LLMs can be Dangerous Reasoners: Analyzing-based Jailbreak Attack on Large Language Models

TL;DR

This paper introduces a novel black-box attack method called Analyzing-based Jailbreak (ABJ) that manipulates the internal reasoning processes of large language and multimodal models to bypass safety measures, exposing significant safety vulnerabilities.

Contribution

It uncovers an underexplored threat vector by targeting models' reasoning chains and proposes a new attack method that demonstrates high success and transferability across various models.

Findings

ABJ achieves an 82.1% attack success rate on GPT-4.

ABJ effectively exploits multimodal reasoning capabilities.

The attack demonstrates high transferability and efficiency.

Abstract

The rapid development of Large Language Models (LLMs) has brought impressive advancements across various tasks. However, despite these achievements, LLMs still pose inherent safety risks, especially in the context of jailbreak attacks. Most existing jailbreak methods follow an input-level manipulation paradigm to bypass safety mechanisms. Yet, as alignment techniques improve, such attacks are becoming increasingly detectable. In this work, we identify an underexplored threat vector: the model's internal reasoning process, which can be manipulated to elicit harmful outputs in a more stealthy way. To explore this overlooked attack surface, we propose a novel black-box jailbreak attack method, Analyzing-based Jailbreak (ABJ). ABJ comprises two independent attack paths: textual and visual reasoning attacks, which exploit the model's multimodal reasoning capabilities to bypass safety mechanisms, comprehensively exposing vulnerabilities in its reasoning chain. We conduct extensive experiments on ABJ across various open-source and closed-source LLMs, VLMs, and RLMs. In particular, ABJ achieves high attack success rate (ASR) (82.1% on GPT-4o-2024-11-20) with exceptional attack efficiency (AE) among all target models, showcasing its remarkable attack effectiveness, transferability, and efficiency. Our work reveals a new type of safety risk and highlights the urgent need to mitigate implicit vulnerabilities in the model's reasoning process.