LG | AI | CR | CV | Nov 21, 2024

GASP: Efficient Black-Box Generation of Adversarial Suffixes for Jailbreaking LLMs

arXiv:2411.14133v3 | 14 citations | h-index: 2
Originality: Incremental advance
AI Analysis

This paper addresses the vulnerability of LLMs to jailbreak attacks, offering an efficient automated solution for red-teaming, though it is incremental because it builds on existing optimization-based methods.

The paper tackles the problem of generating adversarial suffixes to jailbreak LLMs, introducing GASP, which improves jailbreak success rates, reduces training times, and accelerates inference speed compared to baselines.

LLMs have shown impressive capabilities across various natural language processing tasks, yet remain vulnerable to input prompts, known as jailbreak attacks, carefully designed to bypass safety guardrails and elicit harmful responses. Traditional methods rely on manual heuristics but suffer from limited generalizability. Despite being automatic, optimization-based attacks often produce unnatural prompts that can be easily detected by safety filters or require high computational costs due to discrete token optimization. In this paper, we introduce Generative Adversarial Suffix Prompter (GASP), a novel automated framework that can efficiently generate human-readable jailbreak prompts in a fully black-box setting. In particular, GASP leverages latent Bayesian optimization to craft adversarial suffixes by efficiently exploring continuous latent embedding spaces, gradually optimizing the suffix prompter to improve attack efficacy while balancing prompt coherence via a targeted iterative refinement procedure. Through comprehensive experiments, we show that GASP can produce natural adversarial prompts, significantly improving jailbreak success over baselines, reducing training times, and accelerating inference speed, thus making it an efficient and scalable solution for red-teaming LLMs.

Code Implementations: 1 repo