One Model Transfer to All: On Robust Jailbreak Prompts Generation against LLMs

Linbao Li, Yannan Liu, Daojing He, Yu Li

TL;DR

ArrAttack tackles the challenge of jailbreak robustness against defended LLMs by pairing a universal robustness judgment mechanism with a rewriting-based prompt generator. It automatically constructs a large, defense-aware dataset of robust jailbreak prompts and trains a generation model to produce effective prompts for various target LLMs. The robustness-judgment component generalizes across defenses and models, enabling rapid adaptation. Empirical results show that ArrAttack achieves superior attack success rates and transferability across multiple models and defenses, highlighting the need for defense-aware evaluation in safety alignment research.

Abstract

Safety alignment in large language models (LLMs) is increasingly compromised by jailbreak attacks, which can manipulate these models to generate harmful or unintended content. Investigating these attacks is crucial for uncovering model vulnerabilities. However, many existing jailbreak strategies fail to keep pace with the rapid development of defense mechanisms, such as defensive suffixes, rendering them ineffective against defended models. To tackle this issue, we introduce a novel attack method called ArrAttack, specifically designed to target defended LLMs. ArrAttack automatically generates robust jailbreak prompts capable of bypassing various defense measures. This capability is supported by a universal robustness judgment model that, once trained, can perform robustness evaluation for any target model with a wide variety of defenses. By leveraging this model, we can rapidly develop a robust jailbreak prompt generator that efficiently converts malicious input prompts into effective attacks. Extensive evaluations reveal that ArrAttack significantly outperforms existing attack strategies, demonstrating strong transferability across both white-box and black-box models, including GPT-4 and Claude-3. Our work bridges the gap between jailbreak attacks and defenses, providing a fresh perspective on generating robust jailbreak prompts. We make the codebase available at https://github.com/LLBao/ArrAttack.

Paper Structure

This paper contains 20 sections, 1 equation, 8 figures, 8 tables.

Figures (8)

  • Figure 1: The overview of our method ArrAttack. Top: The attacker attempts to jailbreak the LLM equipped with defense mechanisms but fails. Middle: The construction of the robustness judgment model and the subsequent robust jailbreak prompts generation model. Bottom: With the support of the robust jailbreak prompts generation model, the attacker can successfully circumvent the defenses of the victim LLM.
  • Figure 2: A sample of the instruction dataset for the robustness judgment model
  • Figure 3: A sample of the instruction dataset for the robust jailbreak prompts generation model
  • Figure 4: Transferability of the robust jailbreak prompts generation model to other LLMs.
  • Figure 5: Influence of the hyperparameter "number of attack attempts".
  • ...and 3 more figures