Jailbreak Distillation: Renewable Safety Benchmarking

TL;DR

Jailbreak Distillation (JBDistill) is a new framework that creates robust, updatable safety benchmarks for large language models by distilling jailbreak attacks, ensuring fair, reproducible, and effective safety evaluation across diverse models.

Contribution

We introduce JBDistill, a novel framework that efficiently constructs safety benchmarks by distilling jailbreak attacks, improving robustness, updateability, and fairness in safety evaluation of LLMs.

Findings

Benchmarks generalize well to 13 diverse models

Outperform existing safety benchmarks in effectiveness

Require minimal human effort for updates

Abstract

Large language models (LLMs) are rapidly deployed in critical applications, raising urgent needs for robust safety benchmarking. We propose Jailbreak Distillation (JBDistill), a novel benchmark construction framework that "distills" jailbreak attacks into high-quality and easily-updatable safety benchmarks. JBDistill utilizes a small set of development models and existing jailbreak attack algorithms to create a candidate prompt pool, then employs prompt selection algorithms to identify an effective subset of prompts as safety benchmarks. JBDistill addresses challenges in existing safety evaluation: the use of consistent evaluation prompts across models ensures fair comparisons and reproducibility. It requires minimal human effort to rerun the JBDistill pipeline and produce updated benchmarks, alleviating concerns on saturation and contamination. Extensive experiments demonstrate our benchmarks generalize robustly to 13 diverse evaluation models held out from benchmark construction, including proprietary, specialized, and newer-generation LLMs, significantly outperforming existing safety benchmarks in effectiveness while maintaining high separability and diversity. Our framework thus provides an effective, sustainable, and adaptable solution for streamlining safety evaluation.