Safe RAG for LLMs
Key Takeaways
The video discusses safe retrieval augmented generation (RAG) for Large Language Models (LLMs) with Google Cloud Tech, focusing on security concerns and solutions for building AI apps with RAG, including using an orchestration layer and authentication tokens to prevent user data exposure.
Full Transcript
hi wiin I want to build an app that uses AI with retrieval augmented generation or rag but I have some security concerns what are they well one my AI app should not have full access to my database and two my AI should never see any user IDs let me show you some of my code [Music] welcome to the show wiin what do you do here at Google hello everyone I'm wiin du and I'm a software engineer on the AI and database integration team under Google cloud my work focuses on helping developers to build generative AI products that work with databases Ai and databases huh you're probably quite busy yes companies and developers across all Industries are trying to build generative AI with rag into their software right let's say I want to build a chatbot that can look up a user's information uh like flights I want to build it in Cloud run so it's serverless and Google manages the infrastructure for me I would use retrieval augmented generation or rag for that right yes rag lets the AI query or data sources so it can look up a user's upcoming flights or buy a ticket for the user for example you could ask the chatbot list the tickets I have booked you would want to wanted to respond with something like this the AI itself doesn't know users information but it can look them up in our databases but I've heard that can be dangerous well we don't want the user to be able to ask the llm for another user's flight for example if I'm asking the chatbot listed tickets booked by Martin it should respond with something like this sorry I don't have that information available it should not show me your flights and how can I Implement that because I keep reading about people jailbreaking large language models by asking specially engineered prompts uh it seems hard to defend against that we can prevent Problems by keeping each user isolated each user should have their own AI agent their own tools or accessing the database and their own slice of the database with only data about them so the idea is that if each user has their own slice of the application there will be no cross talk between users uh how can we accomplish that we can do three things first we can add an API on top of the database that way the llm will not have direct access to the data second each tool function should authenticate the user third we can orchestrate the database API and the llm so that the llm can view user IDs I've heard that all software problems can be solved by adding a layer of indirection that's what you're doing here that's right in a r architecture we call that an orchestration layer the app would ask the llm which API to use call the API then ask the llm to dress up the reply in nice readable human language that makes sense uh but the details are still a little fuzzy for me uh could you walk us through an example sure here are the system components first the user logs in this could be done with Firebase authentication Google identity platform or a similar product the user's web browser gets an authentication token back then the user enters their question like list the tickets I have booked the web browser sends that request to the back end in an HTTP request and the web browser also includes the off token in that request that's right now the application back asks the LM question it includes three things the system prompt the list of tools or apis available and the user's questions the question does not include the user's off token or user ID I like that yes that makes it safer the llm would respond with something like this call the tool list ticket the application then sends the list ticket request with the off token as the header to the retrieval service the retrieval service verifies and decodes the off token that comes with the request to get the user ID it inserts that user ID into a predefined SQL query and sends it to the database it then returns one database record for each of the users tickets but that's just data datase records uh the user expects a human readable response right right the application passes the database records of the user's upcoming flies to the llm then the llm creates a nice human readable reply the application returns that reply to the user that looks great WNIN but I have a few questions go ahead Martin in this architecture that you just showed us does the llm ever see any user off tokens or user IDs no it doesn't the AU token and user ID stay in the application and rral service got it can the llm Run queries in the database because I've heard that can be dangerous no the llm can't run queries in the database it only ask that application to call Black boss tool functions that perform authentication and executes predefined queries I like that this is a bit like regular API design even before llms I often built apis on top of my databases it's a good design principle yes llms are new but many of the security patterns we used in the past are still useful every tier of software should have the minimum level of access and needs to do its job ah the principle of least privilege still holds true now uh for me or anybody else who'd like to learn more and get our hands dirty with this how how can we do that whenin my team publish an example app it's written Python and it uses Cloud run you can download it from here you can also read a blog post we wrote about it excellent I will include those links in the video description thank you for showing us this wiin now I know how my AI can access my database safely thanks for having me Martin and thank you everyone for watching if you have any questions for whenin or me please add them to the comments below also let me know if there are any other servess topics you'd like to hear about in future episodes I read every every single comment until next time [Music]
Original Description
Blog post → https://goo.gle/4gfJoQh
Code repo → https://goo.gle/4gnh12v
Codelab → https://goo.gle/3XETh2r
Large Language Models (LLMs) are pretty smart, but they don’t know everything. For example, an LLM might know why the sky is blue, but it probably doesn’t know more specific things, like which flight the user has booked. Many AI applications use Retrieval-Augmented Generation (RAG) to feed that sort of user-specific data to LLMs, so they can provide better answers.
However, malicious users can use specially engineered prompts to trick an LLM to reveal more data than intended. This gets especially dangerous if the LLM has access to databases through RAG. In this video, Wenxin Du shows Martin Omander how to make RAG safer and reduce the risk of an LLM leaking sensitive data that it gathered via RAG.
