Machine Learning for Detection and Analysis of Novel LLM Jailbreaks
John Hawkins, Aditya Pramar, Rodney Beard, Rohitash Chandra
TL;DR
The paper tackles the problem of detecting jailbreak prompts that circumvent LLM safety guardrails by comparing TFIDF-based classifiers with end-to-end BERT classifiers for both jailbreak detection and classification of jailbreak types. It demonstrates that fine-tuning a BERT model end-to-end yields the strongest performance on known jailbreaks, with very high AUC and accuracy and low variability. The authors also assess robustness to novel jailbreak strategies through hold-out analyses, finding that detection performance can degrade for semantically distinct prompts and is influenced by training data size. A keyword-based analysis uncovers reflexive language about model alignment and policy as signals of jailbreak intent, offering guidance for feature engineering and future mitigation efforts.
Abstract
Large Language Models (LLMs) suffer from a range of vulnerabilities that allow malicious users to solicit undesirable responses through manipulation of the input text. These so-called jailbreak prompts are designed to trick the LLM into circumventing the safety guardrails put in place to keep responses acceptable to the developer's policies. In this study, we analyse the ability of different machine learning models to distinguish jailbreak prompts from genuine uses, including looking at our ability to identify jailbreaks that use previously unseen strategies. Our results indicate that using current datasets the best performance is achieved by fine tuning a Bidirectional Encoder Representations from Transformers (BERT) model end-to-end for identifying jailbreaks. We visualise the keywords that distinguish jailbreak from genuine prompts and conclude that explicit reflexivity in prompt structure could be a signal of jailbreak intention.