Exploiting the Index Gradients for Optimization-Based Jailbreaking on Large Language Models

TL;DR

This paper introduces MAGIC, a novel method that exploits index gradients to significantly accelerate optimization-based jailbreaking of large language models without sacrificing attack success rates.

Contribution

MAGIC addresses the bottleneck in GCG by leveraging suffix token gradients, enabling faster adversarial attacks on LLMs with comparable or higher success rates.

Findings

MAGIC achieves up to 1.5x speedup over GCG.

Maintains high attack success rates, e.g., 74% on Llama-2.

Effective transfer attacks on GPT-3.5.

Abstract

Despite the advancements in training Large Language Models (LLMs) with alignment techniques to enhance the safety of generated content, these models remain susceptible to jailbreak, an adversarial attack method that exposes security vulnerabilities in LLMs. Notably, the Greedy Coordinate Gradient (GCG) method has demonstrated the ability to automatically generate adversarial suffixes that jailbreak state-of-the-art LLMs. However, the optimization process involved in GCG is highly time-consuming, rendering the jailbreaking pipeline inefficient. In this paper, we investigate the process of GCG and identify an issue of Indirect Effect, the key bottleneck of the GCG optimization. To this end, we propose the Model Attack Gradient Index GCG (MAGIC), that addresses the Indirect Effect by exploiting the gradient information of the suffix tokens, thereby accelerating the procedure by having less computation and fewer iterations. Our experiments on AdvBench show that MAGIC achieves up to a 1.5x speedup, while maintaining Attack Success Rates (ASR) on par or even higher than other baselines. Our MAGIC achieved an ASR of 74% on the Llama-2 and an ASR of 54% when conducting transfer attacks on GPT-3.5. Code is available at https://github.com/jiah-li/magic.