Saved in:
Bibliographic Details
Main Authors: Xue, Zhiyu, Liu, Guangliang, Chen, Bocheng, Johnson, Kristen Marie, Pedarsani, Ramtin
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2412.12192
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866916526683062272
author Xue, Zhiyu
Liu, Guangliang
Chen, Bocheng
Johnson, Kristen Marie
Pedarsani, Ramtin
author_facet Xue, Zhiyu
Liu, Guangliang
Chen, Bocheng
Johnson, Kristen Marie
Pedarsani, Ramtin
contents The security of Large Language Models (LLMs) has become an important research topic since the emergence of ChatGPT. Though there have been various effective methods to defend against jailbreak attacks, prefilling attacks remain an unsolved and popular threat against open-sourced LLMs. In-Context Learning (ICL) offers a computationally efficient defense against various jailbreak attacks, yet no effective ICL methods have been developed to counter prefilling attacks. In this paper, we: (1) show that ICL can effectively defend against prefilling jailbreak attacks by employing adversative sentence structures within demonstrations; (2) characterize the effectiveness of this defense through the lens of model size, number of demonstrations, over-defense, integration with other jailbreak attacks, and the presence of safety alignment. Given the experimental results and our analysis, we conclude that there is no free lunch for defending against prefilling jailbreak attacks with ICL. On the one hand, current safety alignment methods fail to mitigate prefilling jailbreak attacks, but adversative structures within ICL demonstrations provide robust defense across various model sizes and complex jailbreak attacks. On the other hand, LLMs exhibit similar over-defensiveness when utilizing ICL demonstrations with adversative structures, and this behavior appears to be independent of model size.
format Preprint
id arxiv_https___arxiv_org_abs_2412_12192
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle No Free Lunch for Defending Against Prefilling Attack by In-Context Learning
Xue, Zhiyu
Liu, Guangliang
Chen, Bocheng
Johnson, Kristen Marie
Pedarsani, Ramtin
Cryptography and Security
Artificial Intelligence
The security of Large Language Models (LLMs) has become an important research topic since the emergence of ChatGPT. Though there have been various effective methods to defend against jailbreak attacks, prefilling attacks remain an unsolved and popular threat against open-sourced LLMs. In-Context Learning (ICL) offers a computationally efficient defense against various jailbreak attacks, yet no effective ICL methods have been developed to counter prefilling attacks. In this paper, we: (1) show that ICL can effectively defend against prefilling jailbreak attacks by employing adversative sentence structures within demonstrations; (2) characterize the effectiveness of this defense through the lens of model size, number of demonstrations, over-defense, integration with other jailbreak attacks, and the presence of safety alignment. Given the experimental results and our analysis, we conclude that there is no free lunch for defending against prefilling jailbreak attacks with ICL. On the one hand, current safety alignment methods fail to mitigate prefilling jailbreak attacks, but adversative structures within ICL demonstrations provide robust defense across various model sizes and complex jailbreak attacks. On the other hand, LLMs exhibit similar over-defensiveness when utilizing ICL demonstrations with adversative structures, and this behavior appears to be independent of model size.
title No Free Lunch for Defending Against Prefilling Attack by In-Context Learning
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2412.12192