Jailbreaking Large Language Models in Infinitely Many Ways
Oliver Goldstein, Emanuele La Malfa, Felix Drinkall, Samuele Marro, Michael Wooldridge

TL;DR
This paper introduces the 'Infinitely Many Paraphrases' (IMP) attacks, showing how the safeguards of advanced language models can be bypassed using paraphrasing and encoding techniques, which poses significant safety challenges.
Contribution
It identifies a new class of jailbreaks exploiting model capabilities and proposes initial defensive strategies against such attacks.
Findings
IMP attacks effectively bypass safety measures in state-of-the-art LLMs
Defense strategies in token and embedding space show promise
Highlights need for scalable guardrails as models advance
Abstract
We discuss the "Infinitely Many Paraphrases" attacks (IMP), a category of jailbreaks that leverages the increasing capabilities of a model to handle paraphrases and encoded communications to bypass their defensive mechanisms. IMPs' viability pairs and grows with a model's capabilities to handle and bind the semantics of simple mappings between tokens and work extremely well in practice, posing a concrete threat to the users of the most powerful LLMs in commerce. We show how one can bypass the safeguards of the most powerful open- and closed-source LLMs and generate content that explicitly violates their safety policies. One can protect against IMPs by improving the guardrails and making them scale with the LLMs' capabilities. For two categories of attacks that are straightforward to implement, i.e., bijection and encoding, we discuss two defensive strategies, one in token and the…
Taxonomy
Topics: Digital and Cyber Forensics · Natural Language Processing Techniques · Topic Modeling
