Na'vi or Knave: Jailbreaking Language Models via Metaphorical Avatars

TL;DR

This paper introduces AVATAR, a novel metaphor-based attack framework that exploits LLMs' imaginative abilities to bypass safety measures, revealing a significant security vulnerability and achieving high success rates across multiple models.

Contribution

The study presents AVATAR, the first framework leveraging metaphorical avatars to effectively jailbreak LLMs, exposing their vulnerability to adversarial metaphors and highlighting the need for improved defenses.

Findings

AVATAR achieves state-of-the-art attack success rates.

It demonstrates the transferability of metaphor-based jailbreaks.

The study reveals inherent vulnerabilities in LLMs' imaginative capabilities.

Abstract

Metaphor serves as an implicit approach to convey information, while enabling the generalized comprehension of complex subjects. However, metaphor can potentially be exploited to bypass the safety alignment mechanisms of Large Language Models (LLMs), leading to the theft of harmful knowledge. In our study, we introduce a novel attack framework that exploits the imaginative capacity of LLMs to achieve jailbreaking, the J\underline{\textbf{A}}ilbreak \underline{\textbf{V}}ia \underline{\textbf{A}}dversarial Me\underline{\textbf{TA}} -pho\underline{\textbf{R}} (\textit{AVATAR}). Specifically, to elicit the harmful response, AVATAR extracts harmful entities from a given harmful target and maps them to innocuous adversarial entities based on LLM's imagination. Then, according to these metaphors, the harmful target is nested within human-like interaction for jailbreaking adaptively. Experimental results demonstrate that AVATAR can effectively and transferablly jailbreak LLMs and achieve a state-of-the-art attack success rate across multiple advanced LLMs. Our study exposes a security risk in LLMs from their endogenous imaginative capabilities. Furthermore, the analytical study reveals the vulnerability of LLM to adversarial metaphors and the necessity of developing defense methods against jailbreaking caused by the adversarial metaphor. \textcolor{orange}{ \textbf{Warning: This paper contains potentially harmful content from LLMs.}}