Round Trip Translation Defence against Large Language Model Jailbreaking Attacks
Canaan Yung, Hadi Mohaghegh Dolatabadi, Sarah Erfani, Christopher Leckie

TL;DR
This paper introduces the Round Trip Translation (RTT) method, a novel, lightweight algorithm that significantly improves defenses against social-engineered attacks on large language models, including PAIR and MathsAttack, by paraphrasing prompts.
Contribution
The paper presents the first RTT algorithm specifically designed to defend against social-engineered LLM attacks, achieving over 70% mitigation of PAIR attacks and reducing MathsAttack success by nearly 40%.
Findings
RTT mitigated over 70% of PAIR attacks.
RTT reduced MathsAttack success rate by almost 40%.
The method is versatile, lightweight, and transferable across different LLMs.
Abstract
Large language models (LLMs) are susceptible to social-engineered attacks that are human-interpretable but require a high level of comprehension for LLMs to counteract. Existing defensive measures can only mitigate less than half of these attacks at most. To address this issue, we propose the Round Trip Translation (RTT) method, the first algorithm specifically designed to defend against social-engineered attacks on LLMs. RTT paraphrases the adversarial prompt and generalizes the idea conveyed, making it easier for LLMs to detect induced harmful behavior. This method is versatile, lightweight, and transferable to different LLMs. Our defense successfully mitigated over 70% of Prompt Automatic Iterative Refinement (PAIR) attacks, which is currently the most effective defense to the best of our knowledge. We are also the first to attempt mitigating the MathsAttack and reduced its attack…
Taxonomy
Topics: Adversarial Robustness in Machine Learning
