Tree of Attacks: Jailbreaking Black-Box LLMs Automatically

TL;DR

This paper introduces TAP, an automated black-box attack method that efficiently generates prompts to jailbreak advanced LLMs, including those with guardrails, by using an attacker LLM to refine prompts and prune unlikely candidates, achieving high success rates.

Contribution

TAP is a novel automated approach that improves jailbreak success rates and reduces query counts by combining prompt refinement and pruning using an attacker LLM.

Findings

TAP achieves over 80% success in jailbreaking state-of-the-art LLMs.

TAP outperforms previous black-box methods in effectiveness and efficiency.

TAP can bypass guardrails like LlamaGuard successfully.

Abstract

While Large Language Models (LLMs) display versatile functionality, they continue to generate harmful, biased, and toxic content, as demonstrated by the prevalence of human-designed jailbreaks. In this work, we present Tree of Attacks with Pruning (TAP), an automated method for generating jailbreaks that only requires black-box access to the target LLM. TAP utilizes an attacker LLM to iteratively refine candidate (attack) prompts until one of the refined prompts jailbreaks the target. In addition, before sending prompts to the target, TAP assesses them and prunes the ones unlikely to result in jailbreaks, reducing the number of queries sent to the target LLM. In empirical evaluations, we observe that TAP generates prompts that jailbreak state-of-the-art LLMs (including GPT4-Turbo and GPT4o) for more than 80% of the prompts. This significantly improves upon the previous state-of-the-art black-box methods for generating jailbreaks while using a smaller number of queries than them. Furthermore, TAP is also capable of jailbreaking LLMs protected by state-of-the-art guardrails, e.g., LlamaGuard.