Best Practices for Biorisk Evaluations on Open-Weight Bio-Foundation Models

Open-weight bio-foundation models present a dual-use dilemma. While holding great promise for accelerating scientific research and drug development, they could also enable bad actors to develop more deadly bioweapons. To mitigate the risk posed by these models, current approaches focus on filtering biohazardous data during pre-training. However, the effectiveness of such an approach remains unclear, particularly against determined actors who might fine-tune these models for malicious use. To address this gap, we propose BioRiskEval, a framework to evaluate the robustness of procedures that are intended to reduce the dual-use capabilities of bio-foundation models. BioRiskEval assesses models' virus understanding through three lenses, including sequence modeling, mutational effects prediction, and virulence prediction. Our results show that current filtering practices may not be particularly effective: Excluded knowledge can be rapidly recovered in some cases via fine-tuning, and exhibits broader generalizability in sequence modeling. Furthermore, dual-use signals may already reside in the pretrained representations, and can be elicited via simple linear probing. These findings highlight the challenges of data filtering as a standalone procedure, underscoring the need for further research into robust safety and security strategies for open-weight bio-foundation models.

Key Contributions

• BioRiskEval: an evaluation framework assessing robustness of safety filtering in bio-foundation models across three threat lenses — sequence modeling, mutational effects prediction, and virulence prediction
• Empirical demonstration that fine-tuning rapidly recovers excluded biohazardous knowledge, undermining data filtering as a standalone safety intervention
• Shows dual-use signals persist in pretrained representations and are easily elicited via linear probing, independent of fine-tuning

🛡️ Threat Analysis

Details

Similar Papers