Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Dataset and Lessons Learned from the 2024 SaTML LLM Capture-the-Flag Competition

Edoardo Debenedetti, Javier Rando, Daniel Paleka, Silaghi Fineas Florin, Dragos Albastroiu, Niv Cohen, Yuval Lemberg, Reshmi Ghosh, Rui Wen, Ahmed Salem, Giovanni Cherubin, Santiago Zanella-Beguelin, Robin Schmid, Victor Klemm, Takahiro Miki, Chenhao Li, Stefan Kraft, Mario Fritz, Florian Tramèr, Sahar Abdelnabi, Lea Schönherr

TL;DR

This work studies prompt-injection vulnerabilities in large language models through a two-phase capture-the-flag competition at SaTML 2024, collecting a large, labeled dataset of defenses and multi-turn attack chats. It demonstrates that all defenses can be bypassed under adaptive, multi-turn strategies, underscoring the difficulty of securing LLMs against manipulation. The authors release a dataset of 137{,}063 chats and an open-source platform to enable ongoing research, benchmarking, and education. The findings advocate for adaptive, multi-turn evaluation and integrated, non-stand-alone mitigations beyond simple filtering, guiding future work in robust LLM security.

Abstract

Large language model systems face important security risks from maliciously crafted messages that aim to overwrite the system's original instructions or leak private data. To study this problem, we organized a capture-the-flag competition at IEEE SaTML 2024, where the flag is a secret string in the LLM system prompt. The competition was organized in two phases. In the first phase, teams developed defenses to prevent the model from leaking the secret. During the second phase, teams were challenged to extract the secrets hidden for defenses proposed by the other teams. This report summarizes the main insights from the competition. Notably, we found that all defenses were bypassed at least once, highlighting the difficulty of designing a successful defense and the necessity for additional research to protect LLM systems. To foster future research in this direction, we compiled a dataset with over 137k multi-turn attack chats and open-sourced the platform.

Dataset and Lessons Learned from the 2024 SaTML LLM Capture-the-Flag Competition

TL;DR

This work studies prompt-injection vulnerabilities in large language models through a two-phase capture-the-flag competition at SaTML 2024, collecting a large, labeled dataset of defenses and multi-turn attack chats. It demonstrates that all defenses can be bypassed under adaptive, multi-turn strategies, underscoring the difficulty of securing LLMs against manipulation. The authors release a dataset of 137{,}063 chats and an open-source platform to enable ongoing research, benchmarking, and education. The findings advocate for adaptive, multi-turn evaluation and integrated, non-stand-alone mitigations beyond simple filtering, guiding future work in robust LLM security.

Abstract

Large language model systems face important security risks from maliciously crafted messages that aim to overwrite the system's original instructions or leak private data. To study this problem, we organized a capture-the-flag competition at IEEE SaTML 2024, where the flag is a secret string in the LLM system prompt. The competition was organized in two phases. In the first phase, teams developed defenses to prevent the model from leaking the secret. During the second phase, teams were challenged to extract the secrets hidden for defenses proposed by the other teams. This report summarizes the main insights from the competition. Notably, we found that all defenses were bypassed at least once, highlighting the difficulty of designing a successful defense and the necessity for additional research to protect LLM systems. To foster future research in this direction, we compiled a dataset with over 137k multi-turn attack chats and open-sourced the platform.
Paper Structure (85 sections, 5 equations, 9 figures, 3 tables)

This paper contains 85 sections, 5 equations, 9 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Competition setup
  3. Defense phase.
  4. Attack Phase.
  5. Competition Outcomes
  6. The competition in numbers.
  7. A dataset for future research.
  8. An open-source platform for future experiments.
  9. Summary of findings.
  10. The Dataset
  11. Dataset Structure
  12. Defenses split.
  13. Chats split.
  14. Dataset Exploration
  15. Limitations.
  16. ...and 70 more sections

Figures (9)

  • Figure 1: CTF web interface for the defense phase. Teams can create and edit defenses (left) and then chat with the resulting model (right). A similar interface---without defense information---was provided during the attack phase.
  • Figure 2: Explored strategies for the system prompt and filtering for defense team: RSLLM.
  • Figure 3: Defense prompt analysis of defense team: RSLLM.
  • Figure 4: Details about attack team: Shrug Face Shrug. A simple set of strategies that were leveraged to break many defenses includes instructing the LLM to follow a response format like keeping the responses succinct, use of periphrasis to reference the secret (such as "6 character string"), and forcing a breakdown of individual characters while responding. Additionally, asking benign questions tricked the defense LLM to think the following asks would also be benign.
  • Figure 5: Details about attack team: Shrug Face Shrug. Using multi-turn conversation to contextualize the requests and help reveal the secret.
  • ...and 4 more figures