Round Trip Translation Defence against Large Language Model Jailbreaking Attacks

Canaan Yung, Hadi Mohaghegh Dolatabadi, Sarah Erfani, Christopher Leckie

TL;DR

The paper tackles the vulnerability of LLMs to social-engineered jailbreaking prompts by introducing Round Trip Translation (RTT), a lightweight pre-processing technique that paraphrases prompts through three non-Indo-European languages before back-translation to English to reveal generalized harmful concepts. RTT achieves strong defense performance, with over 70% mitigation on PAIR and nearly 40% on MathAttack, and demonstrates transferability across multiple LLMs, including GPT-4, Vicuna, Llama2, and Palm2. Importantly, RTT preserves most of the performance on benign tasks (e.g., GSM8K) while maintaining high defense efficacy, suggesting practical applicability without retraining or architectural changes. The work positions RTT as a versatile, model-agnostic safety filter and highlights avenues for future work, such as exploring additional translation engines, diverse languages, and ensemble strategies to further bolster robustness.

Abstract

Large language models (LLMs) are susceptible to social-engineered attacks that are human-interpretable but require a high level of comprehension for LLMs to counteract. Existing defensive measures can only mitigate less than half of these attacks at most. To address this issue, we propose the Round Trip Translation (RTT) method, the first algorithm specifically designed to defend against social-engineered attacks on LLMs. RTT paraphrases the adversarial prompt and generalizes the idea conveyed, making it easier for LLMs to detect induced harmful behavior. This method is versatile, lightweight, and transferable to different LLMs. Our defense successfully mitigated over 70% of Prompt Automatic Iterative Refinement (PAIR) attacks, which, to the best of our knowledge, is currently the most effective defense. We are also the first to attempt mitigating the MathsAttack and reduced its attack success rate by almost 40%. Our code is publicly available at https://github.com/Cancanxxx/Round_Trip_Translation_Defence

This version of the article has been accepted for publication, after peer review (when applicable) but is not the Version of Record and does not reflect post-acceptance improvements, or any corrections. The Version of Record is available online at: https://doi.org/10.48550/arXiv.2402.13517 Use of this Accepted Version is subject to the publisher's Accepted Manuscript terms of use: https://www.springernature.com/gp/open-research/policies/accepted-manuscript-terms
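As an added illustration of the pipeline the abstract describes (not the authors' released code): the prompt is chained through pivot languages and back to English before it reaches the LLM, so the model answers the paraphrased prompt rather than the raw one. The translator is an injected callable so any machine-translation engine can be used; the three-language pivot set, the length-ratio fallback, and the word-tagging stand-in translator below are constructed for an offline demo and are assumptions, not the paper's own choices.

```python
from typing import Callable, Dict, Sequence

Translator = Callable[[str, str, str], str]  # (text, src_lang, tgt_lang) -> text

# Assumed pivot set for the demo: three languages from non-Indo-European families.
DEFAULT_PIVOTS: Sequence[str] = ("zh", "ar", "sw")


def round_trip(prompt: str, translate: Translator,
               pivots: Sequence[str] = DEFAULT_PIVOTS, source: str = "en") -> str:
    """RTT with len(pivots) languages: source -> pivots[0] -> ... -> pivots[-1] -> source."""
    if not pivots:
        raise ValueError("RTT needs at least one pivot language")
    text, cur = prompt, source
    for nxt in (*pivots, source):
        text = translate(text, cur, nxt)
        cur = nxt
    return text


def rtt_defence(prompt: str, translate: Translator, ask_llm: Callable[[str], str],
                pivots: Sequence[str] = DEFAULT_PIVOTS, min_len_ratio: float = 0.3) -> str:
    """Send the round-tripped prompt to the LLM instead of the raw one.

    If the MT engine collapsed the text (e.g. returned almost nothing), refuse
    rather than silently falling back to the unfiltered prompt. The 0.3 ratio is
    an assumed threshold, not a value from the paper."""
    rtt_prompt = round_trip(prompt, translate, pivots)
    if len(rtt_prompt) < min_len_ratio * len(prompt):
        return "Request could not be safely processed."
    return ask_llm(rtt_prompt)


# --- constructed stand-in for a translation engine (offline demo only) -------
# Each hop tags tokens with the target language; the hop back to English
# normalises a few synonyms, mimicking how paraphrasing exposes the underlying idea.
_CANON: Dict[str, str] = {"craft": "write", "compose": "write", "pen": "write",
                          "glorify": "encourage", "promote": "encourage"}


def demo_translate(text: str, src: str, tgt: str) -> str:
    words = [w.split("@")[0] for w in text.split()]  # drop the previous hop's tag
    if tgt == "en":
        return " ".join(_CANON.get(w.lower(), w) for w in words)
    return " ".join(f"{w}@{tgt}" for w in words)
```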

Paper Structure

This paper contains 15 sections, 2 equations, 6 figures.

Figures (6)

  • Figure 1: An illustrative example of RTT. The RTT prompt helps reveal the hidden idea of the adversarial prompt. The original attack (red box) induced ChatGPT4 to generate social media messages that encouraged drunk driving or drug use. After RTT (green box), we can see that RTT successfully revealed the concept of inducing drunk driving and drug use (yellow highlighted), which prevented ChatGPT4 from producing any harmful behavior.
  • Figure 2: ASR decreases under different numbers of languages in RTT. The error bars are the standard deviation of ASR in the 10 experiments conducted in each set of RTT.
  • Figure 3: ASR of RTT3d with languages in different language families in different LLMs. The error bars are the standard deviation of ASR in the 10 experiments conducted in each LLM.
  • Figure 4: Length of adversarial prompts after RTT. The adversarial prompts are generated by the PAIR attack. The data for each RTT length is obtained by averaging 10 sets of RTT prompts.
  • Figure 5: Length of adversarial prompts after RTT. The adversarial prompts are generated by the PAIR attack. The data for each RTT length is obtained by averaging 10 sets of RTT prompts.
  • ...and 1 more figure