Can Large Language Models Automatically Jailbreak GPT-4V?

TL;DR

This paper introduces AutoJailbreak, an automated prompt optimization method using LLMs to effectively exploit GPT-4V vulnerabilities, achieving over 95% success rate and highlighting security concerns.

Contribution

The study presents a novel automatic jailbreak technique leveraging LLMs for prompt refinement, improving efficiency and success rate over traditional methods.

Findings

AutoJailbreak achieves over 95.3% attack success rate.

The method significantly outperforms conventional jailbreak approaches.

Efficient search with early stopping reduces optimization time.

Abstract

GPT-4V has attracted considerable attention due to its extraordinary capacity for integrating and processing multimodal information. At the same time, its ability of face recognition raises new safety concerns of privacy leakage. Despite researchers' efforts in safety alignment through RLHF or preprocessing filters, vulnerabilities might still be exploited. In our study, we introduce AutoJailbreak, an innovative automatic jailbreak technique inspired by prompt optimization. We leverage Large Language Models (LLMs) for red-teaming to refine the jailbreak prompt and employ weak-to-strong in-context learning prompts to boost efficiency. Furthermore, we present an effective search method that incorporates early stopping to minimize optimization time and token expenditure. Our experiments demonstrate that AutoJailbreak significantly surpasses conventional methods, achieving an Attack Success Rate (ASR) exceeding 95.3\%. This research sheds light on strengthening GPT-4V security, underscoring the potential for LLMs to be exploited in compromising GPT-4V integrity.