The Attacker Moves Second: Stronger Adaptive Attacks Bypass Defenses Against Llm Jailbreaks and Prompt Injections
This work addresses the critical issue of ensuring reliable and robust defenses for language models against adaptive attacks, which is essential for preventing harmful outputs and malicious actions in AI systems.
The paper tackled the problem of evaluating the robustness of language model defenses against jailbreaks and prompt injections by arguing that current evaluations are flawed and proposing to test against adaptive attackers. The result was that by systematically tuning and scaling optimization techniques, they bypassed 12 recent defenses with attack success rates above 90% for most, whereas the original defenses reported near-zero success rates.
How should we evaluate the robustness of language model defenses? Current defenses against jailbreaks and prompt injections (which aim to prevent an attacker from eliciting harmful knowledge or remotely triggering malicious actions, respectively) are typically evaluated either against a static set of harmful attack strings, or against computationally weak optimization methods that were not designed with the defense in mind. We argue that this evaluation process is flawed. Instead, we should evaluate defenses against adaptive attackers who explicitly modify their attack strategy to counter a defense's design while spending considerable resources to optimize their objective. By systematically tuning and scaling general optimization techniques-gradient descent, reinforcement learning, random search, and human-guided exploration-we bypass 12 recent defenses (based on a diverse set of techniques) with attack success rate above 90% for most; importantly, the majority of defenses originally reported near-zero attack success rates. We believe that future defense work must consider stronger attacks, such as the ones we describe, in order to make reliable and convincing claims of robustness.