Saved in:
Bibliographic Details
Main Authors: Zhao, Xuandong, Yang, Xianjun, Pang, Tianyu, Du, Chao, Li, Lei, Wang, Yu-Xiang, Wang, William Yang
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2401.17256
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866912498520686592
author Zhao, Xuandong
Yang, Xianjun
Pang, Tianyu
Du, Chao
Li, Lei
Wang, Yu-Xiang
Wang, William Yang
author_facet Zhao, Xuandong
Yang, Xianjun
Pang, Tianyu
Du, Chao
Li, Lei
Wang, Yu-Xiang
Wang, William Yang
contents Large language models (LLMs) are vulnerable to jailbreak attacks - resulting in harmful, unethical, or biased text generations. However, existing jailbreaking methods are computationally costly. In this paper, we propose the weak-to-strong jailbreaking attack, an efficient inference time attack for aligned LLMs to produce harmful text. Our key intuition is based on the observation that jailbroken and aligned models only differ in their initial decoding distributions. The weak-to-strong attack's key technical insight is using two smaller models (a safe and an unsafe one) to adversarially modify a significantly larger safe model's decoding probabilities. We evaluate the weak-to-strong attack on 5 diverse open-source LLMs from 3 organizations. The results show our method can increase the misalignment rate to over 99% on two datasets with just one forward pass per example. Our study exposes an urgent safety issue that needs to be addressed when aligning LLMs. As an initial attempt, we propose a defense strategy to protect against such attacks, but creating more advanced defenses remains challenging. The code for replicating the method is available at https://github.com/XuandongZhao/weak-to-strong
format Preprint
id arxiv_https___arxiv_org_abs_2401_17256
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Weak-to-Strong Jailbreaking on Large Language Models
Zhao, Xuandong
Yang, Xianjun
Pang, Tianyu
Du, Chao
Li, Lei
Wang, Yu-Xiang
Wang, William Yang
Computation and Language
Large language models (LLMs) are vulnerable to jailbreak attacks - resulting in harmful, unethical, or biased text generations. However, existing jailbreaking methods are computationally costly. In this paper, we propose the weak-to-strong jailbreaking attack, an efficient inference time attack for aligned LLMs to produce harmful text. Our key intuition is based on the observation that jailbroken and aligned models only differ in their initial decoding distributions. The weak-to-strong attack's key technical insight is using two smaller models (a safe and an unsafe one) to adversarially modify a significantly larger safe model's decoding probabilities. We evaluate the weak-to-strong attack on 5 diverse open-source LLMs from 3 organizations. The results show our method can increase the misalignment rate to over 99% on two datasets with just one forward pass per example. Our study exposes an urgent safety issue that needs to be addressed when aligning LLMs. As an initial attempt, we propose a defense strategy to protect against such attacks, but creating more advanced defenses remains challenging. The code for replicating the method is available at https://github.com/XuandongZhao/weak-to-strong
title Weak-to-Strong Jailbreaking on Large Language Models
topic Computation and Language
url https://arxiv.org/abs/2401.17256