Jailbroken: How Does LLM Safety Training Fail?
Alexander Wei, Nika Haghtalab, Jacob Steinhardt

TL;DR
This paper investigates why large language models' safety training fails to prevent adversarial jailbreaks, identifying key failure modes and demonstrating persistent vulnerabilities even in state-of-the-art models like GPT-4 and Claude v1.3.
Contribution
It introduces two failure modes of safety training—competing objectives and mismatched generalization—and evaluates their impact on model vulnerabilities against new and existing jailbreak attacks.
Findings
Vulnerabilities persist despite extensive safety training.
New attacks exploiting failure modes succeed on all tested prompts.
Safety mechanisms need to match model capabilities for effective safety.
Abstract
Large language models trained for safety and harmlessness remain susceptible to adversarial misuse, as evidenced by the prevalence of "jailbreak" attacks on early releases of ChatGPT that elicit undesired behavior. Going beyond recognition of the issue, we investigate why such attacks succeed and how they can be created. We hypothesize two failure modes of safety training: competing objectives and mismatched generalization. Competing objectives arise when a model's capabilities and safety goals conflict, while mismatched generalization occurs when safety training fails to generalize to a domain for which capabilities exist. We use these failure modes to guide jailbreak design and then evaluate state-of-the-art models, including OpenAI's GPT-4 and Anthropic's Claude v1.3, against both existing and newly designed attacks. We find that vulnerabilities persist despite the extensive…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Artificial Intelligence in Healthcare and Education · Ethics and Social Impacts of AI
Methods: Multi-Head Attention · Attention Is All You Need · Dense Connections · Dropout · Byte Pair Encoding · Softmax · Layer Normalization · Position-Wise Feed-Forward Layer · Linear Layer · Absolute Position Encodings
