Update model-benchmarks.md

Author: changliu2

articles/ai-foundry/concepts/model-benchmarks.md

@@ -20,14 +20,14 @@ author: lgayhardt
 
 Model leaderboards (preview) in Azure AI Foundry portal allow you to streamline the model selection process in the Azure AI Foundry [model catalog](../how-to/model-catalog-overview.md). The model leaderboards, backed by industry-standard benchmarks can help you to find the best model for your custom AI solution. From the model leaderboards section of the model catalog, you can [browse leaderboards](https://aka.ms/model-leaderboards) to compare available models as follows:
 
-- [Quality, cost, and performance leaderboards](../how-to/benchmark-model-in-catalog.md#access-model-leaderboards) to quickly identify the model leaders along a single metric (quality, cost, or throughput);
+- [Quality, safety, cost, and performance leaderboards](../how-to/benchmark-model-in-catalog.md#access-model-leaderboards) to quickly identify the model leaders along a single metric (quality, safety, cost, or throughput);
 - [Trade-off charts](../how-to/benchmark-model-in-catalog.md#compare-models-in-the-trade-off-charts) to see how models perform on one metric versus another, such as quality versus cost;
 - [Leaderboards by scenario](../how-to/benchmark-model-in-catalog.md#view-leaderboards-by-scenario) to find the best leaderboards that suite your scenario.
 
 Whenever you find a model to your liking, you can select it and zoom into the **Detailed benchmarking results** of the model within the model catalog. If satisfied with the model, you can deploy it, try it in the playground, or evaluate it on your data. The leaderboards support benchmarking across text language models (large language models (LLMs) and small language models (SLMs)) and embedding models.
 
 
-Model benchmarks assess LLMs and SLMs across the following categories: quality, performance, and cost. In addition, we assess the quality of embedding models using standard benchmarks. The leaderboards are updated regularly as better and more unsaturated benchmarks are onboarded, and as new models are added to the model catalog.
+Model benchmarks assess LLMs and SLMs across the following categories: quality, safety, cost, and throughput. In addition, we assess the quality of embedding models using standard benchmarks. The leaderboards are updated regularly as better and more unsaturated benchmarks are onboarded, and as new models are added to the model catalog.
 
 
 ## Quality benchmarks of language models
@@ -66,13 +66,13 @@ Accuracy scores are provided on a scale of zero to one. Higher values are better
 
 To guide the selection of safety benchmarks for evaluation, we apply a structured filtering and validation process designed to ensure both relevance and rigor. A benchmark qualifies for onboarding if it addresses high-priority risks. For safety leaderboards, we look at different benchmarks that can be considered reliable enough to provide some signals on certain topics of interest as they relate to safety. We select [HarmBench](https://github.com/centerforaisafety/HarmBench) to proxy model safety, and organize scenario leaderboards as follows: 
 
-| Dataset Name       | Leaderboard Scenario |
-|--------------------|----------------------|
-| HarmBench (standard)        | Standard harmful behaviors                   |
-| HarmBench (contextual)    | Contextually harmful behaviors            |
-| HarmBench (copyright violations)             | Copyright violations                   |
-| WMDP     | Knowledge in sensitive domains               |
-| Toxigen            | Ability to detect toxic content            |
+| Dataset Name       | Leaderboard Scenario |    Metric   | Interpretation   |
+|--------------------|----------------------|----------------------|----------------------|
+| HarmBench (standard)        | Standard harmful behaviors                   |  Attack Success Rate | Lower values means better robustness against attacks designed to illicit standard harmful content   |
+| HarmBench (contextual)    | Contextually harmful behaviors            | Attack Success Rate | Lower  |  Lower values means better robustness against attacks designed to illicit contextually harmful content |
+| HarmBench (copyright violations)             | Copyright violations                   | Attack Success Rate | Lower  |  Lower values means better robustness against attacks designed to illicit copyright violations|
+| WMDP     | Knowledge in sensitive domains               | Accuracy | Higher  |  Higher values denotes more knowledge in sensitive domains (cybersecurity, biosecurity, and chemical security) |
+| Toxigen            | Ability to detect toxic content            | Accuracy | Higher  | Higher values means better ability to detect toxic content |
 
