Jailbreaking LLMs Without Gradients or Priors: Effective and Transferable Attacks
Zhakshylyk Nurlanov, Frank R. Schmidt, Florian Bernard
TL;DR
This paper tackles the problem of robustly evaluating LLM safety against jailbreaks without relying on gradients or handcrafted priors. It introduces RAILS, a gradient-free, tokenizer-agnostic framework that uses an auto-regressive loss and a history-based candidate selection to bridge the gap between proxy objectives and true harmful outcomes. Through cross-tokenizer ensemble attacks, RAILS achieves high attack success rates on open-source models and strong transfer to closed-source systems, demonstrating that shared vulnerabilities exist across disjoint vocabularies. The results highlight the need for tokenizer-agnostic defenses and provide a practical tool for automated red teaming, with significant implications for improving safety safeguards in real-world LLM deployments.
Abstract
As Large Language Models (LLMs) are increasingly deployed in safety-critical domains, rigorously evaluating their robustness against adversarial jailbreaks is essential. However, current safety evaluations often overestimate robustness because existing automated attacks are limited by restrictive assumptions. They typically rely on handcrafted priors or require white-box access for gradient propagation. We challenge these constraints by demonstrating that token-level iterative optimization can succeed without gradients or priors. We introduce RAILS (RAndom Iterative Local Search), a framework that operates solely on model logits. RAILS matches the effectiveness of gradient-based methods through two key innovations: a novel auto-regressive loss that enforces exact prefix matching, and a history-based selection strategy that bridges the gap between the proxy optimization objective and the true attack success rate. Crucially, by eliminating gradient dependency, RAILS enables cross-tokenizer ensemble attacks. This allows for the discovery of shared adversarial patterns that generalize across disjoint vocabularies, significantly enhancing transferability to closed-source systems. Empirically, RAILS achieves near 100% success rates on multiple open-source models and high black-box attack transferability to closed-source systems like GPT and Gemini.
