How well do truth probes generalise?
Representation engineering (RepEng) has emerged as a promising research avenue for model interpretability and control. Recent papers have proposed methods for discovering truth in models with unlabeled data, guiding generation by modifying representations, and building LLM lie detectors. RepEng asks the question: If we treat representations as the central unit, how much power do we have over a model’s behaviour?
Most techniques use linear probes to monitor and control representations. An important question is whether the probes generalise. If we train a probe on the truths and lies about the locations of cities, will it generalise to truths and lies about Amazon review sentiment? This report focuses on truth due to its relevance to safety, and to help narrow the work.
Generalisation is important. Humans typically have one generalised notion of “truth”, and it would be enormously convenient if language models also had just one[1]. This would result in extremely robust model insights: every time the model “lies”, this is reflected in its “truth vector”, so we could detect intentional lies perfectly, and perhaps even steer away from them.
We find that truth probes generalise surprisingly well, with the 36% of methodologies recovering >80% of the accuracy on out-of-distribution datasets compared with training directly on the datasets. The best probe recovers 92% accuracy.
Thanks to Hoagy Cunningham for feedback and advice. Thanks to LISA for hosting me while I did a lot of this work. Code is available at mishajw/repeng, along with steps for reproducing datasets and plots.
Methods
We run all experiments on Llama-2-13b-chat, for parity with the source papers. Each probe is trained on 400 questions, and evaluated on 2000 different questions, although numbers may be lower for smaller datasets.
What makes a probe?
A probe is created using a training dataset, a probe algorithm, and a layer.
We pass the training dataset through the model, extracting activations[2] just after a given layer. We then run some statistics over the activations, where the exact technique can vary significantly—this is the probe algorithm—and this creates a linear probe. Probe algorithms and datasets are listed below.
A probe allows us to take the activations, and produce a scalar value where larger values represent “truth” and smaller values represent “lies”. The probe is always linear. It’s defined by a vector (), and we use it by calculating the dot-product against the activations (): . In most cases, we can avoid picking a threshold to distinguish between truth and lies (see appendix for details).
We always take the activations from the last token position in the prompt. For the majority of the datasets, the factuality of the text is only revealed at the last token, for example if saying true/false or A/B/C/D.
For this report, we’ve replicated the probing algorithm and datasets from three papers:
Discovering Latent Knowledge in Language Models Without Supervision (DLK).
Representation Engineering: A Top-Down Approach to AI Transparency (RepE).
We also borrow a lot of terminology from Eliciting Latent Knowledge from Quirky Language Models (QLM), which offers another great comparison between probe algorithms.
Probe algorithms
The DLK, RepE, GoT, and QLM papers describe eight probe algorithms. For each algorithm, we can ask whether it’s supervised and whether it uses grouped data.
Supervised algorithms use the true/false labels to discover probes. This should allow better performance when truth isn’t salient in the activations. However, using supervised data encourages the probes to predict what humans would label as correct rather than what the model believes is correct.
Grouped algorithms utilise “groups” of statements to build the probes. For example, all possible answers to a question (true/false, A/B/C/D) constitute a group. Using this information should allow the probe to remove noise from the representations.
| Outline | Supervised[3]? | Grouped? | |
Linear Artificial Tomography (LAT) from RepE. | Takes the first principle component of the differences between random pairs of activations. Details. | No. | No. |
Contrast-Consistent Search (CCS) from DLK. | Given contrastive statements (e.g. “is the sky blue? yes” and “is the sky blue? no”), build a linear probe that satisfies:
| No. | Yes. |
Difference-in-means (DIM) from GoT (as MMP). | Take the difference in means between true and false statements. Details. | Yes. | No.[4] |
Linear discriminant analysis (LDA) from GoT (as MMP-IID). | Take the difference in means between true and false statements (like DIM), and skew the decision boundary by the inverse of the covariance matrix of the activations. Details. Intuitively, this takes the truth direction and then accounts for interference with other features. | Yes. | No. |
| Principal component analysis (PCA). | Take the top principal component of the activations. Details. | No. | No. |
Grouped principal component analysis (PCA-G)[5] from DLK (as CRC-TPC) | For each question, calculate the mean activation and subtract it from every answer’s activations. Then take the top principal component of the question-normalised activations. Details. | No. | Yes. |
| Logistic regression (LR). | Perform a logistic regression, taking in activations and predicting whether they are true. Details. | Yes. | No. |
| Grouped logistic regression (LR-G). | As LR, but using activations that have the group means subtracted. Details. | Yes. | Yes. |
Datasets
The key contribution of the papers above isn’t just the probe algorithms, it’s also the datasets they use to build the probes. Across all papers, we find 18 datasets (eight from DLK, five from RepE, and five from GoT).
