Stochastic Monkeys at Play: Random Augmentations Cheaply Break LLM Safety Alignment

TL;DR

This work investigates whether cheap, random prompt augmentations can bypass safety alignment in state-of-the-art LLMs, introducing the stochastic-monkey threat model. By evaluating 17 models across augmentation types, model sizes, quantization levels, and decoding strategies, the study shows that 25 random augmentations can significantly increase safety violations, especially with character-level edits, highlighting brittleness in alignment. It also reveals that fine-tuning-based defenses substantially raise safety, though their effectiveness can be mitigated by augmentation strength and decoding settings, while larger models are not guaranteed safer. The findings stress the need for more robust safety evaluations and defenses that generalize beyond handcrafted jailbreaks, with practical implications for both open-source and closed-source deployments.

Abstract

Safety alignment of Large Language Models (LLMs) has recently become a critical objective of model developers. In response, a growing body of work has been investigating how safety alignment can be bypassed through various jailbreaking methods, such as adversarial attacks. However, these jailbreak methods can be rather costly or involve a non-trivial amount of creativity and effort, introducing the assumption that malicious users are high-resource or sophisticated. In this paper, we study how simple random augmentations to the input prompt affect safety alignment effectiveness in state-of-the-art LLMs, such as Llama 3 and Qwen 2. We perform an in-depth evaluation of 17 different models and investigate the intersection of safety under random augmentations with multiple dimensions: augmentation type, model size, quantization, fine-tuning-based defenses, and decoding strategies (e.g., sampling temperature). We show that low-resource and unsophisticated attackers, i.e. $\textit{stochastic monkeys}$, can significantly improve their chances of bypassing alignment with just 25 random augmentations per prompt. Source code and data: https://github.com/uiuc-focal-lab/stochastic-monkeys/

Figures (19)

• Figure 1: An overview of the threat model we investigate. A malicious user (i.e. the stochastic monkey) randomly and independently augments the prompt $k$ times and observes $k$ different outputs. The attacker is successful if at least one of the outputs is compliant. Here, we show a successful example obtained from Llama 3.1 8B Instruct with $k = 25$ using greedy decoding.
• Figure 2: Average $\left(25, \gamma^*_\mathcal{A}\right)$-success rate gains of different kinds of augmentations over using no augmentations, using greedy decoding for generation.
• Figure 3: Average $(25, \gamma^*_\mathcal{A})$-success rate gains of larger models over the smallest model in their model family, using greedy decoding for generation.
• Figure 4: Average $(25, \gamma^*_\mathcal{A})$-success rate gains of quantized models over their respective original models, using greedy decoding for generation.
• Figure 5: Average $(25, \gamma^*_\mathcal{A})$-success rate gains of models with fine-tuning-based defenses over their respective original models, using greedy decoding.