Guiding not Forcing: Enhancing the Transferability of Jailbreaking Attacks on LLMs via Removing Superfluous Constraints

Junxiao Yang, Zhexin Zhang, Shiyao Cui, Hongning Wang, Minlie Huang

TL;DR

The paper addresses the limited transferability of gradient-based jailbreaking attacks on LLMs and proposes a conceptual framework that distinguishes the full feasible adversarial region from a transferable shared region. It identifies two superfluous constraints—Response Pattern and Token Tail constraints—that narrow the transferable space and hinder optimization. The authors introduce Guided Jailbreaking Optimization, combining Target Output Guidance with Relaxed Loss Computation to remove these constraints, which yields substantial gains in transfer Attack Success Rate (T-ASR) across diverse target models and improves source model performance (S-ASR). This approach enhances controllability of jailbreak outputs and provides a basis for developing stronger defenses, with practical impact on understanding vulnerabilities and guiding robust safety mechanisms for LLMs.

Abstract

Jailbreaking attacks can effectively induce unsafe behaviors in Large Language Models (LLMs); however, the transferability of these attacks across different models remains limited. This study aims to understand and enhance the transferability of gradient-based jailbreaking methods, which are among the standard approaches for attacking white-box models. Through a detailed analysis of the optimization process, we introduce a novel conceptual framework to elucidate transferability and identify superfluous constraints, specifically the response pattern constraint and the token tail constraint, as significant barriers to improved transferability. Removing these unnecessary constraints substantially enhances the transferability and controllability of gradient-based attacks. Evaluated on Llama-3-8B-Instruct as the source model, our method increases the overall Transfer Attack Success Rate (T-ASR) across a set of target models with varying safety levels from 18.4% to 50.3%, while also improving the stability and controllability of jailbreak behaviors on both source and target models.

Paper Structure

This paper contains 32 sections, 4 equations, 6 figures, 4 tables.

Figures (6)

  • Figure 1: A conceptual framework for understanding transferability. All adversarial prompts capable of eliciting harmful responses constitute the entire feasible region for jailbreaking attacks. However, the search space of gradient-based optimization represents only a specific subset of this region. Furthermore, superfluous constraints in the original objective further narrow this subset from a shared region across models to a model-specific area.
  • Figure 2: An illustration of superfluous constraints in gradient-based optimization objectives and their elimination. Left: The response pattern constraint arises from discrepancies between the target output and the actual jailbroken output, while the token tail constraint results from loss calculations applied to all tokens. Right: Guiding the model to begin with the target output and applying constraints only to necessary tokens effectively eliminates these superfluous constraints, thereby aligning the real jailbroken output with the target output. Tokens are highlighted as follows: meeting the requirement, failing to meet the requirement, and having no requirement.
  • Figure 3: Cross-Entropy Loss on the target output during the optimization process on Llama-3-8B-Instruct. For Normal Loss, Cross-Entropy Loss is calculated on the actual model output for benign inputs, focusing on the first 10 tokens. This is comparable to the expected real jailbroken loss.
  • Figure 4: The comparison conducted on Llama-3-8B-Instruct between optimizing only the first two tokens of the target output and optimizing all tokens of the target output. The analysis used the same malicious input combined with the searched adversarial prompt. The Softmax probability was then calculated over the tokens of the target output, which were fully present within the input.
  • Figure 5: ASR results for adversarial prompts with different levels of the token tail constraint, optimized on Llama-3-8B-Instruct. The plot displays the transfer ASR (T-ASR) for Llama-2-7B-Chat and Qwen2-7B-Instruct, and the source ASR (S-ASR) for Llama-3-8B-Instruct, along with the corresponding standard deviation.
  • ...and 1 more figure