Bibliographic Details
Main Authors: Li, Xitao, Wang, Haijun, Wu, Jiang, Liu, Ting
Format: Preprint
Published: 2025
Online Access: https://arxiv.org/abs/2504.05689
author Li, Xitao
Wang, Haijun
Wu, Jiang
Liu, Ting
contents Conversational large language models (LLMs) have gained widespread attention due to their instruction-following capabilities. To ensure conversational LLMs follow instructions, role separators are employed to distinguish between different participants in a conversation. However, incorporating role separators introduces potential vulnerabilities. Misusing roles can lead to prompt injection attacks, which can easily misalign the model's behavior with the user's intentions, raising significant security concerns. Although various prompt injection attacks have been proposed, recent research has largely overlooked the impact of role separators on safety. This highlights the critical need to thoroughly understand the systemic weaknesses in dialogue systems caused by role separators. This paper identifies modeling weaknesses caused by role separators. Specifically, we observe a strong positional bias associated with role separators, which is inherent in the format of dialogue modeling and can be triggered by the insertion of role separators. We further develop the Separators Injection Attack (SIA), a new orthometric attack based on role separators. The experiment results show that SIA is efficient and extensive in manipulating model behavior with an average gain of 18.2% for manual methods and enhances the attack success rate to 100% with automatic methods.
format Preprint
id arxiv_https___arxiv_org_abs_2504_05689
institution arXiv
publishDate 2025
record_format arxiv
title Separator Injection Attack: Uncovering Dialogue Biases in Large Language Models Caused by Role Separators
topic Computation and Language
Cryptography and Security
url https://arxiv.org/abs/2504.05689