researchers from University of Texas at San Antonio, University of Oklahoma, and Virginia Tech recently looked at 16 LLMs used for code generation to explore their penchant for making up package names.
In a [5]preprint paper titled "We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs," the authors explain that hallucinations are one of the unresolved shortcomings of LLMs.
[6]
That's perhaps not lost on the lawyers who last year used generative AI to cite non-existent court cases in legal briefs, and then had to make their own [7]apologies to affected courts . But among those who find LLMs genuinely useful for coding assistance, it's a point that bears repeating.
"Hallucinations are outputs produced by LLMs that are factually incorrect, nonsensical, or completely unrelated to the input task," according to authors Joseph Spracklen, Raveen Wijewickrama, A H M Nazmus Sakib, Anindya Maiti, Bimal Viswanath, and Murtuza Jadliwala. "Hallucinations present a critical obstacle to the effective and safe deployment of LLMs in public-facing applications due to their potential to generate inaccurate or misleading information."
Maybe not "we've bet on the wrong horse" critical – more like "manageable with enough marketing and lobbying" critical.
[8]
LLMs already have been deployed in public-facing applications, thanks to the enthusiastic sellers of AI enlightenment and cloud vendors who just want to make sure all the expensive GPUs in their datacenters see some utilization. And developers, [9]to hear AI vendors tell it , love coding assistant AIs. They apparently improve productivity and leave coders [10]more confident in the quality of their work .
Even so, the researchers wanted to assess the likelihood that generative AI models will fabulate bogus packages. So they used 16 popular LLMs, both commercial and open source, to generate 576,000 code samples in JavaScript and Python, which rely respectively on the npm and PyPI package repositories.
The results left something to be desired.
"Our findings reveal that the average percentage of hallucinated packages is at least 5.2 percent for commercial models and 21.7 percent for open source models, including a staggering 205,474 unique examples of hallucinated package names, further underscoring the severity and pervasiveness of this threat," the authors state.
[11]FTC sues five AI outfits – and one case in particular raises questions
[12]Recall the Recall recall? Microsoft thinks it can make that Windows feature palatable
[13]Now Dell salespeople must be onsite five days a week
[14]Data harvesting superapp admits it struggled to wield data – until it built an LLM
The 30 tests run from the set of research prompts resulted in 2.23 million packages being created – about 20 percent of which (440,445) were determined to be hallucinations. Of those, 205,474 were unique non-existent packages that could not be found in PyPI or npm.
What's noteworthy here – beyond the fact that commercial models are four times less likely than open source models to fabricate package names – is that these results show four to six times fewer hallucination than Lasso Security's figures for GPT-3.5 (5.76 percent vs 24.2 percent) and GPT-4 (4.05 percent vs. 22.2 percent). That counts for something.
Reducing the likelihood of package hallucinations comes at a cost. Using the DeepSeek Coder 6.7B and CodeLlama 7B models, researchers implemented a mitigation strategy via Retrieval Augmented Generation (RAG), to provide a list of valid package names to help guide prompt responses, and Supervised Fine-Tuning, to filter out invented packages and retain the model. The result was reduced hallucination – at the expense of code quality.
"The code quality of the fine-tuned models did decrease significantly, -26.1 percent and -3.1 percent for DeepSeek and CodeLlama respectively, in exchange for substantial improvements in package hallucination rate," the researchers wrote.
Size matters too
In the [15]other study exploring AI hallucination, José Hernández-Orallo and colleagues at the Valencian Research Institute for Artificial Intelligence in Spain found that LLMs become more unreliable as they scale up.
The researchers looked at three model families: OpenAI's GPT, Meta's LLaMA and BigScience's open source BLOOM. They tested the various models against scaled-up versions (more parameters) of themselves, with questions about addition, word anagrams, geographical knowledge, science, and information-oriented transformations.
They found that while the larger models – those shaped with fine-tuning and more parameters – are more accurate in their answers, they are less reliable.
That's because the smaller models will avoid responding to some prompts they can't answer, whereas the larger models are more likely to provide a plausible but wrong answer. So the portion of non-accurate responses consists of a greater portion of incorrect answers, with a commensurate reduction in avoided answers.
This trend was noticed particularly for OpenAI's GPT family. The researchers found that GPT-4 will answer almost anything, where prior model generations would avoid responding in the absence of a reliable prediction.
Further compounding the problem, the researchers found that humans are bad at evaluating LLM answers – classifying incorrect answers as correct from [16]around 10 to 40 percent of the time.
