AdaPPA: Adaptive Position Pre-Fill Jailbreak Attack Approach Targeting LLMs
This addresses security risks in LLMs for users and developers by enhancing jailbreak attacks, though it is incremental as it builds on existing attack methods.
The paper tackles jailbreak vulnerabilities in Large Language Models by proposing an adaptive position pre-fill attack approach that exploits differences in alignment protection across output stages, improving the attack success rate by 47% on Llama2 compared to existing methods.
Jailbreak vulnerabilities in Large Language Models (LLMs) refer to methods that extract malicious content from the model by carefully crafting prompts or suffixes, which has garnered significant attention from the research community. However, traditional attack methods, which primarily focus on the semantic level, are easily detected by the model. These methods overlook the difference in the model's alignment protection capabilities at different output stages. To address this issue, we propose an adaptive position pre-fill jailbreak attack approach for executing jailbreak attacks on LLMs. Our method leverages the model's instruction-following capabilities to first output pre-filled safe content, then exploits its narrative-shifting abilities to generate harmful content. Extensive black-box experiments demonstrate our method can improve the attack success rate by 47% on the widely recognized secure model (Llama2) compared to existing approaches. Our code can be found at: https://github.com/Yummy416/AdaPPA.