Saved in:
Bibliographic Details
Main Authors: Addepalli, Sravanti, Varun, Yerram, Suggala, Arun, Shanmugam, Karthikeyan, Jain, Prateek
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2412.03235
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866908282386382848
author Addepalli, Sravanti
Varun, Yerram
Suggala, Arun
Shanmugam, Karthikeyan
Jain, Prateek
author_facet Addepalli, Sravanti
Varun, Yerram
Suggala, Arun
Shanmugam, Karthikeyan
Jain, Prateek
contents Large Language Models (LLMs) are known to be susceptible to crafted adversarial attacks or jailbreaks that lead to the generation of objectionable content despite being aligned to human preferences using safety fine-tuning methods. While the large dimensionality of input token space makes it inevitable to find adversarial prompts that can jailbreak these models, we aim to evaluate whether safety fine-tuned LLMs are safe against natural prompts which are semantically related to toxic seed prompts that elicit safe responses after alignment. We surprisingly find that popular aligned LLMs such as GPT-4 can be compromised using naive prompts that are NOT even crafted with an objective of jailbreaking the model. Furthermore, we empirically show that given a seed prompt that elicits a toxic response from an unaligned model, one can systematically generate several semantically related natural prompts that can jailbreak aligned LLMs. Towards this, we propose a method of Response Guided Question Augmentation (ReG-QA) to evaluate the generalization of safety aligned LLMs to natural prompts, that first generates several toxic answers given a seed question using an unaligned LLM (Q to A), and further leverages an LLM to generate questions that are likely to produce these answers (A to Q). We interestingly find that safety fine-tuned LLMs such as GPT-4o are vulnerable to producing natural jailbreak questions from unsafe content (without denial) and can thus be used for the latter (A to Q) step. We obtain attack success rates that are comparable to/ better than leading adversarial attack methods on the JailbreakBench leaderboard, while being significantly more stable against defenses such as Smooth-LLM and Synonym Substitution, which are effective against existing all attacks on the leaderboard.
format Preprint
id arxiv_https___arxiv_org_abs_2412_03235
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Does Safety Training of LLMs Generalize to Semantically Related Natural Prompts?
Addepalli, Sravanti
Varun, Yerram
Suggala, Arun
Shanmugam, Karthikeyan
Jain, Prateek
Computation and Language
Artificial Intelligence
Large Language Models (LLMs) are known to be susceptible to crafted adversarial attacks or jailbreaks that lead to the generation of objectionable content despite being aligned to human preferences using safety fine-tuning methods. While the large dimensionality of input token space makes it inevitable to find adversarial prompts that can jailbreak these models, we aim to evaluate whether safety fine-tuned LLMs are safe against natural prompts which are semantically related to toxic seed prompts that elicit safe responses after alignment. We surprisingly find that popular aligned LLMs such as GPT-4 can be compromised using naive prompts that are NOT even crafted with an objective of jailbreaking the model. Furthermore, we empirically show that given a seed prompt that elicits a toxic response from an unaligned model, one can systematically generate several semantically related natural prompts that can jailbreak aligned LLMs. Towards this, we propose a method of Response Guided Question Augmentation (ReG-QA) to evaluate the generalization of safety aligned LLMs to natural prompts, that first generates several toxic answers given a seed question using an unaligned LLM (Q to A), and further leverages an LLM to generate questions that are likely to produce these answers (A to Q). We interestingly find that safety fine-tuned LLMs such as GPT-4o are vulnerable to producing natural jailbreak questions from unsafe content (without denial) and can thus be used for the latter (A to Q) step. We obtain attack success rates that are comparable to/ better than leading adversarial attack methods on the JailbreakBench leaderboard, while being significantly more stable against defenses such as Smooth-LLM and Synonym Substitution, which are effective against existing all attacks on the leaderboard.
title Does Safety Training of LLMs Generalize to Semantically Related Natural Prompts?
topic Computation and Language
Artificial Intelligence
url https://arxiv.org/abs/2412.03235