Baseline Defenses for Adversarial Attacks Against Aligned Language Models

TL;DR

This paper evaluates baseline defense strategies against adversarial attacks on large language models, analyzing their effectiveness, practicality, and the unique security challenges compared to computer vision.

Contribution

It provides a systematic evaluation of detection, preprocessing, and adversarial training defenses for LLMs, highlighting their strengths and limitations in various threat models.

Findings

Existing text optimizers are weak and costly, making adaptive attacks challenging.

Filtering and preprocessing defenses show promise in improving LLM robustness.

Further research needed to develop stronger optimizers or defenses in the LLM domain.

Abstract

As Large Language Models quickly become ubiquitous, it becomes critical to understand their security vulnerabilities. Recent work shows that text optimizers can produce jailbreaking prompts that bypass moderation and alignment. Drawing from the rich body of work on adversarial machine learning, we approach these attacks with three questions: What threat models are practically useful in this domain? How do baseline defense techniques perform in this new domain? How does LLM security differ from computer vision? We evaluate several baseline defense strategies against leading adversarial attacks on LLMs, discussing the various settings in which each is feasible and effective. Particularly, we look at three types of defenses: detection (perplexity based), input preprocessing (paraphrase and retokenization), and adversarial training. We discuss white-box and gray-box settings and discuss the robustness-performance trade-off for each of the defenses considered. We find that the weakness of existing discrete optimizers for text, combined with the relatively high costs of optimization, makes standard adaptive attacks more challenging for LLMs. Future research will be needed to uncover whether more powerful optimizers can be developed, or whether the strength of filtering and preprocessing defenses is greater in the LLMs domain than it has been in computer vision.