Targeting Alignment: Extracting Safety Classifiers of Aligned LLMs

TL;DR

This paper introduces a method to extract surrogate safety classifiers from aligned LLMs, enabling more efficient jailbreak attacks and revealing vulnerabilities in safety alignment mechanisms.

Contribution

The paper presents a novel technique for extracting surrogate classifiers from LLMs to improve jailbreak attack efficiency and transferability, exposing alignment vulnerabilities.

Findings

Surrogate classifiers achieve over 80% F1 score with only 20% of the model.

Attacks on surrogate classifiers transfer effectively to the LLM.

Using surrogate classifiers reduces attack resource requirements significantly.

Abstract

Alignment in large language models (LLMs) is used to enforce guidelines such as safety. Yet, alignment fails in the face of jailbreak attacks that modify inputs to induce unsafe outputs. In this paper, we introduce and evaluate a new technique for jailbreak attacks. We observe that alignment embeds a safety classifier in the LLM responsible for deciding between refusal and compliance, and seek to extract an approximation of this classifier: a surrogate classifier. To this end, we build candidate classifiers from subsets of the LLM. We first evaluate the degree to which candidate classifiers approximate the LLM's safety classifier in benign and adversarial settings. Then, we attack the candidates and measure how well the resulting adversarial inputs transfer to the LLM. Our evaluation shows that the best candidates achieve accurate agreement (an F1 score above 80%) using as little as 20% of the model architecture. Further, we find that attacks mounted on the surrogate classifiers can be transferred to the LLM with high success. For example, a surrogate using only 50% of the Llama 2 model achieved an attack success rate (ASR) of 70% with half the memory footprint and runtime -- a substantial improvement over attacking the LLM directly, where we only observed a 22% ASR. These results show that extracting surrogate classifiers is an effective and efficient means for modeling (and therein addressing) the vulnerability of aligned models to jailbreaking attacks. The code is available at https://github.com/jcnf0/targeting-alignment.