PANDAS: Improving Many-shot Jailbreaking via Positive Affirmation, Negative Demonstration, and Adaptive Sampling

TL;DR

This paper introduces PANDAS, a hybrid method that enhances many-shot jailbreaking of large language models by using positive affirmations, negative demonstrations, and adaptive sampling to better exploit long-context vulnerabilities.

Contribution

The paper proposes PANDAS, a novel approach combining multiple techniques to improve the effectiveness of jailbreaking LLMs in long-context scenarios, and introduces the ManyHarm dataset for evaluation.

Findings

PANDAS significantly outperforms baseline methods in experiments.

Attention analysis reveals how long-context vulnerabilities are exploited.

PANDAS further improves upon existing jailbreaking techniques.

Abstract

Many-shot jailbreaking circumvents the safety alignment of LLMs by exploiting their ability to process long input sequences. To achieve this, the malicious target prompt is prefixed with hundreds of fabricated conversational exchanges between the user and the model. These exchanges are randomly sampled from a pool of unsafe question-answer pairs, making it appear as though the model has already complied with harmful instructions. In this paper, we present PANDAS: a hybrid technique that improves many-shot jailbreaking by modifying these fabricated dialogues with Positive Affirmations, Negative Demonstrations, and an optimized Adaptive Sampling method tailored to the target prompt's topic. We also introduce ManyHarm, a dataset of harmful question-answer pairs, and demonstrate through extensive experiments that PANDAS significantly outperforms baseline methods in long-context scenarios. Through attention analysis, we provide insights into how long-context vulnerabilities are exploited and show how PANDAS further improves upon many-shot jailbreaking.