PRP: Propagating Universal Perturbations to Attack Large Language Model Guard-Rails
This work addresses a critical security problem for AI safety by exposing weaknesses in current Guard Model defenses, highlighting the need for improved protections against harmful content generation.
The authors tackled the vulnerability of Guard Models in large language models to automated jailbreak attacks by introducing PRP, a two-step prefix-based attack that successfully bypassed defenses in both open-source and closed-source implementations, achieving high attack success rates without requiring access to the Guard Model.
Large language models (LLMs) are typically aligned to be harmless to humans. Unfortunately, recent work has shown that such models are susceptible to automated jailbreak attacks that induce them to generate harmful content. More recent LLMs often incorporate an additional layer of defense, a Guard Model, which is a second LLM that is designed to check and moderate the output response of the primary LLM. Our key contribution is to show a novel attack strategy, PRP, that is successful against several open-source (e.g., Llama 2) and closed-source (e.g., GPT 3.5) implementations of Guard Models. PRP leverages a two step prefix-based attack that operates by (a) constructing a universal adversarial prefix for the Guard Model, and (b) propagating this prefix to the response. We find that this procedure is effective across multiple threat models, including ones in which the adversary has no access to the Guard Model at all. Our work suggests that further advances are required on defenses and Guard Models before they can be considered effective.