StructuralSleight: Automated Jailbreak Attacks on Large Language Models Utilizing Uncommon Text-Organization Structures

TL;DR

This paper introduces StructuralSleight, a novel attack method exploiting uncommon text-organization structures to effectively jailbreak large language models, achieving high success rates especially on GPT-4o.

Contribution

It presents a new structure-level attack approach using UTOS templates and obfuscation methods, significantly improving attack success over existing techniques.

Findings

Achieves 94.62% success rate on GPT-4o

Outperforms baseline attack methods

Effectively exploits prompt structure for jailbreaks

Abstract

Large Language Models (LLMs) are widely used in natural language processing but face the risk of jailbreak attacks that maliciously induce them to generate harmful content. Existing jailbreak attacks, including character-level and context-level attacks, mainly focus on the prompt of plain text without specifically exploring the significant influence of its structure. In this paper, we focus on studying how the prompt structure contributes to the jailbreak attack. We introduce a novel structure-level attack method based on long-tailed structures, which we refer to as Uncommon Text-Organization Structures (UTOS). We extensively study 12 UTOS templates and 6 obfuscation methods to build an effective automated jailbreak tool named StructuralSleight that contains three escalating attack strategies: Structural Attack, Structural and Character/Context Obfuscation Attack, and Fully Obfuscated Structural Attack. Extensive experiments on existing LLMs show that StructuralSleight significantly outperforms the baseline methods. In particular, the attack success rate reaches 94.62\% on GPT-4o, which has not been addressed by state-of-the-art techniques.