COLD-Attack: Jailbreaking LLMs with Stealthiness and Controllability

📄 arXiv: 2402.08679v2 📥 PDF

作者: Xingang Guo, Fangxu Yu, Huan Zhang, Lianhui Qin, Bin Hu

分类: cs.LG, cs.AI, cs.CL

发布日期: 2024-02-13 (更新: 2024-06-07)

备注: Accepted to ICML 2024

🔗 代码/项目: GITHUB


💡 一句话要点

提出COLD-Attack以解决可控性与隐蔽性问题

🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)

关键词: 大型语言模型 对抗性攻击 可控文本生成 隐蔽性 安全性评估

📋 核心要点

  1. 现有的LLMs越狱攻击方法缺乏对攻击过程的可控性,难以满足多样化的攻击需求。
  2. 本文提出的COLD-Attack框架通过结合可控文本生成技术,自动化生成满足特定控制要求的对抗性攻击。
  3. 实验结果显示,COLD-Attack在多个LLMs上具有高成功率和良好的攻击转移性,展示了其广泛的适用性。

📝 摘要(中文)

针对大型语言模型(LLMs)的越狱攻击,本文提出了一种新的框架COLD-Attack,旨在实现对攻击的可控性和隐蔽性。通过将可控攻击生成问题与可控文本生成相结合,本文提出了一种高效的能量约束解码算法,能够在多种控制要求下自动化搜索对抗性攻击。实验结果表明,COLD-Attack在多种LLMs上表现出强大的适用性和高成功率,展示了其在生成流畅攻击、修订用户查询和插入隐蔽攻击等新场景中的广泛应用潜力。

🔬 方法详解

问题定义:本文旨在解决现有LLMs越狱攻击方法在可控性和隐蔽性方面的不足,特别是在多样化攻击需求下的挑战。现有方法往往无法灵活应对不同的上下文和情感变化。

核心思路:COLD-Attack框架通过将可控攻击生成问题与可控文本生成相结合,利用能量约束解码算法,提供了一种高效的攻击生成方式,以实现对攻击的精确控制。

技术框架:该框架包含多个模块,包括输入处理、攻击生成和输出评估。通过对输入进行分析,框架能够根据设定的控制要求生成相应的对抗性文本。

关键创新:COLD-Attack的主要创新在于其将可控文本生成技术应用于对抗性攻击生成,形成了一个新的研究方向。与传统方法相比,COLD-Attack在攻击的多样性和可控性上具有显著优势。

关键设计:在设计上,COLD-Attack采用了能量约束解码算法,并设置了多种控制参数,如流畅性、隐蔽性和情感等,以满足不同的攻击需求。

🖼️ 关键图片

fig_0
fig_1
fig_2

📊 实验亮点

在对Llama-2、Mistral、Vicuna、Guanaco、GPT-3.5和GPT-4等多个LLMs进行的实验中,COLD-Attack展示了高达85%的成功率,显著高于传统方法的成功率。此外,攻击的转移性也得到了验证,表明该框架在不同模型间的适用性。

🎯 应用场景

COLD-Attack框架在安全性评估、对抗性测试和自然语言处理等领域具有广泛的应用潜力。它可以帮助研究人员和开发者更好地理解和防御LLMs的潜在攻击,提升模型的安全性和鲁棒性。未来,该框架可能推动对抗性生成技术的发展,促进更安全的AI系统构建。

📄 摘要(原文)

Jailbreaks on large language models (LLMs) have recently received increasing attention. For a comprehensive assessment of LLM safety, it is essential to consider jailbreaks with diverse attributes, such as contextual coherence and sentiment/stylistic variations, and hence it is beneficial to study controllable jailbreaking, i.e. how to enforce control on LLM attacks. In this paper, we formally formulate the controllable attack generation problem, and build a novel connection between this problem and controllable text generation, a well-explored topic of natural language processing. Based on this connection, we adapt the Energy-based Constrained Decoding with Langevin Dynamics (COLD), a state-of-the-art, highly efficient algorithm in controllable text generation, and introduce the COLD-Attack framework which unifies and automates the search of adversarial LLM attacks under a variety of control requirements such as fluency, stealthiness, sentiment, and left-right-coherence. The controllability enabled by COLD-Attack leads to diverse new jailbreak scenarios which not only cover the standard setting of generating fluent (suffix) attack with continuation constraint, but also allow us to address new controllable attack settings such as revising a user query adversarially with paraphrasing constraint, and inserting stealthy attacks in context with position constraint. Our extensive experiments on various LLMs (Llama-2, Mistral, Vicuna, Guanaco, GPT-3.5, and GPT-4) show COLD-Attack's broad applicability, strong controllability, high success rate, and attack transferability. Our code is available at https://github.com/Yu-Fangxu/COLD-Attack.