We are given a near-optimal policy trained on a MDP. We start with simple gridworlds and scale up to complex ones like Breakout. For evaluation using a learned value function we will consider actor-critic agents, like the ones trained by PPO.  Our goal is to find activations within the policy network that predict the true value accurately. The following steps are described in terms of the state-value function, but could be analogously performed for predicting q-values. Note, that this problem is very similar to offline reinforcement learning with pretraining, and could thus benefit from the related literature.

1. To start we sample multiple dataset of trajectories (incl. rewards) by letting the policy and $m$ noisy versions thereof interact with the environment.
2. Compute activations for each state in the trajectories.
3. Normalise and project respective activations to $m+1$ value estimates, of the policy and its noisy versions: $v_{{\theta }_i}\left(\tilde{\varphi }\right)=\tanh ({\theta }_i^T{\tilde{\varphi }}_i+b_i)\text{with}\tilde{\varphi }\left(s\right)=\frac{\varphi \left(s\right)-\mu }{\sigma }$
4. Calculate a consistency loss to be minimised with some of the following terms
   1. Mean squared TD error  $L_a\left(\theta \right)\propto {\sum }_{n=1}^N{\sum }_{t=1}^{T_n}{\left[v_{\theta }\right(\tilde{\varphi }\left(s_t^n\right))-(R_t^n+1[t<T_n]\gamma v_{\theta }\left(\tilde{\varphi }\right(s_{t+1}^n\left)\right)\left)\right]}^2$
      This term enforces consistency with the Bellman expectation equation. However, in addition to the value function it depends on the use of true reward “labels”.
   2. Mean squared error of probe values with trajectory returns$L_b\left(\theta \right)\propto {\sum }_{n=1}^N{\sum }_{t=1}^{T_n}{\left[v_{\theta }\right(\tilde{\varphi }\left(s_t^n\right))-G_t^n]}^2$
      This term enforces the definition of the value function, namely it being the expected cumulative reward of the (partial) trajectory. Using this term might be more stable than (a) since it avoids the recurrence relation.
   3. Negative variance of probe values $L_c\left(\theta \right)\propto -{\sum }_{n=1}^N{\sum }_{t=1}^{T_n}{\left[v_{\theta }\right(\tilde{\varphi }\left(s_t^n\right))-{\overline{v}}_{\theta }]}^2$
      This term can help to avoid degenerate loss minimizers, e.g. in the case of sparse rewards.
   4. Enforce inequalities between different policy values using learned slack variables $L_d(\theta ,{\theta }_i,{\lambda }_i)\propto {\sum }_s{\sum }_{i\in \{1,m\}}\left(v_{\theta }\right(s)-v_{{\theta }_i}(s)-{\sigma }_{{\lambda }_i}(s{)}^2{)}^2$
      This term ensures that the policy consistently dominates its noisy versions and is completely unsupervised.
5. Train the linear probes using the training trajectories
6. Evaluate on held out test trajectories by comparing the value function to the actual returns. If the action space is simple enough, use the value function to plan in the environment and compare resulting behaviour to that of the policy.

Thanks for your comment! Re: artificial data, agreed that would be a good addition.

Sorry for the gifs maybe I should have embedded YouTube videos instead

Re: middle layer, We actually probed on the middle layers but the "which side the ball is / which side the ball is approaching" features are really salient here.

Re: single player, Yes Robert had some thought about it but the multiplayer setting ended up lasting until the end of the SPAR cohort. I'll send his notes in an extra comment.

As explained by Sumio Watanabe (

This link is rotten, maybe link to its personal page instead ?
https://sites.google.com/view/sumiowatanabe/home

I defined earlier.

This link is broken as it links to the draft in edit mode

I'm wondering, can we make safety tuning more robust to "add the accept every instructions steering vector" attack by training the model in an adversarial way in which an adversarial model tries to learn steering vector that maximize harmfulness ?

One concern would be that by doing that we make the model less interpretable, but on the other hand that might makes the safety tuning much more robust?

Yes, I'm also curious about this @mishajw, did you check the actual accuracy of the different probes ?

You can get ~75% just by computing the or. But we found that only at the last layer and step16000 of Pythia-70m training it achieves better than 75%, see this video

Would you expect that we can extract xors from small models like pythia-70m under your hypothesis?

I disagree; it could be beneficial for a base model to identify when a character is making false claims, enabling the prediction of such claims in the future.