Chapters:
0:00 - Intro
1:15 - RAG
1:57 - Making RAG safer
3:11 - Architecture review
4:47 - Questions & Answers
5:47 - How to get started
6:09 - Wrap up
Watch more Serverless Expeditions → https://goo.gle/ServerlessExpeditions
Subscribe to Google Cloud Tech → https://goo.gle/GoogleCloudTech
#ServerlessExpeditions #CloudRun
Speaker: Wenxin Du, Martin Omander
Products Mentioned: Cloud - Containers - Cloud Run, Generative AI - General
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from Google Cloud Tech · Google Cloud Tech · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
I’m going for it #GoogleCloudCertified
Google Cloud Tech
I had to get #GoogleCloudCertified
Google Cloud Tech
Be better overall at what you do #GoogleCloudCertified
Google Cloud Tech
Cloud Monitoring on our radar #Analysis #Uptime
Google Cloud Tech
Introduction to Generative AI Studio
Google Cloud Tech
How to use Github Actions with Google's Workload Identity Federation
Google Cloud Tech
Introduction to Responsible AI
Google Cloud Tech
Networking updates and CDMC-certified architecture
Google Cloud Tech
Create and use a Cloud Storage bucket
Google Cloud Tech
How to digitize text from documents
Google Cloud Tech
Faster analytical queries with AlloyDB
Google Cloud Tech
Next ‘23 sessions and FaaS Wave
Google Cloud Tech
Introduction to Assured Open Source Software
Google Cloud Tech
BigQuery Cost Optimization: Storage
Google Cloud Tech
BigQuery Cost Optimization: Compute
Google Cloud Tech
BigQuery Cost Optimization: Select Queries
Google Cloud Tech
Remote Field Equipment Management with Manufacturing Data Engine
Google Cloud Tech
Supercharging your applications with Cloud SQL Enterprise Plus
Google Cloud Tech
Vector Support on our radar #GenAI
Google Cloud Tech
Architecting a blockchain startup with Google Cloud
Google Cloud Tech
Kubernetes and multitasking updates!
Google Cloud Tech
GKE: Using Kubernetes Events
Google Cloud Tech
How to configure firewall rules for Cloud Composer
Google Cloud Tech
Vertex AI Embeddings API + Matching Engine: Grounding LLMs made easy
Google Cloud Tech
Geospatial analytics on our radar #EarthEngine #BigQuery
Google Cloud Tech
Ensuring requests are set in Kubernetes
Google Cloud Tech
Cloud Next 2023, Google research program, and more!
Google Cloud Tech
How to migrate projects between organizations with Resource Manager
Google Cloud Tech
How to run #MySQL in Google Cloud
Google Cloud Tech
#GenerativeAI for enterprises and #Next2023
Google Cloud Tech
How Google Photos scales to store 4 trillion photos and videos
Google Cloud Tech
Google Cross-Cloud Interconnect (Demo 2)
Google Cloud Tech
GKE Cost Optimization Golden Signals: Introduction
Google Cloud Tech
GKE Cost Optimization Golden Signals: Workload Rightsizing
Google Cloud Tech
GKE Load Balancing: Overview
Google Cloud Tech
GKE Load Balancing: Best Practices
Google Cloud Tech
Disaster Recovery in GKE
Google Cloud Tech
How to configure IP masquerade agent in GKE Standard clusters
Google Cloud Tech
Enable and use GKE Control plane logs
Google Cloud Tech
Compliance in Australia with Assured Workloads
Google Cloud Tech
Creating budgets and budget alerts in Google Cloud #FinOps
Google Cloud Tech
Cloud SQL Enterprise Plus on our radar #mySQL
Google Cloud Tech
What's Next for Google Cloud?
Google Cloud Tech
How Loveholidays scaled with Contact Center AI
Google Cloud Tech
What is fleet team management in GKE?
Google Cloud Tech
Troubleshoot VPC Network Peering
Google Cloud Tech
Introduction to DocAI and Contact Center AI
Google Cloud Tech
Cloud Run Direct VPC egress explained
Google Cloud Tech
Database deployment options in GKE
Google Cloud Tech
Analyze cloud billing data with #BigQuery
Google Cloud Tech
Tips to becoming a world-class Prompt Engineer
Google Cloud Tech
Serverless is simple. Do I need CI/CD?
Google Cloud Tech
Accelerating model deployment with MLOps
Google Cloud Tech
How Hawaii's Department of Human Services scaled with CCAI
Google Cloud Tech
Pricing API on our #Radar
Google Cloud Tech
How Recommendations AI for Media can boost customer retention
Google Cloud Tech
Troubleshooting: Node Not Ready Status
Google Cloud Tech
One weekend until Cloud Next 2023!
Google Cloud Tech
#GoogleCloudNext starts tomorrow!
Google Cloud Tech
#GoogleCloudNext will be demand!
Google Cloud Tech
More on: AI Safety Engineering
View skill →Related Reads
📰
📰
📰
📰
The RBAC Playbook for Enterprise LLM Access
Dev.to AI
Migrating From LiteLLM to a Production Gateway: A Step-by-Step Guide
Dev.to AI
What Is GPT? A Practical Guide to Tokens, Transformers, Training, and Fine-Tuning
Dev.to · Bahadir Kusat
OmniRoute: The Open-Source AI Gateway Slashing Token Costs by 95%
Dev.to · Terminal Chai
Chapters (7)
Intro
1:15
RAG
1:57
Making RAG safer
3:11
Architecture review
4:47
Questions & Answers
5:47
How to get started
6:09
Wrap up
🎓
Tutor Explanation
DeepCamp AI