When LLM Meets DRL: Advancing Jailbreaking Efficiency via DRL-guided Search

TL;DR

This paper introduces RLbreaker, a deep reinforcement learning-based method for black-box jailbreaking of large language models, significantly improving attack effectiveness and robustness over existing genetic algorithm approaches.

Contribution

The paper presents RLbreaker, a novel DRL-guided search framework with a custom reward and PPO algorithm, advancing jailbreaking attack efficiency and transferability.

Findings

RLbreaker outperforms existing attacks on six SOTA LLMs.

RLbreaker remains effective against three SOTA defenses.

Trained RL agents transfer across different LLMs.

Abstract

Recent studies developed jailbreaking attacks, which construct jailbreaking prompts to fool LLMs into responding to harmful questions. Early-stage jailbreaking attacks require access to model internals or significant human efforts. More advanced attacks utilize genetic algorithms for automatic and black-box attacks. However, the random nature of genetic algorithms significantly limits the effectiveness of these attacks. In this paper, we propose RLbreaker, a black-box jailbreaking attack driven by deep reinforcement learning (DRL). We model jailbreaking as a search problem and design an RL agent to guide the search, which is more effective and has less randomness than stochastic search, such as genetic algorithms. Specifically, we design a customized DRL system for the jailbreaking problem, including a novel reward function and a customized proximal policy optimization (PPO) algorithm. Through extensive experiments, we demonstrate that RLbreaker is much more effective than existing jailbreaking attacks against six state-of-the-art (SOTA) LLMs. We also show that RLbreaker is robust against three SOTA defenses and its trained agents can transfer across different LLMs. We further validate the key design choices of RLbreaker via a comprehensive ablation study.