Jailbreaking? One Step Is Enough!

TL;DR

This paper introduces REDA, a novel attack method that disguises harmful prompts as defensive responses, enabling effective, cross-model jailbreak attacks in a single step without redesigning for each model.

Contribution

REDA is a new attack mechanism that disguises harmful content as defense, allowing one-step, cross-model jailbreaks without needing to redesign attacks for different models.

Findings

REDA enables successful jailbreaks in one iteration.

It works across multiple models without redesign.

It outperforms existing jailbreak methods.

Abstract

Large language models (LLMs) excel in various tasks but remain vulnerable to jailbreak attacks, where adversaries manipulate prompts to generate harmful outputs. Examining jailbreak prompts helps uncover the shortcomings of LLMs. However, current jailbreak methods and the target model's defenses are engaged in an independent and adversarial process, resulting in the need for frequent attack iterations and redesigning attacks for different models. To address these gaps, we propose a Reverse Embedded Defense Attack (REDA) mechanism that disguises the attack intention as the "defense". intention against harmful content. Specifically, REDA starts from the target response, guiding the model to embed harmful content within its defensive measures, thereby relegating harmful content to a secondary role and making the model believe it is performing a defensive task. The attacking model considers that it is guiding the target model to deal with harmful content, while the target model thinks it is performing a defensive task, creating an illusion of cooperation between the two. Additionally, to enhance the model's confidence and guidance in "defensive" intentions, we adopt in-context learning (ICL) with a small number of attack examples and construct a corresponding dataset of attack examples. Extensive evaluations demonstrate that the REDA method enables cross-model attacks without the need to redesign attack strategies for different models, enables successful jailbreak in one iteration, and outperforms existing methods on both open-source and closed-source models.