Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Rapid Optimization for Jailbreaking LLMs via Subconscious Exploitation and Echopraxia

Guangyu Shen, Siyuan Cheng, Kaiyuan Zhang, Guanhong Tao, Shengwei An, Lu Yan, Zhuo Zhang, Shiqing Ma, Xiangyu Zhang

TL;DR

The paper introduces RIPPLE, an optimization-based jailbreak method for LLMs inspired by subconscious exploitation and echopraxia, designed to rapidly uncover and exploit latent malicious knowledge. It combines target extraction from a model’s internal distribution with a refined prompt optimization pipeline, including echopraxia initialization, hybrid candidate acquisition, and stochastic beam search, and extends to black-box transfer via text denoising. Across six open-source and four commercial LLMs, RIPPLE achieves state-of-the-art attack success, greater prompt diversity, and faster convergence than prior methods, while exhibiting stealth against defenses. The work highlights notable safety risks in aligned LLMs and demonstrates the need for robust defenses and evaluation frameworks against sophisticated, transferable jailbreaking strategies.

Abstract

Large Language Models (LLMs) have become prevalent across diverse sectors, transforming human life with their extraordinary reasoning and comprehension abilities. As they find increased use in sensitive tasks, safety concerns have gained widespread attention. Extensive efforts have been dedicated to aligning LLMs with human moral principles to ensure their safe deployment. Despite their potential, recent research indicates aligned LLMs are prone to specialized jailbreaking prompts that bypass safety measures to elicit violent and harmful content. The intrinsic discrete nature and substantial scale of contemporary LLMs pose significant challenges in automatically generating diverse, efficient, and potent jailbreaking prompts, representing a continuous obstacle. In this paper, we introduce RIPPLE (Rapid Optimization via Subconscious Exploitation and Echopraxia), a novel optimization-based method inspired by two psychological concepts: subconsciousness and echopraxia, which describe the processes of the mind that occur without conscious awareness and the involuntary mimicry of actions, respectively. Evaluations across 6 open-source LLMs and 4 commercial LLM APIs show RIPPLE achieves an average Attack Success Rate of 91.5\%, outperforming five current methods by up to 47.0\% with an 8x reduction in overhead. Furthermore, it displays significant transferability and stealth, successfully evading established detection mechanisms. The code of our work is available at \url{https://github.com/SolidShen/RIPPLE_official/tree/official}

Rapid Optimization for Jailbreaking LLMs via Subconscious Exploitation and Echopraxia

TL;DR

The paper introduces RIPPLE, an optimization-based jailbreak method for LLMs inspired by subconscious exploitation and echopraxia, designed to rapidly uncover and exploit latent malicious knowledge. It combines target extraction from a model’s internal distribution with a refined prompt optimization pipeline, including echopraxia initialization, hybrid candidate acquisition, and stochastic beam search, and extends to black-box transfer via text denoising. Across six open-source and four commercial LLMs, RIPPLE achieves state-of-the-art attack success, greater prompt diversity, and faster convergence than prior methods, while exhibiting stealth against defenses. The work highlights notable safety risks in aligned LLMs and demonstrates the need for robust defenses and evaluation frameworks against sophisticated, transferable jailbreaking strategies.

Abstract

Large Language Models (LLMs) have become prevalent across diverse sectors, transforming human life with their extraordinary reasoning and comprehension abilities. As they find increased use in sensitive tasks, safety concerns have gained widespread attention. Extensive efforts have been dedicated to aligning LLMs with human moral principles to ensure their safe deployment. Despite their potential, recent research indicates aligned LLMs are prone to specialized jailbreaking prompts that bypass safety measures to elicit violent and harmful content. The intrinsic discrete nature and substantial scale of contemporary LLMs pose significant challenges in automatically generating diverse, efficient, and potent jailbreaking prompts, representing a continuous obstacle. In this paper, we introduce RIPPLE (Rapid Optimization via Subconscious Exploitation and Echopraxia), a novel optimization-based method inspired by two psychological concepts: subconsciousness and echopraxia, which describe the processes of the mind that occur without conscious awareness and the involuntary mimicry of actions, respectively. Evaluations across 6 open-source LLMs and 4 commercial LLM APIs show RIPPLE achieves an average Attack Success Rate of 91.5\%, outperforming five current methods by up to 47.0\% with an 8x reduction in overhead. Furthermore, it displays significant transferability and stealth, successfully evading established detection mechanisms. The code of our work is available at \url{https://github.com/SolidShen/RIPPLE_official/tree/official}
Paper Structure (18 sections, 7 equations, 12 figures, 8 tables, 1 algorithm)

This paper contains 18 sections, 7 equations, 12 figures, 8 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Background
  4. Threat Model
  5. Formulate LLM jailbreaking optimization
  6. Method
  7. Target Extraction via Subconscious Exploitation
  8. Rapid Prompt Optimization via Echopraxia
  9. Black-box Transfer Attack via Text Denoising
  10. Evaluation
  11. Ripple Jailbreaking Performance
  12. Ripple Stealthiness against Defenses
  13. Ablation Study
  14. Conclusion
  15. Appendix
  16. ...and 3 more sections

Figures (12)

  • Figure 1: Overview of Ripple
  • Figure 2: Failure case of GCGgcg with affirmative phrase.
  • Figure 3: Impact of Echo. Init.
  • Figure 4: Loss values across positions
  • Figure 5: Convergence comparison
  • ...and 7 more figures