Saved in:
Bibliographic Details
Main Authors: Wang, Hao, Li, Hao, Zhu, Junda, Wang, Xinyuan, Pan, Chengwei, Huang, MinLie, Sha, Lei
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2412.17522
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866909448435400704
author Wang, Hao
Li, Hao
Zhu, Junda
Wang, Xinyuan
Pan, Chengwei
Huang, MinLie
Sha, Lei
author_facet Wang, Hao
Li, Hao
Zhu, Junda
Wang, Xinyuan
Pan, Chengwei
Huang, MinLie
Sha, Lei
contents Large Language Models (LLMs) are susceptible to generating harmful content when prompted with carefully crafted inputs, a vulnerability known as LLM jailbreaking. As LLMs become more powerful, studying jailbreak methods is critical to enhancing security and aligning models with human values. Traditionally, jailbreak techniques have relied on suffix addition or prompt templates, but these methods suffer from limited attack diversity. This paper introduces DiffusionAttacker, an end-to-end generative approach for jailbreak rewriting inspired by diffusion models. Our method employs a sequence-to-sequence (seq2seq) text diffusion model as a generator, conditioning on the original prompt and guiding the denoising process with a novel attack loss. Unlike previous approaches that use autoregressive LLMs to generate jailbreak prompts, which limit the modification of already generated tokens and restrict the rewriting space, DiffusionAttacker utilizes a seq2seq diffusion model, allowing more flexible token modifications. This approach preserves the semantic content of the original prompt while producing harmful content. Additionally, we leverage the Gumbel-Softmax technique to make the sampling process from the diffusion model's output distribution differentiable, eliminating the need for iterative token search. Extensive experiments on Advbench and Harmbench demonstrate that DiffusionAttacker outperforms previous methods across various evaluation metrics, including attack success rate (ASR), fluency, and diversity.
format Preprint
id arxiv_https___arxiv_org_abs_2412_17522
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle DiffusionAttacker: Diffusion-Driven Prompt Manipulation for LLM Jailbreak
Wang, Hao
Li, Hao
Zhu, Junda
Wang, Xinyuan
Pan, Chengwei
Huang, MinLie
Sha, Lei
Computation and Language
Large Language Models (LLMs) are susceptible to generating harmful content when prompted with carefully crafted inputs, a vulnerability known as LLM jailbreaking. As LLMs become more powerful, studying jailbreak methods is critical to enhancing security and aligning models with human values. Traditionally, jailbreak techniques have relied on suffix addition or prompt templates, but these methods suffer from limited attack diversity. This paper introduces DiffusionAttacker, an end-to-end generative approach for jailbreak rewriting inspired by diffusion models. Our method employs a sequence-to-sequence (seq2seq) text diffusion model as a generator, conditioning on the original prompt and guiding the denoising process with a novel attack loss. Unlike previous approaches that use autoregressive LLMs to generate jailbreak prompts, which limit the modification of already generated tokens and restrict the rewriting space, DiffusionAttacker utilizes a seq2seq diffusion model, allowing more flexible token modifications. This approach preserves the semantic content of the original prompt while producing harmful content. Additionally, we leverage the Gumbel-Softmax technique to make the sampling process from the diffusion model's output distribution differentiable, eliminating the need for iterative token search. Extensive experiments on Advbench and Harmbench demonstrate that DiffusionAttacker outperforms previous methods across various evaluation metrics, including attack success rate (ASR), fluency, and diversity.
title DiffusionAttacker: Diffusion-Driven Prompt Manipulation for LLM Jailbreak
topic Computation and Language
url https://arxiv.org/abs/2412.17522