You Can't Eat Your Cake and Have It Too: The Performance Degradation of LLMs with Jailbreak Defense

TL;DR

This paper investigates how jailbreak defenses impact the performance and safety of large language models, revealing that current strategies often compromise utility and that developers tend to prioritize performance over safety.

Contribution

The study introduces USEBench and USEIndex to evaluate safety-performance trade-offs and provides a comprehensive analysis of defense strategies across multiple LLMs.

Findings

Mainstream defenses often fail to balance safety and performance.

Model fine-tuning offers the best overall safety-performance trade-off.

Developers tend to prioritize performance over safety during model iteration.

Abstract

With the rise of generative large language models (LLMs) like LLaMA and ChatGPT, these models have significantly transformed daily life and work by providing advanced insights. However, as jailbreak attacks continue to circumvent built-in safety mechanisms, exploiting carefully crafted scenarios or tokens, the safety risks of LLMs have come into focus. While numerous defense strategies--such as prompt detection, modification, and model fine-tuning--have been proposed to counter these attacks, a critical question arises: do these defenses compromise the utility and usability of LLMs for legitimate users? Existing research predominantly focuses on the effectiveness of defense strategies without thoroughly examining their impact on performance, leaving a gap in understanding the trade-offs between LLM safety and performance. Our research addresses this gap by conducting a comprehensive study on the utility degradation, safety elevation, and exaggerated-safety escalation of LLMs with jailbreak defense strategies. We propose USEBench, a novel benchmark designed to evaluate these aspects, along with USEIndex, a comprehensive metric for assessing overall model performance. Through experiments on seven state-of-the-art LLMs, we found that mainstream jailbreak defenses fail to ensure both safety and performance simultaneously. Although model-finetuning performs the best overall, their effectiveness varies across LLMs. Furthermore, vertical comparisons reveal that developers commonly prioritize performance over safety when iterating or fine-tuning their LLMs.