Jailbreaking ChatGPT via Prompt Engineering: An Empirical Study

TL;DR

This study empirically investigates how various prompt structures can bypass ChatGPT's content restrictions, analyzing prompt types, effectiveness, and model resilience across multiple scenarios.

Contribution

It classifies jailbreak prompts into ten patterns and three categories, evaluates their effectiveness on ChatGPT versions 3.5 and 4.0, and assesses model resistance.

Findings

Jailbreak prompts can bypass restrictions in 40 scenarios.

Ten distinct prompt patterns and three categories identified.

ChatGPT 4.0 shows some increased resilience.

Abstract

Large Language Models (LLMs), like ChatGPT, have demonstrated vast potential but also introduce challenges related to content constraints and potential misuse. Our study investigates three key research questions: (1) the number of different prompt types that can jailbreak LLMs, (2) the effectiveness of jailbreak prompts in circumventing LLM constraints, and (3) the resilience of ChatGPT against these jailbreak prompts. Initially, we develop a classification model to analyze the distribution of existing prompts, identifying ten distinct patterns and three categories of jailbreak prompts. Subsequently, we assess the jailbreak capability of prompts with ChatGPT versions 3.5 and 4.0, utilizing a dataset of 3,120 jailbreak questions across eight prohibited scenarios. Finally, we evaluate the resistance of ChatGPT against jailbreak prompts, finding that the prompts can consistently evade the restrictions in 40 use-case scenarios. The study underscores the importance of prompt structures in jailbreaking LLMs and discusses the challenges of robust jailbreak prompt generation and prevention.