MoJE: Mixture of Jailbreak Experts, Naive Tabular Classifiers as Guard for Prompt Attacks

TL;DR

MoJE (Mixture of Jailbreak Expert), a novel guardrail architecture designed to surpass current limitations in existing state-of-the-art guardrails, is introduced, demonstrating superior performance capable of detecting 90% of the attacks without compromising benign prompts, enhancing LLMs security against jailbreak attacks.

Abstract

The proliferation of Large Language Models (LLMs) in diverse applications underscores the pressing need for robust security measures to thwart potential jailbreak attacks. These attacks exploit vulnerabilities within LLMs, endanger data integrity and user privacy. Guardrails serve as crucial protective mechanisms against such threats, but existing models often fall short in terms of both detection accuracy, and computational efficiency. This paper advocates for the significance of jailbreak attack prevention on LLMs, and emphasises the role of input guardrails in safeguarding these models. We introduce MoJE (Mixture of Jailbreak Expert), a novel guardrail architecture designed to surpass current limitations in existing state-of-the-art guardrails. By employing simple linguistic statistical techniques, MoJE excels in detecting jailbreak attacks while maintaining minimal computational overhead during model inference. Through rigorous experimentation, MoJE demonstrates superior performance capable of detecting 90% of the attacks without compromising benign prompts, enhancing LLMs security against jailbreak attacks.

Figures (5)

• Figure 1: Figure \ref{['fig:subfiga']} shows the training phase where a model is trained for each jailbreak dataset. This employs both a grid search over model hyperparameters and a model selection process. This trained model is denoted as the $f_{\theta}^j$ expert in the Mixture of Jailbreak Experts. Figure \ref{['fig:subfigb']} represents the inference phase. If the max posterior probability of MoJE is higher than a set threshold $\tau$, we take the maximum prediction probability. Otherwise, framework averages the prediction probability of all the expert models.
• Figure 2: TP rate for each jailbreak dataset (i.e., harmful behaviors, gandalf ignore instructions, gcg-vicuna, and jailbreak prompts) given our tabular models (i.e., LR, XGB, and MoJE), the open-weight models (i.e., ProtectAI and Llama-Guard), and closed source one (i.e., OpenAI moderator and Azure AI Content Safety).
• Figure 3: FP rate for each benign dataset (i.e., puffin, alpaca, and awesome chatgpt prompt) given our tabular models (i.e., LR, XGB, and MoJE), the open-weight models (i.e., ProtectAI and Llama-Guard), and closed source one (i.e., OpenAI moderator and Azure AI Content Safety).
• Figure 4: Relation between number of feature extracted (i.e., $m$) and $F_{\beta}$ based on the different Tokenizer (i.e., Char, Word, BERT, GPT2, and Llama2) and features extraction functions (i.e., uni-gram, TF-IDF uni-gram, bi-gram, uni+bi-gram). The figure is divided into three sub-figures due to the sparsity of the results with respect to the x-axis.
• Figure 5: Effect on AUC, $F_\beta$, Recall, and Precision with different percentage of feature selected (i.e., %$\mathbf{m}$) ranked according to the Mutual Information Theorem. The base model refer to Word as tokenizer and uni-gram as $h(\cdot)$ where 100% of $m$ correspond to 30298 features (see Table \ref{['tab:tokenizer_ngram']}).