Graph of Attacks: Improved Black-Box and Interpretable Jailbreaks for LLMs
Mohammad Akbar-Tajari, Mohammad Taher Pilehvar, Mohammad Mahmoody
TL;DR
GoAT introduces Graph of Attacks, a black-box, graph-based framework that extends Graph of Thoughts to generate context-aware adversarial prompts for jailbreaking LLMs. By maintaining a globally connected reasoning graph and integrating multiple paths through a minimum-spanning-tree strategy, GoAT achieves higher jailbreak success with far fewer queries than prior methods, even against robust closed-source models. The approach uses a modular attacker team (Prompt Generator, Filter, Evaluator, Adversary) and leverages GPT-4 for evaluation and filtering, with human judgments used for low-confidence cases. Experimental results on AdvBench show GoAT achieving up to 98% success on Vicuna-7B and strong performance on GPT-4 and Claude-3, while requiring dramatically fewer queries than baselines, illustrating both the effectiveness and efficiency of graph-based adversarial prompt synthesis. The work highlights the importance of cross-path information sharing for vulnerability discovery and points to future directions in defense strengthening and broader, responsible evaluation.
Abstract
The challenge of ensuring Large Language Models (LLMs) align with societal standards is of increasing interest, as these models are still prone to adversarial jailbreaks that bypass their safety mechanisms. Identifying these vulnerabilities is crucial for enhancing the robustness of LLMs against such exploits. We propose Graph of ATtacks (GoAT), a method for generating adversarial prompts to test the robustness of LLM alignment using the Graph of Thoughts framework [Besta et al., 2024]. GoAT excels at generating highly effective jailbreak prompts with fewer queries to the victim model than state-of-the-art attacks, achieving up to five times better jailbreak success rate against robust models like Llama. Notably, GoAT creates high-quality, human-readable prompts without requiring access to the targeted model's parameters, making it a black-box attack. Unlike approaches constrained by tree-based reasoning, GoAT's reasoning is based on a more intricate graph structure. By making simultaneous attack paths aware of each other's progress, this dynamic framework allows a deeper integration and refinement of reasoning paths, significantly enhancing the collaborative exploration of adversarial vulnerabilities in LLMs. At a technical level, GoAT starts with a graph structure and iteratively refines it by combining and improving thoughts, enabling synergy between different thought paths. The code for our implementation can be found at: https://github.com/GoAT-pydev/Graph_of_Attacks.
