A Simple and Efficient Jailbreak Method Exploiting LLMs' Helpfulness

TL;DR

This work exposes significant vulnerabilities of safety measures against learning-style elicitation, highlighting a critical challenge of fulfilling both helpfulness and safety alignments.

Abstract

This study reveals a critical safety blind spot in modern LLMs: learning-style queries, which closely resemble ordinary educational questions, can reliably elicit harmful responses. The learning-style queries are constructed by a novel reframing paradigm: HILL (Hiding Intention by Learning from LLMs). The deterministic, model-agnostic reframing framework is composed of 4 conceptual components: 1) key concept, 2) exploratory transformation, 3) detail-oriented inquiry, and optionally 4) hypotheticality. Further, new metrics are introduced to thoroughly evaluate the efficiency and harmfulness of jailbreak methods. Experiments on the AdvBench dataset across a wide range of models demonstrate HILL's strong generalizability. It achieves top attack success rates on the majority of models and across malicious categories while maintaining high efficiency with concise prompts. On the other hand, results of various defense methods show the robustness of HILL, with most defenses having mediocre effects or even increasing the attack success rates. In addition, the assessment of defenses on the constructed safe prompts reveals inherent limitations of LLMs' safety mechanisms and flaws in the defense methods. This work exposes significant vulnerabilities of safety measures against learning-style elicitation, highlighting a critical challenge of fulfilling both helpfulness and safety alignments.

Figures (11)

• Figure 1: The Attack Success Rate (ASR, %) of state-of-the-art jailbreak methods on 22 models. The Original represents the original harmful queries without being revised by jailbreak methods.
• Figure 2: Harmful query reframing framework of HILL. Examples of 4 reframed prompts and a successful attack.
• Figure 3: The number of successfully attacked models by different jailbreak methods (a total of 22 models). Zeros indicate either a failure within their released data or elimination through intention-check. HILL successfully compromises an average of 16.5 models per query, demonstrating strong generalizability across diverse categories (indices are detailed in Table \ref{['tab:data_category']}), particularly evident in high-risk domains: Bomb, Cheating, Financial, Fraud, Hacking, Piracy, Identity Theft, Stalking, Murder, Suicide, Poisoning, and Terrorism.
• Figure 4: The distribution of successful HILL attacks across models. Red blocks for success; white for failure.
• Figure 5: Comparisons of different hypotheticality indicators in prefix. The main results are presented by the red line. The standard deviation range is between [0, 2.5], with an average of 1.1.