ASTPrompter: Preference-Aligned Automated Language Model Red-Teaming to Generate Low-Perplexity Unsafe Prompts

TL;DR

ASTPrompter introduces a novel red-teaming method for language models that generates low-perplexity, high-success prompts, revealing more realistic and impactful vulnerabilities while maintaining low detectability.

Contribution

It presents a contrastive preference learning approach for low-perplexity prompt generation, significantly improving attack success rates and transferability across models.

Findings

Achieves 5.1x higher attack success rate on Llama-8.1B.

Generates prompts 2.1x more likely to occur naturally.

Transfers effectively to multiple other LLMs.

Abstract

Existing LLM red-teaming approaches prioritize high attack success rate, often resulting in high-perplexity prompts. This focus overlooks low-perplexity attacks that are more difficult to filter, more likely to arise during benign usage, and more impactful as negative downstream training examples. In response, we introduce ASTPrompter, a single-step optimization method that uses contrastive preference learning to train an attacker to maintain low perplexity while achieving a high attack success rate (ASR). ASTPrompter achieves an attack success rate 5.1 times higher on Llama-8.1B while using inputs that are 2.1 times more likely to occur according to the frozen LLM. Furthermore, our attack transfers to Mistral-7B, Qwen-7B, and TinyLlama in both black- and white-box settings. Lastly, by tuning a single hyperparameter in our method, we discover successful attack prefixes along an efficient frontier between ASR and perplexity, highlighting perplexity as a previously under-considered factor in red-teaming.