The DLK datasets are straight-forward binary questions, used to craft contrasting pairs.
The RepE datasets differ in two important ways. One, they allow more than two answers per question, as the RepE paper doesn’t use contrasting pairs. Two, they add the suffix “The probability of the answer being plausible is” which prompts the model to evaluate the truthfulness of the statement.
The GoT dataset is the most principled of this collection. They take “uncontroversial, unambiguous, and simple enough” statements, attempting to hone in on the obviously true. These statements really are simple, such as “{city} is in {country}” or “{x} is less than {y}”.
| Choices? | Style? | Simple? | Approx. prompt template | Datasets | |
| DLK | Binary[6]. | Q&A. | No. | Consider the following example: {content} Choice 1: {choice1} Choice 2: {choice2} Between choice 1 and choice 2, the sentiment of this passage is {choice 1 / choice 2} | imdb, amazon_polarity, ag_news, dbpedia_14, rte, copa, boolq, piqa |
| RepE | Multiple (2-5). | Q&A. | No. | Consider the correctness of the following: Question: {question} Answer: {answer} The probability of the answer being plausible is | openbook_qa, common_sense_qa, race, arc_challenge, arc_easy |
| GoT | Binary/none[7]. | Statements. | Yes. | The city of {city} is in {country}. | cities, sp_en_trans, larger_than, cities_cities_conj, cities_cities_disj |
Measuring generalisation
We measure generalisation by seeing how well probes trained on one dataset generalise to other out-of-distribution datasets. For example, we train a probe on whether a news article is about business or sports (ag_news) and see how well it performs when detecting if numbers are bigger or smaller than each other (larger_than). We use 18 diverse datasets.
Recovered accuracy
We measure how well a probe recovers the accuracy on an out-of-distribution dataset, compared with training a probe directly on that dataset.
For each evaluation dataset, we create an accuracy threshold for that dataset. When evaluating whether a probe generalises to the evaluation dataset, we compare its accuracy to this threshold.
To create a threshold for a dataset we:
Train a suite of probes (one for every probing algorithm and layer) on the train subset.
Take the best performing probe according to accuracy on the validation subset.
Take its accuracy on the test subset as the threshold.
To evaluate a probe against a threshold we:
Train the probe on the train subset of its dataset (typically different from the evaluation dataset).
Evaluate the accuracy of the probe on the evaluation dataset’s test subset.
Taking the percent of the threshold accuracy achieved by the probe (accuracy/threshold).
We clip recovered accuracy at 100%.
Finding the best generalising probe
The obvious way to compare two probes is to compare their average recovered accuracy across all datasets. However, if one probe has been trained on a dataset that is difficult to generalise to but nevertheless still offers good performance, then it has an unfair advantage.
To remedy this, do a pairwise comparison between each probe which looks at only the datasets that neither of them were trained on. We take the best probe as the probe with the highest number of “wins” across all pairwise comparisons.
Note that, as above, we perform the pairwise comparisons on the validation set. All results below are reported from the test set.
Results
We train ~1.5K probes (8 algorithms * 18 datasets * 10 layers[8]), and evaluate on each dataset, totalling ~25K evaluations (~1.5K probes * 18 datasets).
