Improved Techniques for Optimization-Based Jailbreaking on Large Language Models

TL;DR

This paper introduces improved optimization-based techniques for jailbreaking large language models, significantly increasing attack success rates by diversifying templates and optimizing update strategies, thus advancing safety testing methods.

Contribution

The paper proposes novel empirical improvements to GCG, including diverse target templates and adaptive multi-coordinate updates, resulting in a more effective jailbreak method called I-GCG.

Findings

Achieves nearly 100% attack success rate on benchmarks

Outperforms state-of-the-art jailbreaking attacks

Demonstrates effectiveness of diversified templates and adaptive strategies

Abstract

Large language models (LLMs) are being rapidly developed, and a key component of their widespread deployment is their safety-related alignment. Many red-teaming efforts aim to jailbreak LLMs, where among these efforts, the Greedy Coordinate Gradient (GCG) attack's success has led to a growing interest in the study of optimization-based jailbreaking techniques. Although GCG is a significant milestone, its attacking efficiency remains unsatisfactory. In this paper, we present several improved (empirical) techniques for optimization-based jailbreaks like GCG. We first observe that the single target template of "Sure" largely limits the attacking performance of GCG; given this, we propose to apply diverse target templates containing harmful self-suggestion and/or guidance to mislead LLMs. Besides, from the optimization aspects, we propose an automatic multi-coordinate updating strategy in GCG (i.e., adaptively deciding how many tokens to replace in each step) to accelerate convergence, as well as tricks like easy-to-hard initialisation. Then, we combine these improved technologies to develop an efficient jailbreak method, dubbed I-GCG. In our experiments, we evaluate on a series of benchmarks (such as NeurIPS 2023 Red Teaming Track). The results demonstrate that our improved techniques can help GCG outperform state-of-the-art jailbreaking attacks and achieve nearly 100% attack success rate. The code is released at https://github.com/jiaxiaojunQAQ/I-GCG.