Deciphering the Chaos: Enhancing Jailbreak Attacks via Adversarial Prompt Translation

TL;DR

This work tackles the challenge of garbled gradient-based adversarial prompts that hinder cross-model transfer in jailbreaking safety-aligned LLMs. It introduces an interpretation+translation framework that converts garbled suffixes into coherent natural-language adversarial prompts using an off-the-shelf translator LLM, enabling effective transfers with at most 10 queries. Experiments on HarmBench and AdvBench show substantial gains over state-of-the-art methods, achieving an average ASR of about 81.8% on HarmBench and over 90% on Llama-2-Chat while producing low-perplexity prompts. The study provides a new perspective on jailbreak prompt design and transferability, with practical implications for evaluating and understanding LLM safety vulnerabilities.

Abstract

Automatic adversarial prompt generation provides remarkable success in jailbreaking safely-aligned large language models (LLMs). Existing gradient-based attacks, while demonstrating outstanding performance in jailbreaking white-box LLMs, often generate garbled adversarial prompts with chaotic appearance. These adversarial prompts are difficult to transfer to other LLMs, hindering their performance in attacking unknown victim models. In this paper, for the first time, we delve into the semantic meaning embedded in garbled adversarial prompts and propose a novel method that "translates" them into coherent and human-readable natural language adversarial prompts. In this way, we can effectively uncover the semantic information that triggers vulnerabilities of the model and unambiguously transfer it to the victim model, without overlooking the adversarial information hidden in the garbled text, to enhance jailbreak attacks. It also offers a new approach to discovering effective designs for jailbreak prompts, advancing the understanding of jailbreak attacks. Experimental results demonstrate that our method significantly improves the success rate of jailbreak attacks against various safety-aligned LLMs and outperforms state-of-the-arts by large margins. With at most 10 queries, our method achieves an average attack success rate of 81.8% in attacking 7 commercial closed-source LLMs, including GPT and Claude-3 series, on HarmBench. Our method also achieves over 90% attack success rates against Llama-2-Chat models on AdvBench, despite their outstanding resistance to jailbreak attacks. Code at: https://github.com/qizhangli/Adversarial-Prompt-Translator.

Figures (8)

• Figure 1: Attack success rates of using original harmful request (Direct Request), using garbled adversarial prompts generated by GCG-Advanced li2024improved (Garbled prompt), and using the translations of the garbled adversarial prompts (Translated prompt) on HarmBench using (a) Llama-2-7B-Chat, (b) Llama-2-13B-Chat, (c) Mistral-7B-Instruct, (d) Vicuna-13B-v1.5, and (e) Llama-3.1-8B-Instruct as the translator LLM. The garbled adversarial prompts are generated using the corresponding translator LLMs. Best viewed in color.
• Figure 2: Attack success rates of using various translator LLMs to translate adversarial prompts generated by different LLMs against GPT-4o-mini. Best viewed in color.
• Figure 3: The effect of suffix concatenation and pre-rephresing on attack success rates. "Ours$^\dagger$ + suffix concatenation + pre-rephrasing" is equal to our method in Table \ref{['tab:compare_1']}. Best viewed in color.
• Figure 4: The effect of interpretation step on attack success rates.
• Figure 5: A case for using our translated adversarial prompt jailbreak GPT-4o on the web interface . The garbled adversarial suffix is the same as shown in Table \ref{['tab:3']}. The upper part shows GPT-4o refusing the original harmful request. The middle part shows the failure of the garbled adversarial prompt. The lower part shows the success of our translated adversarial prompt.