While probes on early layers (<=9) perform poorly, we find that for mid-to-late layers (>=13) 36% of all probes recover >80% accuracy. This is evidence in favour of a single generalised truth notion in Llama-2-13b-chat. However, the fact that we don’t see 100% recovered accuracy in all cases suggests that either (1) there is interference in how truth is represented in these models, and the interference doesn’t generalise across datasets, or (2) truth is in fact represented in different but highly correlated ways.
The best generalising probe is a DIM probe trained with dbpedia_14 on layer 21. It recovers, on average, 92.8% of accuracy on all datasets.
Examining the best probe
Let’s dig a bit deeper into our best probe. We vary each of the three hyperparameters (algorithm, train dataset, and layer) individually. This shows that the probe isn’t too sensitive to hyperparameters, as other choices perform nearly as well.
Examining algorithm performance
Let’s break down by algorithm, and take the average recovered accuracy across all probes created using that algorithm.
Takeaways:
There is little variation in probe performance.
Supervised methods appear to outperform unsupervised methods.
There isn’t a standout pattern in grouped methods: the PCA-G significantly outperforms the PCA version, but there’s less of a difference between LR and LR-G.
LDA is an outlier, performing significantly worse than other probes. See appendix for further investigation.
Examining dataset performance
Similarly to above, we break down by what dataset the probe is trained on.
Takeaways:
The DLK datasets generally perform better than RepE and GoT datasets.
Surprisingly, the got_cities_cities_conj dataset outperforms all other datasets, and has a huge margin over the other GoT datasets.
My initial assumption was that the threshold for this dataset was set very low, so all probes managed to meet it. This was not the case, the threshold is set to 99.3%.
We can also plot a “generalisation matrix” showing how well each dataset generalises to each other dataset.
There seems to be some structure here. We explore further by clustering the datasets, and find that they do form DLK, RepE, and GoT clusters:
Another interesting thing to look at is a comparison between how well a dataset generalises to other datasets, and how well other datasets generalise to it.
Takeaways:
DLK datasets are better than RepE and GoT on both generalising from and to.
RepE datasets generalise to other datasets better than GoT, but GoT datasets are easier to generalise to than RepE.
Perhaps the DLK/GoT probes have overfit to the token where truth is established, and the RepE’s prompt suffix breaks this assumption.
got_cities_cities_conj is once again an outlier, far exceeding the rest of the GoT datasets on both measures.
How do we know we’re detecting truth, and not just likely statements?
Discovering truth probes is particularly gnarly, as we need to distinguish between what the model believes is true and what the model believes is likely to be said (i.e. likely to be said by humans).
This distinction is hard to make. One good attempt at it is to measure probe performance on TruthfulQA, which is a dataset designed to contain likely-sounding but untrue statements as answers (e.g. common misconceptions).
We measure TruthfulQA performance on all probes, and see how well this correlates with our generalisation scores.
We find that 94.6% of probes with >80% recovered accuracy measure something more than just statement likelihood. This is evidence for the probes learning more than just how likely some text is. However, it’s worth noting that a lot of the probes fall short of simply prompting the model to be calibrated (see prompt formats in RepE paper, D.3.2).
Conclusion & future work
We find some probing methods with impressive generalisation, that appear to be measuring something more than truth. This is evidence for a generalised notion of truth in Llama-2-13B-chat.
The results above ask more questions than they answer:
Why do probes not generalise perfectly?
Do they overfit to the interference from other features?
Are some datasets biased in some way, skewing truth probes?
Is truth represented in highly-correlated but distinct ways in different datasets?
What explains the variance in performance between probes?
Does training on multiple datasets improve performance?
Do smaller models also have a generalised notion of truth?
Why does got_cities_cities_conj generalise well?
Why does LDA generalise poorly?
There’s a lot of work to be done exploring generalisation in RepEng (and even more work to be done in RepEng generally!). Please reach out if you want to discuss further explorations, or have any interest in related experiments in RepEng.
Appendix
Validating implementations
We validate the implementations in a few ways.
