Jailbreaking LLMs with Arabic Transliteration and Arabizi

TL;DR

This paper explores how Arabic transliteration and Arabizi can be used to bypass safety measures in large language models, revealing vulnerabilities that are less apparent in standard Arabic prompts.

Contribution

It demonstrates that Arabic transliteration and Arabizi can effectively jailbreak LLMs, highlighting a new avenue for assessing and improving model safety across diverse language forms.

Findings

Unsafe content generated with transliteration and Arabizi

Standard Arabic prompts remained safe against manipulation

Models show increased vulnerability with non-standard language forms

Abstract

This study identifies the potential vulnerabilities of Large Language Models (LLMs) to 'jailbreak' attacks, specifically focusing on the Arabic language and its various forms. While most research has concentrated on English-based prompt manipulation, our investigation broadens the scope to investigate the Arabic language. We initially tested the AdvBench benchmark in Standardized Arabic, finding that even with prompt manipulation techniques like prefix injection, it was insufficient to provoke LLMs into generating unsafe content. However, when using Arabic transliteration and chatspeak (or arabizi), we found that unsafe content could be produced on platforms like OpenAI GPT-4 and Anthropic Claude 3 Sonnet. Our findings suggest that using Arabic and its various forms could expose information that might remain hidden, potentially increasing the risk of jailbreak attacks. We hypothesize that this exposure could be due to the model's learned connection to specific words, highlighting the need for more comprehensive safety training across all language forms.