TurboFuzzLLM: Turbocharging Mutation-based Fuzzing for Effectively Jailbreaking Large Language Models in Practice

TL;DR

TurboFuzzLLM is a mutation-based fuzzing method that efficiently generates jailbreaking prompts for large language models, achieving high success rates and improving model defenses against prompt-based attacks.

Contribution

The paper introduces TurboFuzzLLM, a novel mutation-based fuzzing technique with functional and efficiency improvements for automatic jailbreaking template generation.

Findings

Achieves ≥95% attack success rate on GPT-4 and GPT-4 Turbo.

Demonstrates strong generalizability to unseen harmful questions.

Helps improve defenses against prompt attacks.

Abstract

Jailbreaking large-language models (LLMs) involves testing their robustness against adversarial prompts and evaluating their ability to withstand prompt attacks that could elicit unauthorized or malicious responses. In this paper, we present TurboFuzzLLM, a mutation-based fuzzing technique for efficiently finding a collection of effective jailbreaking templates that, when combined with harmful questions, can lead a target LLM to produce harmful responses through black-box access via user prompts. We describe the limitations of directly applying existing template-based attacking techniques in practice, and present functional and efficiency-focused upgrades we added to mutation-based fuzzing to generate effective jailbreaking templates automatically. TurboFuzzLLM achieves $\geq$ 95\% attack success rates (ASR) on public datasets for leading LLMs (including GPT-4o \& GPT-4 Turbo), shows impressive generalizability to unseen harmful questions, and helps in improving model defenses to prompt attacks. TurboFuzzLLM is available open source at https://github.com/amazon-science/TurboFuzzLLM.