Do we get 80% accuracy on arc_easy? This should be easily achievable, as it is one of the easiest datasets we investigate.
Do we get ~100% accuracy on GoT datasets? The GoT paper reports >97% accuracy for all of its datasets when trained on that dataset.
Can we reproduce accuracies from the RepE paper? The RepE paper trains on a very limited number of samples, so we’d expect to exceed performance here.
Validating LDA implementation
Above, the LDA probe performs poorly. This hints at a bug. However, our implementation simply calls out to scikit. We also find that the probe performs better than LDA in-distribution, but worse out-of-distribution:
Thresholding
To evaluate probe performance, we run the probe over activations from correct and incorrect statements, and check that the probe has higher “truth values” for correct statements. This way, we can avoid having to set thresholds for the truth values that distinguish between truths and lies, as we’re looking at relative values.
Some datasets don’t have groups of statements, so we can’t look at relative values. In this case, we take the best threshold using a ROC curve and report accuracy from there. This is done for got_cities_cities_conj and got_cities_cities_disj.
- ^
What it really means for a language model to have a “notion” of “truth” is… poorly defined. Here, I mean this empirically: if the model says something that “it knows is not true” (i.e. something obviously contradicting its training data), does this always pass through the same “notion” (i.e. representation vector).
- ^
In the case of Llama-2, this is the residual stream after the MLP has been added to it.
- ^
For unsupervised methods, we do technically use the labels in two places. One, we select the sign of the probe based on labels. Two, for some datasets, we only want one true and false answer each, while there may be many. We use the labels to limit to one each.
- ^
This probe doesn’t change if you make it grouped, as the diff-of-means is equal to the mean-of-diffs.
- ^
We go against the literature and call this PCA-G rather than CRC, to make the contrast with PCA clear.
- ^
In cases where the Q&A dataset contains >2 answers, we take a single true and single false answer.
- ^
We differ slightly from the original GoT paper in naming, and use
got_citiesto refer to both thecitiesandneg_citiesdatasets. The same is true forsp_en_transandlarger_than. We don’t do this forcities_cities_{conj,disj}and leave them unpaired. - ^
Llama-2 13B has 40 layers. We take every fourth layer starting from the second and ending on the last.
For Linear Tomography and Principle Component Analysis, I’m assuming that by unsupervised you mean that you don’t use the labels for finding the vector, but that you do use them for determining which sign is true and which is false. If so, this might be worth clarifying in the table.
That’s right—thanks for pointing out! Added a footnote:
Have you ever looked at TruthfullQA? Many of the answers may have been true at the time, but are no longer true. Others… I disagree with.
Consider this question:
Wow it’s amazing the TruthfullQA dataset has solved the hard problem of consciousness with enough certainty to provide ground truth labels.
The belief about JFK is controversial, and hard to disprove. But clearly TruthfullQA knows the truth there too!
There is no way this might change by year...
View it here: https://huggingface.co/datasets/norabelrose/truthful_qa/viewer?row=41
Very cool! Always nice to see results replicated and extended on, and I appreciated how clear you were in describing your experiments.
In my most recent revision of GoT[1] we did some experiments to see how truth probe generalization changes with model scale, working with LLaMA-2-7B, −13B, and −70B. Result: truth probes seems to generalize better for larger models. Here are the relevant figures.
Some other related evidence from our visualizations:
We summed things up like so, which I’ll just quote in its entirety:
One approach here is to use a dataset in which the truth and likelihood of inputs are uncorrelated (or negatively correlated), as you kinda did with TruthfulQA. For that, I like to use the “neg_” versions of the datasets from GoT, containing negated statements like “The city of Beijing is not in China.” For these datasets, the correlation between truth value and likelihood (operationalized as LLaMA-2-70B’s log probability of the full statement) is strong and negative (-0.63 for neg_cities and -.89 for neg_sp_en_trans). But truth probes still often generalize well to these negated datsets. Here are results for LLaMA-2-70B (the horizontal axis shows the train set, and the vertical axis shows the test set).
