Don't Say No: Jailbreaking LLM by Suppressing Refusal

TL;DR

This paper introduces DSN, a novel attack method that effectively jailbreaks LLMs by suppressing refusal, outperforming existing methods in success rate and transferability across models and datasets.

Contribution

The study identifies limitations of existing attack methods and proposes DSN, a new approach combining cosine decay and refusal suppression to enhance attack success and universality.

Findings

DSN achieves higher success rates than baseline attacks.

DSN demonstrates strong transferability to unseen datasets and black-box models.

The proposed enhancements improve the effectiveness of jailbreaking LLMs.

Abstract

Ensuring the safety alignment of Large Language Models (LLMs) is critical for generating responses consistent with human values. However, LLMs remain vulnerable to jailbreaking attacks, where carefully crafted prompts manipulate them into producing toxic content. One category of such attacks reformulates the task as an optimization problem, aiming to elicit affirmative responses from the LLM. However, these methods heavily rely on predefined objectionable behaviors, limiting their effectiveness and adaptability to diverse harmful queries. In this study, we first identify why the vanilla target loss is suboptimal and then propose enhancements to the loss objective. We introduce DSN (Don't Say No) attack, which combines a cosine decay schedule method with refusal suppression to achieve higher success rates. Extensive experiments demonstrate that DSN outperforms baseline attacks and achieves state-of-the-art attack success rates (ASR). DSN also shows strong universality and transferability to unseen datasets and black-box models.