CCJA: Context-Coherent Jailbreak Attack for Aligned Large Language Models

TL;DR

This paper introduces CCJA, a novel optimization-based method for generating context-coherent jailbreak prompts for large language models, significantly improving attack success rates while maintaining semantic consistency.

Contribution

It presents a new embedding-space optimization approach for jailbreak attacks that balances success rate and semantic coherence, advancing security evaluation of open-source LLMs.

Findings

CCJA outperforms state-of-the-art baselines in attack effectiveness.

Integrating CCJA prompts enhances success rates against commercial LLMs.

Open-source LLM vulnerabilities pose threats to closed-source models.

Abstract

Despite explicit alignment efforts for large language models (LLMs), they can still be exploited to trigger unintended behaviors, a phenomenon known as "jailbreaking." Current jailbreak attack methods mainly focus on discrete prompt manipulations targeting closed-source LLMs, relying on manually crafted prompt templates and persuasion rules. However, as the capabilities of open-source LLMs improve, ensuring their safety becomes increasingly crucial. In such an environment, the accessibility of model parameters and gradient information by potential attackers exacerbates the severity of jailbreak threats. To address this research gap, we propose a novel \underline{C}ontext-\underline{C}oherent \underline{J}ailbreak \underline{A}ttack (CCJA). We define jailbreak attacks as an optimization problem within the embedding space of masked language models. Through combinatorial optimization, we effectively balance the jailbreak attack success rate with semantic coherence. Extensive evaluations show that our method not only maintains semantic consistency but also surpasses state-of-the-art baselines in attack effectiveness. Additionally, by integrating semantically coherent jailbreak prompts generated by our method into widely used black-box methodologies, we observe a notable enhancement in their success rates when targeting closed-source commercial LLMs. This highlights the security threat posed by open-source LLMs to commercial counterparts. We will open-source our code if the paper is accepted.