AdaPPA：针对 LLM 的自适应位置预填充越狱攻击方法

arXiv - CS - Cryptography and Security Pub Date : 2024-09-11 DOI:arxiv-2409.07503

Lijia Lv, Weigang Zhang, Xuehai Tang, Jie Wen, Feng Liu, Jizhong Han, Songlin Hu

{"title":"AdaPPA：针对 LLM 的自适应位置预填充越狱攻击方法","authors":"Lijia Lv, Weigang Zhang, Xuehai Tang, Jie Wen, Feng Liu, Jizhong Han, Songlin Hu","doi":"arxiv-2409.07503","DOIUrl":null,"url":null,"abstract":"Jailbreak vulnerabilities in Large Language Models (LLMs) refer to methods\nthat extract malicious content from the model by carefully crafting prompts or\nsuffixes, which has garnered significant attention from the research community.\nHowever, traditional attack methods, which primarily focus on the semantic\nlevel, are easily detected by the model. These methods overlook the difference\nin the model's alignment protection capabilities at different output stages. To\naddress this issue, we propose an adaptive position pre-fill jailbreak attack\napproach for executing jailbreak attacks on LLMs. Our method leverages the\nmodel's instruction-following capabilities to first output pre-filled safe\ncontent, then exploits its narrative-shifting abilities to generate harmful\ncontent. Extensive black-box experiments demonstrate our method can improve the\nattack success rate by 47% on the widely recognized secure model (Llama2)\ncompared to existing approaches. Our code can be found at:\nhttps://github.com/Yummy416/AdaPPA.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"15 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-09-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"AdaPPA: Adaptive Position Pre-Fill Jailbreak Attack Approach Targeting LLMs\",\"authors\":\"Lijia Lv, Weigang Zhang, Xuehai Tang, Jie Wen, Feng Liu, Jizhong Han, Songlin Hu\",\"doi\":\"arxiv-2409.07503\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Jailbreak vulnerabilities in Large Language Models (LLMs) refer to methods\\nthat extract malicious content from the model by carefully crafting prompts or\\nsuffixes, which has garnered significant attention from the research community.\\nHowever, traditional attack methods, which primarily focus on the semantic\\nlevel, are easily detected by the model. These methods overlook the difference\\nin the model's alignment protection capabilities at different output stages. To\\naddress this issue, we propose an adaptive position pre-fill jailbreak attack\\napproach for executing jailbreak attacks on LLMs. Our method leverages the\\nmodel's instruction-following capabilities to first output pre-filled safe\\ncontent, then exploits its narrative-shifting abilities to generate harmful\\ncontent. Extensive black-box experiments demonstrate our method can improve the\\nattack success rate by 47% on the widely recognized secure model (Llama2)\\ncompared to existing approaches. Our code can be found at:\\nhttps://github.com/Yummy416/AdaPPA.\",\"PeriodicalId\":501332,\"journal\":{\"name\":\"arXiv - CS - Cryptography and Security\",\"volume\":\"15 1\",\"pages\":\"\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2024-09-11\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"arXiv - CS - Cryptography and Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/arxiv-2409.07503\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Cryptography and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2409.07503","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

摘要

大型语言模型（LLM）中的越狱漏洞是指通过精心设计提示语或后缀从模型中提取恶意内容的方法，这已引起了研究界的极大关注。然而，传统的攻击方法主要集中在语义层，很容易被模型检测到。这些方法忽略了模型在不同输出阶段的对齐保护能力差异。为了解决这个问题，我们提出了一种自适应位置预填充越狱攻击方法，用于对 LLM 执行越狱攻击。我们的方法利用模型的指令跟随能力，首先输出预填充的安全内容，然后利用其叙事转换能力生成有害内容。广泛的黑盒实验证明，与现有方法相比，我们的方法可以将公认的安全模型（Llama2）的攻击成功率提高 47%。我们的代码见：https://github.com/Yummy416/AdaPPA。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

AdaPPA: Adaptive Position Pre-Fill Jailbreak Attack Approach Targeting LLMs

Jailbreak vulnerabilities in Large Language Models (LLMs) refer to methods that extract malicious content from the model by carefully crafting prompts or suffixes, which has garnered significant attention from the research community. However, traditional attack methods, which primarily focus on the semantic level, are easily detected by the model. These methods overlook the difference in the model's alignment protection capabilities at different output stages. To address this issue, we propose an adaptive position pre-fill jailbreak attack approach for executing jailbreak attacks on LLMs. Our method leverages the model's instruction-following capabilities to first output pre-filled safe content, then exploits its narrative-shifting abilities to generate harmful content. Extensive black-box experiments demonstrate our method can improve the attack success rate by 47% on the widely recognized secure model (Llama2) compared to existing approaches. Our code can be found at: https://github.com/Yummy416/AdaPPA.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

arXiv - CS - Cryptography and Security

自引率

0.00%

发文量