Beyond Suffixes: Token Position in GCG Adversarial Attacks on Large Language Models
This work addresses a critical blind spot in safety evaluations for LLMs, one that matters to developers and users concerned with model robustness, though it is incremental because it builds on existing GCG attack methods.
The paper tackles the problem of jailbreak attacks on large language models by investigating how the placement of adversarial tokens within prompts affects attack success, showing that optimizing for prefixes instead of suffixes and varying token positions can substantially influence attack success rates.
Large Language Models (LLMs) have seen widespread adoption across multiple domains, creating an urgent need for robust safety alignment mechanisms. However, robustness remains challenging due to jailbreak attacks that bypass alignment via adversarial prompts. In this work, we focus on the prevalent Greedy Coordinate Gradient (GCG) attack and identify a previously underexplored attack axis in jailbreak attacks typically framed as suffix-based: the placement of adversarial tokens within the prompt. Using GCG as a case study, we show that both optimizing attacks to generate prefixes instead of suffixes and varying adversarial token position during evaluation substantially influence attack success rates. Our findings highlight a critical blind spot in current safety evaluations and underline the need to account for the position of adversarial tokens in the adversarial robustness evaluation of LLMs.