Table of Contents
Fetching ...

JULI: Jailbreak Large Language Models by Self-Introspection

Jesson Wang, Zhanhao Hu, David Wagner

TL;DR

JULI is proposed, which jailbreaks LLMs by manipulating the token log probabilities, using a tiny plug-in block, BiasNet, and demonstrates superior effectiveness, outperforming existing state-of-the-art (SOTA) approaches across multiple metrics.

Abstract

Large Language Models (LLMs) are trained with safety alignment to prevent generating malicious content. Although some attacks have highlighted vulnerabilities in these safety-aligned LLMs, they typically have limitations, such as necessitating access to the model weights or the generation process. Since proprietary models through API-calling do not grant users such permissions, these attacks find it challenging to compromise them. In this paper, we propose Jailbreaking Using LLM Introspection (JULI), which jailbreaks LLMs by manipulating the token log probabilities, using a tiny plug-in block, BiasNet. JULI relies solely on the knowledge of the target LLM's predicted token log probabilities. It can effectively jailbreak API-calling LLMs under a black-box setting and knowing only top-$5$ token log probabilities. Our approach demonstrates superior effectiveness, outperforming existing state-of-the-art (SOTA) approaches across multiple metrics.

JULI: Jailbreak Large Language Models by Self-Introspection

TL;DR

JULI is proposed, which jailbreaks LLMs by manipulating the token log probabilities, using a tiny plug-in block, BiasNet, and demonstrates superior effectiveness, outperforming existing state-of-the-art (SOTA) approaches across multiple metrics.

Abstract

Large Language Models (LLMs) are trained with safety alignment to prevent generating malicious content. Although some attacks have highlighted vulnerabilities in these safety-aligned LLMs, they typically have limitations, such as necessitating access to the model weights or the generation process. Since proprietary models through API-calling do not grant users such permissions, these attacks find it challenging to compromise them. In this paper, we propose Jailbreaking Using LLM Introspection (JULI), which jailbreaks LLMs by manipulating the token log probabilities, using a tiny plug-in block, BiasNet. JULI relies solely on the knowledge of the target LLM's predicted token log probabilities. It can effectively jailbreak API-calling LLMs under a black-box setting and knowing only top- token log probabilities. Our approach demonstrates superior effectiveness, outperforming existing state-of-the-art (SOTA) approaches across multiple metrics.
Paper Structure (41 sections, 10 equations, 3 figures, 16 tables)

This paper contains 41 sections, 10 equations, 3 figures, 16 tables.

Figures (3)

  • Figure 1: Overview of JULI
  • Figure 2: The frequency of ground truth tokens in harmful responses among the top-k tokens predicted by different LLMs. These frequencies are calculated across $100$ harmful prompt-response pairs in LLM-LAT. For each LLM, the bars from left to right indicate the top 1, 5, 10, 50, and 1000 token hit rates, respectively. Since Gemini only allows to return top-$5$ tokens, we only show the bar for top 1 and 5.
  • Figure 3: Visualization of the difference before and after applying BiasNet. (a) Log probabilities of the first response token; (b) KL Divergence Distribution; (c) Token-level KL Divergence; (d) Token-level Symmetric Difference.