Based on their findings, Hernández-Orallo and his co-authors argue, "relying on human oversight for these systems is a hazard, especially for areas for which the truth is critical."
This is a long-winded way of rephrasing [17]Microsoft's AI boilerplate , which warns not to use AI for anything important.
"[E]arly models often avoid user questions but scaled-up, shaped-up models tend to give an apparently sensible yet wrong answer much more often, including errors on difficult questions that human supervisors frequently overlook," the researchers conclude.
"These findings highlight the need for a fundamental shift in the design and development of general-purpose artificial intelligence, particularly in high-stakes areas for which a predictable distribution of errors is paramount." ®
Get our [18]Tech Resources
[1] https://www.theregister.com/2024/03/28/ai_bots_hallucinate_software_packages/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zvp2xHeLwcA8-e6-TE99TQAAAFM&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zvp2xHeLwcA8-e6-TE99TQAAAFM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zvp2xHeLwcA8-e6-TE99TQAAAFM&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://arxiv.org/abs/2406.10279
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zvp2xHeLwcA8-e6-TE99TQAAAFM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2023/06/22/lawyers_fake_cases/
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zvp2xHeLwcA8-e6-TE99TQAAAFM&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://github.com/features/copilot
[10] https://github.blog/news-insights/research/research-quantifying-github-copilots-impact-on-code-quality/
[11] https://www.theregister.com/2024/09/26/ftc_sues_ai_outfits/
[12] https://www.theregister.com/2024/09/27/microsoft_has_some_thoughts_about/
[13] https://www.theregister.com/2024/09/26/dell_sales_staff_full_rto/
[14] https://www.theregister.com/2024/09/27/grab_dataset_llm/
[15] https://www.nature.com/articles/s41586-024-07930-y
[16] https://www.nature.com/articles/d41586-024-03137-3
[17] https://www.theregister.com/2024/08/14/microsoft_services_agreement_update_warns/
[18] https://whitepapers.theregister.com/
If security is dependent simply on the name of a piece of software...
... then a random name generator is a symptom, not a cause, of the failure.
Re: If security is dependent simply on the name of a piece of software...
This is a problem I was aware of decades ago. Back when I was writing software in Borland C++ and explicitly loading my own DLLs (the safest and least troublesome way). We had a standard module that all applications/DLLs included. This handled the location, verifying and loading of DLLs and performed a handshake test during API initialisation.
Now this was written a long time ago and the two verification processes (MD5 of DLL stream, exchange of MD5 between application and DLL) could probably be faked but then I was not writing critical software. I was just writing data recovery software and had an innate suspicion of anything 'not invented here'. The idea of just loading a stream of bytes into process memory space and calling into it worried me.
I guess I was always just a suspicious git..
Explicit DLL loading also meant we preferred to have a few API functions that took command IDs rather than dozens of exported functions. This made tracing easier and also meant only a few places to put validation checking. It also made versions changes less likely to break and even allowed us to produce an RPC-like module for remote execution.
Imaginative theft
If LLMs are making up non-existent package names, how does that sit with accusations they "steal" other coders' work?
Re: Imaginative theft
..That they are both stealing other coders work AND making things up? It is possible for two accusations to be true.
Re: Imaginative theft
Presumably the "stolen" code does not contain made-up library names. So the code that does contain them must be the sole work of the AI. A mark of originality
In other news
Malware written by LLMs makes up the same package names, and auto-publishes to PyPi et al
"Don't use AI for anything important" - the last part of that advice is redundant. Is your job important? Is the security of your home computer important?
I wouldn't trust AI to correctly...
implement a bubble sort let alone any algorithm more complex.
If AI is slurping its coding skills from the unwashed of the internet then among the correct implementations of any non trivial algorithm there are also oodles more not so correct implementations to poison the well.
I would be extremely impressed if I were to give an AI assistant a (formal) specification and it were to return the algorithm(s) used, an implementation with a (formal) proof of correctness with respect to the specification.
I would dearly love to be extremely impressed in such a fashion (and in this life.)
Re: I wouldn't trust AI to correctly...
LLM is still much more capable than most junior developers.
"I would be extremely impressed if..."
If you want to converse with a computer in a formal language then maybe give Prolog a go. Personally, I never felt comfortable with it.
Opportunity
If LLM hallucinates a package name, then ask it to describe its API in full and then create an implementation for it.
Put it on GitHub and reap profits.
Someone should tell the AI that generated this story too include the wacky names their brothers generated would be an interesting read.