Table of Contents
Fetching ...

Graph of Attacks: Improved Black-Box and Interpretable Jailbreaks for LLMs

Mohammad Akbar-Tajari, Mohammad Taher Pilehvar, Mohammad Mahmoody

TL;DR

GoAT introduces Graph of Attacks, a black-box, graph-based framework that extends Graph of Thoughts to generate context-aware adversarial prompts for jailbreaking LLMs. By maintaining a globally connected reasoning graph and integrating multiple paths through a minimum-spanning-tree strategy, GoAT achieves higher jailbreak success with far fewer queries than prior methods, even against robust closed-source models. The approach uses a modular attacker team (Prompt Generator, Filter, Evaluator, Adversary) and leverages GPT-4 for evaluation and filtering, with human judgments used for low-confidence cases. Experimental results on AdvBench show GoAT achieving up to 98% success on Vicuna-7B and strong performance on GPT-4 and Claude-3, while requiring dramatically fewer queries than baselines, illustrating both the effectiveness and efficiency of graph-based adversarial prompt synthesis. The work highlights the importance of cross-path information sharing for vulnerability discovery and points to future directions in defense strengthening and broader, responsible evaluation.

Abstract

The challenge of ensuring Large Language Models (LLMs) align with societal standards is of increasing interest, as these models are still prone to adversarial jailbreaks that bypass their safety mechanisms. Identifying these vulnerabilities is crucial for enhancing the robustness of LLMs against such exploits. We propose Graph of ATtacks (GoAT), a method for generating adversarial prompts to test the robustness of LLM alignment using the Graph of Thoughts framework [Besta et al., 2024]. GoAT excels at generating highly effective jailbreak prompts with fewer queries to the victim model than state-of-the-art attacks, achieving up to five times better jailbreak success rate against robust models like Llama. Notably, GoAT creates high-quality, human-readable prompts without requiring access to the targeted model's parameters, making it a black-box attack. Unlike approaches constrained by tree-based reasoning, GoAT's reasoning is based on a more intricate graph structure. By making simultaneous attack paths aware of each other's progress, this dynamic framework allows a deeper integration and refinement of reasoning paths, significantly enhancing the collaborative exploration of adversarial vulnerabilities in LLMs. At a technical level, GoAT starts with a graph structure and iteratively refines it by combining and improving thoughts, enabling synergy between different thought paths. The code for our implementation can be found at: https://github.com/GoAT-pydev/Graph_of_Attacks.

Graph of Attacks: Improved Black-Box and Interpretable Jailbreaks for LLMs

TL;DR

GoAT introduces Graph of Attacks, a black-box, graph-based framework that extends Graph of Thoughts to generate context-aware adversarial prompts for jailbreaking LLMs. By maintaining a globally connected reasoning graph and integrating multiple paths through a minimum-spanning-tree strategy, GoAT achieves higher jailbreak success with far fewer queries than prior methods, even against robust closed-source models. The approach uses a modular attacker team (Prompt Generator, Filter, Evaluator, Adversary) and leverages GPT-4 for evaluation and filtering, with human judgments used for low-confidence cases. Experimental results on AdvBench show GoAT achieving up to 98% success on Vicuna-7B and strong performance on GPT-4 and Claude-3, while requiring dramatically fewer queries than baselines, illustrating both the effectiveness and efficiency of graph-based adversarial prompt synthesis. The work highlights the importance of cross-path information sharing for vulnerability discovery and points to future directions in defense strengthening and broader, responsible evaluation.

Abstract

The challenge of ensuring Large Language Models (LLMs) align with societal standards is of increasing interest, as these models are still prone to adversarial jailbreaks that bypass their safety mechanisms. Identifying these vulnerabilities is crucial for enhancing the robustness of LLMs against such exploits. We propose Graph of ATtacks (GoAT), a method for generating adversarial prompts to test the robustness of LLM alignment using the Graph of Thoughts framework [Besta et al., 2024]. GoAT excels at generating highly effective jailbreak prompts with fewer queries to the victim model than state-of-the-art attacks, achieving up to five times better jailbreak success rate against robust models like Llama. Notably, GoAT creates high-quality, human-readable prompts without requiring access to the targeted model's parameters, making it a black-box attack. Unlike approaches constrained by tree-based reasoning, GoAT's reasoning is based on a more intricate graph structure. By making simultaneous attack paths aware of each other's progress, this dynamic framework allows a deeper integration and refinement of reasoning paths, significantly enhancing the collaborative exploration of adversarial vulnerabilities in LLMs. At a technical level, GoAT starts with a graph structure and iteratively refines it by combining and improving thoughts, enabling synergy between different thought paths. The code for our implementation can be found at: https://github.com/GoAT-pydev/Graph_of_Attacks.
Paper Structure (34 sections, 3 equations, 1 figure, 6 tables, 1 algorithm)

This paper contains 34 sections, 3 equations, 1 figure, 6 tables, 1 algorithm.

Figures (1)

  • Figure 1: Overview of our black-box attack method. The right side presents the overall structure of GoAT, consisting of the $\mathsf{Adversary}$ component, which oversees the conversational history to ensure structured reasoning. The left side depicts the expansion of reasoning paths and the construction of new nodes. Each iteration follows a four-step process: (I) $\mathsf{Prompt\ Generator}$ produces new candidate prompts, (II) $\mathsf{Filter}$ evaluates each candidate and provides a relevancy score, (III) $\mathsf{Evaluator}$ assesses $\mathsf{Target}$s' responses, and (IV) $\mathsf{Adversary}$ determines which information is retained for further refinement. The retained information leads to the creation of new nodes in the reasoning graphs, as shown in the second row, with their corresponding labels recorded in vis_conv_info (visible conversational information). Partial conversation logs are shown here, and full details are provided in Table \ref{['tab:aggEff-goat']}.