
h4rm3l: A language for Composable Jailbreak Attack Synthesis

Moussa Koulako Bala Doumbouya, Ananjan Nandi, Gabriel Poesia, Davide Ghilardi, Anna Goldie, Federico Bianchi, Dan Jurafsky, Christopher D. Manning

TL;DR

h4rm3l introduces a human-readable DSL for composing jailbreak attacks as sequences of parameterized string-transform primitives, enabling scalable, interpretable red-teaming of black-box LLMs. A bandit-guided, few-shot program-synthesis framework automatically discovers novel attacks optimized for target models, while an automated LLM-behavior classifier aligns attack success rate (ASR) estimates with human judgment. The authors compile a large, diverse dataset of synthesized attacks and demonstrate high attack success rates across six SOTA LLMs, underscoring the need for targeted, model-specific safety benchmarking. The work provides open-source tooling for synthesis and benchmarking, highlighting both the potential for improving AI safety and the risks of releasing scalable jailbreak capabilities.

Abstract

Despite their demonstrated valuable capabilities, state-of-the-art (SOTA) widely deployed large language models (LLMs) still have the potential to cause harm to society due to the ineffectiveness of their safety filters, which can be bypassed by prompt transformations called jailbreak attacks. Current approaches to LLM safety assessment, which employ datasets of templated prompts and benchmarking pipelines, fail to cover sufficiently large and diverse sets of jailbreak attacks, leading to the widespread deployment of unsafe LLMs. Recent research showed that novel jailbreak attacks could be derived by composition; however, a formal composable representation for jailbreak attacks, which, among other benefits, could enable the exploration of a large compositional space of jailbreak attacks through program synthesis methods, has not been previously proposed. We introduce h4rm3l, a novel approach that addresses this gap with a human-readable domain-specific language (DSL). Our framework comprises: (1) The h4rm3l DSL, which formally expresses jailbreak attacks as compositions of parameterized string transformation primitives. (2) A synthesizer with bandit algorithms that efficiently generates jailbreak attacks optimized for a target black-box LLM. (3) The h4rm3l red-teaming software toolkit that employs the previous two components and an automated harmful LLM behavior classifier that is strongly aligned with human judgment. We demonstrate h4rm3l's efficacy by synthesizing a dataset of 2656 successful novel jailbreak attacks targeting 6 SOTA open-source and proprietary LLMs, and by benchmarking those models against a subset of these synthesized attacks. Our results show that h4rm3l's synthesized attacks are diverse and more successful than existing jailbreak attacks in the literature, with success rates exceeding 90% on SOTA LLMs.

Paper Structure (40 sections, 5 equations, 11 figures, 5 tables, 1 algorithm)

Figures (11)

  • Figure 1: h4rm3l-synthesized jailbreak attacks targeting 6 LLMs. SOTA attacks were used as initial few-shot examples. Those examples and the 10 highest-scoring synthesized attacks targeting each LLM were selected to benchmark all 6 LLMs for safety. Red intensities indicate attack success rates. Attacks are labeled with identifiers (e.g. sota_AIM, 00536) to facilitate locating them in our datasets.
  • Figure 2: Illustration of a malicious use of a h4rm3l-synthesized attack on Claude-3-Sonnet to get explicit assistance with online harassment, which violates Anthropic's acceptable use policy.
  • Figure 3: Mean Attack Success Rate ($\mu_{ASR}$) of top 20 attacks synthesized by each method up to each iteration. ASR Rewarded Bandits and Offspring ASR Rewarded Bandits outperform Random Bandits. Using only the low-level expression (LLE) of few-shot examples significantly degraded $\mu_{ASR}$.
  • Figure 4: Mean attack success rates ($\mu_{ASR}$) of top 20 attacks synthesized by ASR Rewarded Bandits up to each synthesis iteration targeting 6 LLMs. h4rm3l required over 60 iterations to achieve $\mu_{ASR}>80\%$ on Claude-3-Sonnet and Llama-3-8B, but under 10 iterations on GPT-3.5 and GPT-4o.
  • Figure 5: t-SNE projection of CodeBERT embeddings of attacks with over 40% ASR. Left: 1,936 attacks synthesized using 4 program synthesis algorithms targeting GPT-4o. Right: Top 2,656 attacks synthesized by ASR Rewarded Bandits targeting 6 SOTA LLMs. Attack counts in parentheses.