Imposter.AI: Adversarial Attacks with Hidden Intentions towards Aligned Large Language Models
This work addresses a critical vulnerability in LLM safety for developers and users, highlighting a novel attack mechanism that could undermine existing safety measures.
The paper tackles the problem of extracting harmful information from aligned large language models (LLMs) by introducing an adversarial attack method that uses human conversation strategies, such as decomposing and rewriting questions, and demonstrates marked efficacy on models like GPT-3.5-turbo, GPT-4, and Llama2 compared to conventional methods.
With the development of large language models (LLMs) like ChatGPT, both their vast applications and potential vulnerabilities have come to the forefront. While developers have integrated multiple safety mechanisms to mitigate their misuse, a risk remains, particularly when models encounter adversarial inputs. This study unveils an attack mechanism that capitalizes on human conversation strategies to extract harmful information from LLMs. We delineate three pivotal strategies: (i) decomposing malicious questions into seemingly innocent sub-questions; (ii) rewriting overtly malicious questions into more covert, benign-sounding ones; (iii) enhancing the harmfulness of responses by prompting models for illustrative examples. Unlike conventional methods that target explicit malicious responses, our approach delves deeper into the nature of the information provided in responses. Through our experiments conducted on GPT-3.5-turbo, GPT-4, and Llama2, our method has demonstrated a marked efficacy compared to conventional attack methods. In summary, this work introduces a novel attack method that outperforms previous approaches, raising an important question: How to discern whether the ultimate intent in a dialogue is malicious?