Table of Contents
Fetching ...

RECAP: A Resource-Efficient Method for Adversarial Prompting in Large Language Models

Rishit Chugh

TL;DR

This work tackles the high computational cost of adversarial prompting for LLM safety testing by introducing RECAP, a retrieval-augmented framework that uses a database of pre-trained adversarial prompts to test guardrails without retraining. By employing semantic similarity search (FAISS) over embeddings from a lightweight SentenceTransformer model, RECAP achieves competitive attack success rates with dramatically reduced inference time, and extends to black-box models where logits are unavailable. Empirical results on Llama 3 8B show a balance between attack efficacy and resource use, with 4-minute inference times versus hours for gradient-based methods. Expanding the retrieval database is expected to further boost performance, making scalable red-teaming accessible to resource-constrained organizations and enhancing robustness of aligned LLMs.

Abstract

The deployment of large language models (LLMs) has raised security concerns due to their susceptibility to producing harmful or policy-violating outputs when exposed to adversarial prompts. While alignment and guardrails mitigate common misuse, they remain vulnerable to automated jailbreaking methods such as GCG, PEZ, and GBDA, which generate adversarial suffixes via training and gradient-based search. Although effective, these methods particularly GCG are computationally expensive, limiting their practicality for organisations with constrained resources. This paper introduces a resource-efficient adversarial prompting approach that eliminates the need for retraining by matching new prompts to a database of pre-trained adversarial prompts. A dataset of 1,000 prompts was classified into seven harm-related categories, and GCG, PEZ, and GBDA were evaluated on a Llama 3 8B model to identify the most effective attack method per category. Results reveal a correlation between prompt type and algorithm effectiveness. By retrieving semantically similar successful adversarial prompts, the proposed method achieves competitive attack success rates with significantly reduced computational cost. This work provides a practical framework for scalable red-teaming and security evaluation of aligned LLMs, including in settings where model internals are inaccessible.

RECAP: A Resource-Efficient Method for Adversarial Prompting in Large Language Models

TL;DR

This work tackles the high computational cost of adversarial prompting for LLM safety testing by introducing RECAP, a retrieval-augmented framework that uses a database of pre-trained adversarial prompts to test guardrails without retraining. By employing semantic similarity search (FAISS) over embeddings from a lightweight SentenceTransformer model, RECAP achieves competitive attack success rates with dramatically reduced inference time, and extends to black-box models where logits are unavailable. Empirical results on Llama 3 8B show a balance between attack efficacy and resource use, with 4-minute inference times versus hours for gradient-based methods. Expanding the retrieval database is expected to further boost performance, making scalable red-teaming accessible to resource-constrained organizations and enhancing robustness of aligned LLMs.

Abstract

The deployment of large language models (LLMs) has raised security concerns due to their susceptibility to producing harmful or policy-violating outputs when exposed to adversarial prompts. While alignment and guardrails mitigate common misuse, they remain vulnerable to automated jailbreaking methods such as GCG, PEZ, and GBDA, which generate adversarial suffixes via training and gradient-based search. Although effective, these methods particularly GCG are computationally expensive, limiting their practicality for organisations with constrained resources. This paper introduces a resource-efficient adversarial prompting approach that eliminates the need for retraining by matching new prompts to a database of pre-trained adversarial prompts. A dataset of 1,000 prompts was classified into seven harm-related categories, and GCG, PEZ, and GBDA were evaluated on a Llama 3 8B model to identify the most effective attack method per category. Results reveal a correlation between prompt type and algorithm effectiveness. By retrieving semantically similar successful adversarial prompts, the proposed method achieves competitive attack success rates with significantly reduced computational cost. This work provides a practical framework for scalable red-teaming and security evaluation of aligned LLMs, including in settings where model internals are inaccessible.
Paper Structure (12 sections, 1 figure, 1 table)

This paper contains 12 sections, 1 figure, 1 table.

Figures (1)

  • Figure 1: The RECAP Inference Pipeline: Input prompts are encoded and matched against a pre-compiled database of successful adversarial prompts before being sent to the target LLM.