Table of Contents
Fetching ...

LARGO: Latent Adversarial Reflection through Gradient Optimization for Jailbreaking LLMs

Ran Li, Hao Wang, Chengzhi Mao

TL;DR

The paper tackles vulnerabilities in aligned LLMs where discrete, token-level prompt design fails to robustly prevent jailbreak attempts. It introduces LARGO, a latent-space gradient-based attack that first optimizes a continuous embedding $z$ in the model's latent space and then uses the model itself to decode this embedding into fluent natural-language suffixes via self-reflective decoding, followed by back-projection for iterative refinement. Empirically, LARGO achieves higher attack success rates than state-of-the-art baselines such as GCG and AutoDAN on AdvBench and JailbreakBench across multiple models (e.g., Llama-2 variants and Phi-3) and demonstrates transferability and a universal-jailbreak capability with lower suffix perplexity. These results reveal exploitable latent vulnerabilities in current alignment strategies and motivate stronger defenses against gradient-based latent attacks.

Abstract

Efficient red-teaming method to uncover vulnerabilities in Large Language Models (LLMs) is crucial. While recent attacks often use LLMs as optimizers, the discrete language space make gradient-based methods struggle. We introduce LARGO (Latent Adversarial Reflection through Gradient Optimization), a novel latent self-reflection attack that reasserts the power of gradient-based optimization for generating fluent jailbreaking prompts. By operating within the LLM's continuous latent space, LARGO first optimizes an adversarial latent vector and then recursively call the same LLM to decode the latent into natural language. This methodology yields a fast, effective, and transferable attack that produces fluent and stealthy prompts. On standard benchmarks like AdvBench and JailbreakBench, LARGO surpasses leading jailbreaking techniques, including AutoDAN, by 44 points in attack success rate. Our findings demonstrate a potent alternative to agentic LLM prompting, highlighting the efficacy of interpreting and attacking LLM internals through gradient optimization.

LARGO: Latent Adversarial Reflection through Gradient Optimization for Jailbreaking LLMs

TL;DR

The paper tackles vulnerabilities in aligned LLMs where discrete, token-level prompt design fails to robustly prevent jailbreak attempts. It introduces LARGO, a latent-space gradient-based attack that first optimizes a continuous embedding in the model's latent space and then uses the model itself to decode this embedding into fluent natural-language suffixes via self-reflective decoding, followed by back-projection for iterative refinement. Empirically, LARGO achieves higher attack success rates than state-of-the-art baselines such as GCG and AutoDAN on AdvBench and JailbreakBench across multiple models (e.g., Llama-2 variants and Phi-3) and demonstrates transferability and a universal-jailbreak capability with lower suffix perplexity. These results reveal exploitable latent vulnerabilities in current alignment strategies and motivate stronger defenses against gradient-based latent attacks.

Abstract

Efficient red-teaming method to uncover vulnerabilities in Large Language Models (LLMs) is crucial. While recent attacks often use LLMs as optimizers, the discrete language space make gradient-based methods struggle. We introduce LARGO (Latent Adversarial Reflection through Gradient Optimization), a novel latent self-reflection attack that reasserts the power of gradient-based optimization for generating fluent jailbreaking prompts. By operating within the LLM's continuous latent space, LARGO first optimizes an adversarial latent vector and then recursively call the same LLM to decode the latent into natural language. This methodology yields a fast, effective, and transferable attack that produces fluent and stealthy prompts. On standard benchmarks like AdvBench and JailbreakBench, LARGO surpasses leading jailbreaking techniques, including AutoDAN, by 44 points in attack success rate. Our findings demonstrate a potent alternative to agentic LLM prompting, highlighting the efficacy of interpreting and attacking LLM internals through gradient optimization.
Paper Structure (22 sections, 4 figures, 6 tables, 2 algorithms)

This paper contains 22 sections, 4 figures, 6 tables, 2 algorithms.

Figures (4)

  • Figure 1: Examples of adversarial suffixes generated by LARGO under single-prompt and multi-prompt settings. Either optimized against a single prompt or multiple prompts, LARGO generates extremely benign-looking suffixes that lead to jailbreak. Below we show a suffix that successfully jailbreaks the Llama-2-7b-chat-hf model when appended to individual harmful prompts.
  • Figure 2: Optimization trace of a single adversarial suffix. As shown by the loss graph, our algorithm first finds a local optima at iteration 2, then jumps out of it at iteration 3, and gradually optimizes the same suffix sentence to arrive at the global optima at iteration 5, which successfully jailbreaks the Llama 2-7B model. The final suffix is benign looking and human readable, yet the model generates harmful information that it would otherwise refuse.
  • Figure 3: Overview of our three-staged algorithm. We first optimize a continuous embedding in the latent space that triggers jailbreak (left figure, red blocks), then leverage the LLM to interpret the embedding into natural language (right figure). Finally, we project it back into the embedding space for iterative refinement until the model outputs an affirmative response (curly arrow).
  • Figure 4: Examples of successful jailbreaks generated by LARGO. Exact suffixes truncated.