Rapid Response: Mitigating LLM Jailbreaks with a Few Examples
Alwin Peng, Julian Michael, Henry Sleight, Ethan Perez, Mrinank Sharma
TL;DR
This paper introduces rapid response techniques to quickly adapt defenses against new jailbreak strategies in large language models, using minimal observed examples and proliferation of similar attacks.
Contribution
We develop RapidResponseBench and evaluate five methods that adapt defenses after observing few jailbreak examples, demonstrating significant reductions in attack success rates.
Findings
Fine-tuning classifiers reduces attack success by over 240x on in-distribution jailbreaks.
One observed example suffices to significantly improve robustness.
Proliferation quality and example count are key to defense effectiveness.
Abstract
As large language models (LLMs) grow more powerful, ensuring their safety against misuse becomes crucial. While researchers have focused on developing robust defenses, no method has yet achieved complete invulnerability to attacks. We propose an alternative approach: instead of seeking perfect adversarial robustness, we develop rapid response techniques to look to block whole classes of jailbreaks after observing only a handful of attacks. To study this setting, we develop RapidResponseBench, a benchmark that measures a defense's robustness against various jailbreak strategies after adapting to a few observed examples. We evaluate five rapid response methods, all of which use jailbreak proliferation, where we automatically generate additional jailbreaks similar to the examples observed. Our strongest method, which fine-tunes an input classifier to block proliferated jailbreaks, reduces…
Peer Reviews
Decision·Submitted to ICLR 2025
1. The paper approaches a very important and unexplored direction of post hoc response strategy to jailbreak attacks. 2. I appreciate the author's attempt at evaluating against out of distribution variants of the attacks. 3. The paper is well written and easy to follow.
1. **Incorrect way of reporting results**: Plotting the results as an average of three very different models can be misleading. The authors should show results for these models separately. 2. **Considered attacks are not adaptive enough**: When evaluating any defense, one needs to account for an adaptive adversary (preferably one that knows the details of the defense in place). Although, the authors attempt to account for minor variations in the attacks, it is not enough. Instead of a fixed mino
1. The paper is clearly written, with comprehensive descriptions of each attack type, defense strategy, and evaluation metric. 2. The new paradigm introduced in this paper, `Jailbreak Rapid Response`, is a significant departure from traditional adversarial robustness approaches. Given the rapid development of LLM research, the concept of responding rapidly to jailbreaks using limited examples is innovative and addresses a critical need in LLM security. 3. The authors promise in Section 7 that
1. The effectiveness of the rapid response methods heavily relies on the quality and quantity of proliferated examples. As seen in Figure 3, different proliferation models and varying proliferation attempts influence the final outcomes. Therefore, further exploration into the quality and quantity of proliferated examples, such as using different proliferation templates, could enhance the results. 2. The paper examines the effectiveness of five existing rapid response methods against six types o
1. The authors introduce a new approach to LLM jailbreak mitigation. Instead of creating robust defenses upfront, it offers a flexible response mechanism that adapts to emerging jailbreak strategies. 2. This paper is well-structured, detailing five different rapid response methods and meticulously evaluating each on in-distribution and out-of-distribution attack success rates.
1. While rapid response methods perform well with observed examples, their efficacy on truly novel attack types remains uncertain, particularly for out-of-distribution attacks that deviate substantially from observed jailbreak patterns. 2. Some rapid response techniques lead to increased refusal rates on benign queries, impacting user experience negatively. This side effect raises questions about balancing defense effectiveness with accessibility for non-malicious users. 3. The success of the
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsDigital and Cyber Forensics
MethodsSparse Evolutionary Training