Jailbreaking Large Language Models Against Moderation Guardrails via Cipher Characters
Haibo Jin, Andy Zhou, Joe D. Menke, Haohan Wang

TL;DR
This paper introduces JAMBench, a benchmark for evaluating LLM moderation guardrails, and proposes JAM, a novel jailbreak method that effectively bypasses both input and output filters, demonstrating significantly improved success rates.
Contribution
The paper presents JAMBench, a comprehensive benchmark for testing moderation guardrails, and introduces JAM, a new jailbreak technique that outperforms existing methods in bypassing safety measures.
Findings
JAM achieves a success rate roughly 19.88 times higher than the baselines.
JAM reduces the share of filtered-out responses to about one-sixth of the previous rates.
Experiments on four LLMs validate the effectiveness of JAM against moderation guardrails.
Abstract
Large Language Models (LLMs) are typically harmless but remain vulnerable to carefully crafted prompts known as "jailbreaks", which can bypass protective measures and induce harmful behavior. Recent advancements in LLMs have incorporated moderation guardrails that can filter outputs, which trigger processing errors for certain malicious questions. Existing red-teaming benchmarks often neglect to include questions that trigger moderation guardrails, making it difficult to evaluate jailbreak effectiveness. To address this issue, we introduce JAMBench, a harmful behavior benchmark designed to trigger and evaluate moderation guardrails. JAMBench involves 160 manually crafted instructions covering four major risk categories at multiple severity levels. Furthermore, we propose a jailbreak method, JAM (Jailbreak Against Moderation), designed to attack moderation guardrails using jailbreak…
Taxonomy
Topics: Cryptographic Implementations and Security · Hate Speech and Cyberbullying Detection · Adversarial Robustness in Machine Learning
