Hijacking Large Language Models via Adversarial In-Context Learning

TL;DR

This paper reveals security vulnerabilities in large language models during in-context learning by introducing a novel adversarial prompt injection attack and proposing defense strategies to improve robustness.

Contribution

It presents a transferable, gradient-based prompt injection attack against ICL and introduces defense methods using clean demos to enhance LLM robustness.

Findings

The attack effectively hijacks LLM outputs across tasks.

Defense strategies significantly reduce attack success rate.

Experimental results validate the attack's transferability and defense effectiveness.

Abstract

In-context learning (ICL) has emerged as a powerful paradigm leveraging LLMs for specific downstream tasks by utilizing labeled examples as demonstrations (demos) in the preconditioned prompts. Despite its promising performance, crafted adversarial attacks pose a notable threat to the robustness of LLMs. Existing attacks are either easy to detect, require a trigger in user input, or lack specificity towards ICL. To address these issues, this work introduces a novel transferable prompt injection attack against ICL, aiming to hijack LLMs to generate the target output or elicit harmful responses. In our threat model, the hacker acts as a model publisher who leverages a gradient-based prompt search method to learn and append imperceptible adversarial suffixes to the in-context demos via prompt injection. We also propose effective defense strategies using a few shots of clean demos, enhancing the robustness of LLMs during ICL. Extensive experimental results across various classification and jailbreak tasks demonstrate the effectiveness of the proposed attack and defense strategies. This work highlights the significant security vulnerabilities of LLMs during ICL and underscores the need for further in-depth studies.