Jailbreaking Large Language Models in Infinitely Many Ways
This addresses a critical safety issue for users of powerful commercial LLMs by exposing vulnerabilities that could lead to harmful content generation, though it is incremental as it builds on known jailbreaking techniques.
The paper tackles the problem of jailbreaking large language models (LLMs) through 'Infinitely Many Paraphrases' attacks, which exploit models' ability to handle paraphrases and encoded communications to bypass safety mechanisms, showing these attacks can generate content violating policies in powerful commercial LLMs. It proposes defensive strategies like improving guardrails and scaling them with model capabilities to mitigate such threats.
We discuss the ``Infinitely Many Paraphrases'' attacks (IMP), a category of jailbreaks that leverages the increasing capabilities of a model to handle paraphrases and encoded communications to bypass their defensive mechanisms. IMPs' viability pairs and grows with a model's capabilities to handle and bind the semantics of simple mappings between tokens and work extremely well in practice, posing a concrete threat to the users of the most powerful LLMs in commerce. We show how one can bypass the safeguards of the most powerful open- and closed-source LLMs and generate content that explicitly violates their safety policies. One can protect against IMPs by improving the guardrails and making them scale with the LLMs' capabilities. For two categories of attacks that are straightforward to implement, i.e., bijection and encoding, we discuss two defensive strategies, one in token and the other in embedding space. We conclude with some research questions we believe should be prioritised to enhance the defensive mechanisms of LLMs and our understanding of their safety.