Yep, we found the same thing—LDA improves things in-distribution, but generalizes work than simple DIM probes.
I found this result surprising, thanks! I don’t really have great guesses for what’s going on. One thing I’ll say is that it’s worth tracking differences between various sorts of factual statements. For example, for LLaMA-2-13B it generally seemed to me that there was better probe transfer between factual recall datasets (e.g. cities and sp_en_trans, but not larger_than). I’m not really sure why the conjunctions are making things so much better, beyond possibly helping to narrow down on “truth” beyond just “correct statement of factual recall.”
I’m not surprised that cities_cities_conj and cities_cities_disj are so qualitatively different—cities_cities_disj has never empirically played well with the other datasets (in the sense of good probe transfer) and I don’t really know why.
This is currently under review, but not yet on arxiv, sorry about that! Code in the nnsight branch here. I’ll try to come back to add a link to the paper once I post it or it becomes publicly available on OpenReview, whichever happens first.
Cool to see the generalisation results for Llama-2 7/13/70B! I originally ran some of these experiments on 7B and got very different results, that PCA plot of 7B looks familiar (and bizarre). Excited to read the paper in its entirety. The first GoT paper was very good.
This is an interesting approach! I suppose there are two things we want to separate: “truth” from likely statements, and “truth” from what humans think (under some kind of simulacra framing). I think this approach would allow you to do the former, but not the latter. And to be honest, I’m not confident on TruthfulQA’s ability to do the latter either.
P.S. I realised an important note got removed while editing this post—added back, but FYI:
I found that the PCA plot for 7B for larger_than and smaller_than individually looked similar to that for 13B, but that the PCA plot for larger_than + smaller_than looked degenerate in the way I screenshotted. Are you saying that your larger_than + smaller_than PCA looked familiar for 7B?
Agreed on both points.
Thanks for clarifying! I’m guessing this is what’s making the GoT datasets much worse for generalization (from and to) in your experiments. For 13B, it mostly seemed to me that training on negated statements helped for generalization to other negated statements, and that pairing negated statements with unnegated statements in training data usually (but not always) made generalization to unnegated datasets a bit worse. (E.g. the cities → sp_en_trans generalization is better than cities + neg_cities → sp_en_trans generalization.)
Very satisfying to see these comparisons.
A couple things I’m curious about.
You mention prompting for calibration. I’ve been experimenting with prompting models to give their probabilities for the set of answers on a multiple choice question in order to calculate a Brier score. This is just vague speculation, but I wonder if there’s a training regime where the data involves getting the model to be well calibrated in its reported probabilities which could lead to the model having a clearer, more generalized representation of truth that would be easier to detect.
I’m now curious what would happen if you did an ensemble probe. Ensembles of different techniques for measuring the same thing tend to work better than individual techniques. What if you train some sort of decision model on the outputs of the probes? (e.g. XGBoost) I bet it’d do better than any probe alone.
That would certainly be an interesting experiment. A related experiment I’d like to try is to do this but instead of fine-tuning just experimenting with the prompt format. For example, if you ask a model to be calibrated in its output, and perhaps give some few-shot examples, does this improve the truth probes?
Yes! An obvious thing to try is a two-layer MLP probe, that should allow some kind of decision process while keeping the solution relatively interpretable. More generally, I’m excited about using RepEng to craft slightly more complex but still interpretable approaches to model interp / control.
Why did you opt for recovered accuracy as your metric? If I understand correctly, a random probe would achieve 100% recovered accuracy. Are you certain your metric doesn’t bias towards ineffective probes?
Yes, I’m also curious about this @mishajw, did you check the actual accuracy of the different probes ?
(Apologies, been on holiday.)
For recovered accuracy, we select a single threshold per dataset, taking the best value across all probe algorithms and datasets. So a random probe would be compared to the best probe algorithm on that dataset, and likely perform poorly.
I did check the thresholds used for recovered accuracy, and they seemed sensible, but I didn’t put this in the report. I’ll try to find time next week to put this in the appendix.