Play Guessing Game with LLM: Indirect Jailbreak Attack with Implicit Clues

TL;DR

This paper introduces Puzzler, an indirect jailbreak attack on LLMs that uses implicit clues to bypass defenses, achieving high success rates and evading detection more effectively than existing methods.

Contribution

The paper presents Puzzler, a novel indirect jailbreak approach that leverages implicit clues to bypass LLM defenses and evade detection, outperforming baseline methods.

Findings

Puzzler achieves a 96.6% success rate on closed-source LLMs.

Puzzler outperforms baseline attacks by 57.9%-82.7%.

Puzzler effectively evades state-of-the-art jailbreak detection methods.

Abstract

With the development of LLMs, the security threats of LLMs are getting more and more attention. Numerous jailbreak attacks have been proposed to assess the security defense of LLMs. Current jailbreak attacks primarily utilize scenario camouflage techniques. However their explicitly mention of malicious intent will be easily recognized and defended by LLMs. In this paper, we propose an indirect jailbreak attack approach, Puzzler, which can bypass the LLM's defense strategy and obtain malicious response by implicitly providing LLMs with some clues about the original malicious query. In addition, inspired by the wisdom of "When unable to attack, defend" from Sun Tzu's Art of War, we adopt a defensive stance to gather clues about the original malicious query through LLMs. Extensive experimental results show that Puzzler achieves a query success rate of 96.6% on closed-source LLMs, which is 57.9%-82.7% higher than baselines. Furthermore, when tested against the state-of-the-art jailbreak detection approaches, Puzzler proves to be more effective at evading detection compared to baselines.