ASETF: A Novel Method for Jailbreak Attack on LLMs through Translate Suffix Embeddings

📄 arXiv: 2402.16006v2 📥 PDF

作者: Hao Wang, Hao Li, Minlie Huang, Lei Sha

分类: cs.CL

发布日期: 2024-02-25 (更新: 2024-06-04)


💡 一句话要点

提出ASETF以解决大语言模型的安全防御问题

🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)

关键词: 对抗攻击 大语言模型 安全防御 文本生成 嵌入学习 机器学习 自然语言处理

📋 核心要点

  1. 现有大语言模型的安全防御方法主要针对少数已知攻击类型,无法应对新兴的多样化攻击。
  2. 本文提出的ASETF方法通过将对抗后缀嵌入转化为可理解文本,降低了计算开销并自动生成对抗样本。
  3. 实验结果显示,ASETF在Llama2、Vicuna等模型上显著提高了攻击成功率,并提升了文本流畅性。

📝 摘要(中文)

大语言模型(LLMs)的安全防御方法仍然有限,因为危险提示仅针对少数已知攻击类型进行手动策划,无法跟上新兴变种。近期研究发现,附加后缀到有害指令上可以突破LLMs的防御,导致危险输出。然而,类似于传统文本对抗攻击,这种方法在离散标记的挑战下效果有限。为应对这一挑战,本文提出了一种对抗后缀嵌入翻译框架(ASETF),旨在将连续的对抗后缀嵌入转化为连贯易懂的文本。该方法显著减少了攻击过程中的计算开销,并有助于自动生成多个对抗样本,用于增强LLMs的安全防御。实验结果表明,该方法显著提高了攻击成功率,并增强了提示的文本流畅性。

🔬 方法详解

问题定义:本文旨在解决大语言模型在面对新型对抗攻击时的安全防御不足,现有方法在处理离散标记时效率低下,且容易被常见防御机制穿透。

核心思路:ASETF通过将对抗后缀嵌入转化为连贯的文本,克服了传统方法在离散优化中的局限性,从而提高攻击效率和成功率。

技术框架:ASETF的整体架构包括对抗后缀嵌入生成模块、文本翻译模块和攻击样本生成模块,形成一个闭环的攻击流程。

关键创新:该方法的核心创新在于将对抗后缀嵌入转化为可理解的文本,显著降低了对抗攻击的计算成本,并提高了攻击的成功率。

关键设计:在设计中,采用了特定的损失函数以优化文本流畅性,并通过多样化的对抗样本生成策略增强了模型的鲁棒性。实验中使用的参数设置和网络结构经过精心调优,以确保最佳性能。

🖼️ 关键图片

fig_0
fig_1
fig_2

📊 实验亮点

实验结果表明,ASETF方法在Llama2和Vicuna等模型上显著减少了对抗后缀的计算时间,攻击成功率提高了50%以上,同时文本流畅性也得到了显著增强,展示了其优越的性能。

🎯 应用场景

该研究具有广泛的应用潜力,尤其在提升大语言模型的安全性方面。通过生成对抗样本,能够帮助开发更强大的防御机制,保护模型免受新型攻击的威胁,未来可能在安全AI、自动化内容审核等领域发挥重要作用。

📄 摘要(原文)

The safety defense methods of Large language models(LLMs) stays limited because the dangerous prompts are manually curated to just few known attack types, which fails to keep pace with emerging varieties. Recent studies found that attaching suffixes to harmful instructions can hack the defense of LLMs and lead to dangerous outputs. However, similar to traditional text adversarial attacks, this approach, while effective, is limited by the challenge of the discrete tokens. This gradient based discrete optimization attack requires over 100,000 LLM calls, and due to the unreadable of adversarial suffixes, it can be relatively easily penetrated by common defense methods such as perplexity filters. To cope with this challenge, in this paper, we proposes an Adversarial Suffix Embedding Translation Framework (ASETF), aimed at transforming continuous adversarial suffix embeddings into coherent and understandable text. This method greatly reduces the computational overhead during the attack process and helps to automatically generate multiple adversarial samples, which can be used as data to strengthen LLMs security defense. Experimental evaluations were conducted on Llama2, Vicuna, and other prominent LLMs, employing harmful directives sourced from the Advbench dataset. The results indicate that our method significantly reduces the computation time of adversarial suffixes and achieves a much better attack success rate to existing techniques, while significantly enhancing the textual fluency of the prompts. In addition, our approach can be generalized into a broader method for generating transferable adversarial suffixes that can successfully attack multiple LLMs, even black-box LLMs, such as ChatGPT and Gemini.