LatentBreak: Jailbreaking Large Language Models through Latent Space Feedback
This work addresses the challenge of bypassing safety mechanisms in LLMs, a topic of interest to security researchers; its contribution is incremental, as it builds on existing jailbreak techniques.
The authors tackle the problem of jailbreaking large language models by developing LatentBreak, a method that generates natural adversarial prompts with low perplexity in order to evade detection. It produces shorter and more effective prompts that outperform existing attacks against perplexity-based filters on safety-aligned models.
Jailbreaks are adversarial attacks designed to bypass the built-in safety mechanisms of large language models. Automated jailbreaks typically optimize an adversarial suffix or adapt long prompt templates by forcing the model to generate the initial part of a restricted or harmful response. In this work, we show that existing jailbreak attacks that leverage such mechanisms to unlock the model's response can be detected by straightforward perplexity-based filtering of the input prompt. To overcome this issue, we propose LatentBreak, a white-box jailbreak attack that generates natural adversarial prompts with low perplexity that are capable of evading such defenses. Instead of adding high-perplexity adversarial suffixes or long templates, LatentBreak substitutes words in the input prompt with semantically equivalent ones, preserving the original intent of the prompt. These words are chosen by minimizing the distance in the latent space between the representation of the adversarial prompt and that of harmless requests. Our extensive evaluation shows that LatentBreak leads to shorter, low-perplexity prompts and thus outperforms competing jailbreak algorithms against perplexity-based filters on multiple safety-aligned models.
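The abstract's two observations, that suffix- and template-based jailbreaks are caught by straightforward perplexity filtering of the input prompt while in-vocabulary word substitution is not, can be reproduced with a toy filter. The Python below is an added example, not code from the paper: it replaces the LLM's token probabilities with a smoothed bigram model trained on a constructed corpus of benign requests (an assumption so it runs offline), calibrates a rejection threshold on benign prompts, and goes beyond the abstract by also scoring a sliding window, since a whole-prompt average dilutes a short high-perplexity suffix.

```python
import math
from collections import Counter
# Constructed corpus of benign requests: a bigram LM trained on it stands in for the
# LLM a real perplexity filter would use to score prompts (assumption, keeps it offline).
CORPUS = """write a short poem about the sea
write a short story about a dog
explain how photosynthesis works
explain how a compiler works
summarize this article about the sea
compose a short poem about the moon
describe how a bicycle works"""

class BigramLM:
    def __init__(self, text, alpha=0.1):
        # Add-alpha smoothing; any word outside the vocabulary is mapped to <unk>.
        toks = text.lower().split()
        self.alpha, self.total = alpha, len(toks)
        self.vocab = set(toks) | {"<unk>"}
        self.uni = Counter(toks)
        self.bi = Counter(zip(toks, toks[1:]))
    def token_logprobs(self, prompt):
        """Per-token log P(tok | prev); the first token is scored by its unigram."""
        toks = [t if t in self.vocab else "<unk>" for t in prompt.lower().split()]
        av = self.alpha * len(self.vocab)
        lps = [math.log((self.uni[toks[0]] + self.alpha) / (self.total + av))]
        for prev, tok in zip(toks, toks[1:]):
            lps.append(math.log((self.bi[(prev, tok)] + self.alpha) / (self.uni[prev] + av)))
        return lps

def perplexity(lps):
    return math.exp(-sum(lps) / len(lps))

def max_window_perplexity(lps, window):
    """Worst perplexity over any `window` consecutive tokens (catches a short suffix)."""
    spans = [lps[i:i + window] for i in range(max(1, len(lps) - window + 1))]
    return max(perplexity(s) for s in spans)

def calibrate(lm, benign_prompts, window, margin=2.0):
    # Threshold = margin x the worst windowed perplexity observed on benign traffic.
    return margin * max(max_window_perplexity(lm.token_logprobs(p), window) for p in benign_prompts)

def flagged(lm, prompt, threshold, window=4):
    # Reject if the whole prompt or any window of it exceeds the calibrated threshold.
    lps = lm.token_logprobs(prompt)
    return perplexity(lps) > threshold or max_window_perplexity(lps, window) > threshold

LM = BigramLM(CORPUS)
BENIGN = ["write a short poem about the moon", "describe how a compiler works",
          "summarize this article about the moon"]  # constructed calibration traffic
THRESHOLD = calibrate(LM, BENIGN, window=4)
SUFFIXED = "write a short poem about the moon xq7 zzv plork vrk"  # constructed gibberish suffix
REPHRASED = "compose a short story about the sea"  # constructed in-vocabulary word swaps
```

With this model the gibberish suffix is rejected only by the windowed score, while the rephrased prompt scores like benign traffic, which is the gap the paper's attack exploits and why a perplexity filter should not be the sole defense.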