FlipAttack: Jailbreak LLMs via Flipping

TL;DR

FlipAttack is a simple, universal jailbreak method that uses left-side noise and text-flipping techniques to effectively bypass guardrails in black-box LLMs with minimal queries.

Contribution

The paper introduces FlipAttack, a novel, stealthy attack method that exploits LLMs' left-to-right understanding to jailbreak models within one query.

Findings

Achieves ~98% success rate on GPT-4o.

Achieves ~98% bypass rate against 5 guardrail models.

Effective with only 1 query.

Abstract

This paper proposes a simple yet effective jailbreak attack named FlipAttack against black-box LLMs. First, from the autoregressive nature, we reveal that LLMs tend to understand the text from left to right and find that they struggle to comprehend the text when noise is added to the left side. Motivated by these insights, we propose to disguise the harmful prompt by constructing left-side noise merely based on the prompt itself, then generalize this idea to 4 flipping modes. Second, we verify the strong ability of LLMs to perform the text-flipping task, and then develop 4 variants to guide LLMs to denoise, understand, and execute harmful behaviors accurately. These designs keep FlipAttack universal, stealthy, and simple, allowing it to jailbreak black-box LLMs within only 1 query. Experiments on 8 LLMs demonstrate the superiority of FlipAttack. Remarkably, it achieves $\sim$98\% attack success rate on GPT-4o, and $\sim$98\% bypass rate against 5 guardrail models on average. The codes are available at GitHub\footnote{https://github.com/yueliu1999/FlipAttack}.