Exploiting the Index Gradients for Optimization-Based Jailbreaking on Large Language Models

Jiahui Li, Yongchang Hao, Haoyu Xu, Xing Wang, Yu Hong

TL;DR

This work tackles the inefficiency of optimization-based jailbreaks for large language models by dissecting the GCG method and identifying the Indirect Effect bottleneck. It introduces MAGIC, which uses Gradient-based Index Selection to focus updates on positively contributing suffix tokens and Adaptive Multi-Coordinate Update to perform simultaneous multi-token replacements, thereby reducing iterations and computation. Empirical results on AdvBench show that MAGIC achieves up to a 1.5x speedup while delivering ASR on par with or better than baselines (e.g., 74% on Llama-2 and 54% transfer to GPT-3.5), and it generalizes to transfer scenarios and can be combined with other enhancements. The method is validated across multiple open- and closed-source LLMs, highlighting its potential to stress-test safety properties and inform defenses, with careful attention to ethics and limitations.

Abstract

Despite the advancements in training Large Language Models (LLMs) with alignment techniques to enhance the safety of generated content, these models remain susceptible to jailbreak, an adversarial attack method that exposes security vulnerabilities in LLMs. Notably, the Greedy Coordinate Gradient (GCG) method has demonstrated the ability to automatically generate adversarial suffixes that jailbreak state-of-the-art LLMs. However, the optimization process involved in GCG is highly time-consuming, rendering the jailbreaking pipeline inefficient. In this paper, we investigate the process of GCG and identify an issue of Indirect Effect, the key bottleneck of the GCG optimization. To this end, we propose the Model Attack Gradient Index GCG (MAGIC), which addresses the Indirect Effect by exploiting the gradient information of the suffix tokens, thereby accelerating the procedure with less computation and fewer iterations. Our experiments on AdvBench show that MAGIC achieves up to a 1.5x speedup, while maintaining Attack Success Rates (ASR) on par with or even higher than other baselines. Our MAGIC achieved an ASR of 74% on Llama-2 and an ASR of 54% when conducting transfer attacks on GPT-3.5. Code is available at https://github.com/jiah-li/magic.

Paper Structure

This paper contains 29 sections, 6 equations, 2 figures, 4 tables.

Figures (2)

  • Figure 1: We investigate the Indirect Effect between the gradient values of current suffixes and the updated token indexes, which demonstrates that replacing tokens with negative gradient values fails to effectively reduce adversarial loss. We carry out this study over 1000 iterations of the naive GCG algorithm.
  • Figure 2: An illustration of our approach, MAGIC. GCG concatenates a harmful instruction and an adversarial suffix, inducing the target LLM to produce harmful content. MAGIC improves the optimization process of the adversarial suffix. Gradient-based Index Selection examines the one-hot vectors corresponding to the suffix and selects only token indexes with positive gradient values. Adaptive Multi-Coordinate Update selects multiple tokens from the previously determined index range for updating, achieving jailbreaking of LLMs.