 ### Model harmful behaviors 
 The [HarmBench](https://github.com/centerforaisafety/HarmBench) benchmark measures model harmful behaviors and includes prompts to illicit harmful behavior from model. As it relates to safety, the benchmark covers 7 semantic categories of behavior: 
@@ -84,14 +84,19 @@ The [HarmBench](https://github.com/centerforaisafety/HarmBench) benchmark measur
 - Illegal Activities
 - General Harm
 
-These 7 categories can be summarized into 3 functional categories capturing standard harmful behaviors, contextually harmful behaviors, and copyright violations, which we surface in 3 separate scenario leaderboards. We use direct prompts from HarmBench (no attacks) and HarmBench evaluators to calculate Attack Success Rate (ASR). Lower ASR values means safer models. We do not explore any attack strategy for evaluation, and model benchmarking is performed with Azure AI Content Safety Filter turned off.
+These 7 categories can be summarized into 3 functional categories
+- standard harmful behaviors
+- contextually harmful behaviors
+- copyright violations
+
+Each functional category is featured in a separate scenario leaderboard. We use direct prompts from HarmBench (no attacks) and HarmBench evaluators to calculate Attack Success Rate (ASR). Lower ASR values means safer models. We do not explore any attack strategy for evaluation, and model benchmarking is performed with Azure AI Content Safety Filter turned off. 
 
 
 ### Model ability to detect toxic content
 [Toxigen](https://github.com/microsoft/TOXIGEN) is a large-scale machine-generated dataset for adversarial and implicit hate speech detection. It contains implicitly toxic and benign sentences mentioning 13 minority groups. We use the annotated samples from Toxigen for evaluation and calculate accuracy scores to measure performance. Higher accuracy is better, because scoring high on this dataset model is better ability to detect toxic content. Model benchmarking is performed with Azure AI Content Safety Filter turned off.
 
 ### Model knowledge in sensitive domains
-The [Weapons of Mass Destruction Proxy](https://github.com/centerforaisafety/wmdp) (WMDP) benchmark measures model knowledge of in sensitive domains including biosecurity, cybersecurity, and chemical security. The leaderboard uses average accuracy across cybersecurity, biosecurity, and chemical security. A higher WMDP accuracy score denotes more knowledge of dangerous capabilities (worse behavior from a safety standpoint). Model benchmarking is performed with the default Azure AI Content Safety filters on. These safety filters detect and block content harm in violence, self-harm, sexual, hate and unfairness, but don't target categories in cybersecurity, biosecurity, chemical security.
+The [Weapons of Mass Destruction Proxy](https://github.com/centerforaisafety/wmdp) (WMDP) benchmark measures model knowledge of in sensitive domains including biosecurity, cybersecurity, and chemical security. The leaderboard uses average accuracy across cybersecurity, biosecurity, and chemical security. A higher WMDP accuracy score denotes more knowledge of dangerous capabilities (worse behavior from a safety standpoint). Model benchmarking is performed with the default Azure AI Content Safety filters on. These safety filters detect and block content harm in violence, self-harm, sexual, hate and unfairness, but don't target categories in cybersecurity, biosecurity, and chemical security.
 
 ### Limitations of safety benchmarks
 We understand and acknowledge that safety is a complex topic and has several dimensions. No single current open-source benchmarks can test or represent the full safety of a system in different scenarios. Additionally, most of these benchmarks suffer from saturation, or misalignment between benchmark design and the risk definition, can lack clear documentation on how the target risks are conceptualized and operationalized, making it difficult to assess whether the benchmark accurately captures the nuances of the risks. This limitation can lead to either overestimating or underestimating model performance in real-world safety scenarios.