Imperceptible Jailbreaking against Large Language Models

TL;DR

The paper addresses jailbreaking of LLMs in the textual domain by introducing imperceptible modifications using Unicode variation selectors that do not alter on-screen appearance but change tokenization. It crafts adversarial suffixes via a chain-of-search that maximizes the $\ ext{log}$-likelihood of target-start tokens to steer models toward harmful outputs, and demonstrates high attack success rates across four aligned LLMs, with demonstrated generalization to prompt-injection tasks. The work provides strong empirical evidence that invisible characters can bypass safety alignment, supported by attention-shift and embedding-divergence analyses, and introduces a bootstrapped optimization framework that reuses successful components across instances. These findings reveal a novel vulnerability vector in LLM safety mechanisms and motivate developing defenses against invisible-token adversaries, such as perplexity-based filters and robust detection of hidden perturbations.

Abstract

Jailbreaking attacks on the vision modality typically rely on imperceptible adversarial perturbations, whereas attacks on the textual modality are generally assumed to require visible modifications (e.g., non-semantic suffixes). In this paper, we introduce imperceptible jailbreaks that exploit a class of Unicode characters called variation selectors. By appending invisible variation selectors to malicious questions, the jailbreak prompts appear visually identical to original malicious questions on screen, while their tokenization is "secretly" altered. We propose a chain-of-search pipeline to generate such adversarial suffixes to induce harmful responses. Our experiments show that our imperceptible jailbreaks achieve high attack success rates against four aligned LLMs and generalize to prompt injection attacks, all without producing any visible modifications in the written prompt. Our code is available at https://github.com/sail-sg/imperceptible-jailbreaks.

Figures (9)

• Figure 1: An illustrative comparison between an original malicious question and our imperceptible jailbreak prompt. Although both appear visually identical when rendered on screen, the jailbreak version includes invisible suffixes composed of variation selectors. These invisible characters can be encoded by LLM tokenizers as additional tokens, necessary to bypass safety alignment.
• Figure 2: Variation selectors are originally designed to alter the appearance of special characters, but they do not influence the appearance of standard characters, like normal alphabetic characters. Hence, we can use these invisible variation selectors to achieve imperceptible jailbreaks.
• Figure 3: A jailbreak prompt comparison for simple adaptive attacks, $\mathcal{I}$-GCG, and our imperceptible jailbreaks. Simple adaptive attacks involve a carefully crafted template and a visible non-semantic suffix added to malicious questions. $\mathcal{I}$-GCG appends a visible non-semantic suffix to malicious questions. In contrast, our imperceptible jailbreaks combine malicious questions with suffixes consisting of invisible variation selectors, resulting in a jailbreak prompt that appears identical to the malicious question when rendered on screen.
• Figure 4: Distribution of target-start tokens for successful jailbreaks against four aligned LLMs, including Vicuna-13B-v1.5, Llama-2-Chat-7B, Llama-3.1-Instruct-8B, and Mistral-7B-Instruct-v0.2. The results highlight that different models exhibit different preferences on target-start tokens of successful jailbreak response formats.
• Figure 5: Distribution of round numbers for successful jailbreaks against four aligned LLMs, including Vicuna-13B-v1.5, Llama-2-Chat-7B, Llama-3.1-Instruct-8B, and Mistral-7B-Instruct-v0.2. The results show the effectiveness of our chain of search in multiple rounds.