Universal Jailbreak Suffixes Are Strong Attention Hijackers

TL;DR

This paper analyzes suffix-based jailbreak attacks on large language models, revealing that universal suffixes hijack attention more effectively and can be enhanced or mitigated with minimal computational overhead.

Contribution

It uncovers the mechanism behind the effectiveness of universal suffixes and demonstrates practical methods to improve or defend against such attacks.

Findings

Universal suffixes are more effective in hijacking attention.

Enhancing universality increases attack success up to 5 times.

Mitigation strategies can halve attack success with minimal utility loss.

Abstract

We study suffix-based jailbreaks$\unicode{x2013}$a powerful family of attacks against large language models (LLMs) that optimize adversarial suffixes to circumvent safety alignment. Focusing on the widely used foundational GCG attack, we observe that suffixes vary in efficacy: some are markedly more universal$\unicode{x2013}$generalizing to many unseen harmful instructions$\unicode{x2013}$than others. We first show that a shallow, critical mechanism drives GCG's effectiveness. This mechanism builds on the information flow from the adversarial suffix to the final chat template tokens before generation. Quantifying the dominance of this mechanism during generation, we find GCG irregularly and aggressively hijacks the contextualization process. Crucially, we tie hijacking to the universality phenomenon, with more universal suffixes being stronger hijackers. Subsequently, we show that these insights have practical implications: GCG's universality can be efficiently enhanced (up to $\times$5 in some cases) at no additional computational cost, and can also be surgically mitigated, at least halving the attack's success with minimal utility loss. We release our code and data at http://github.com/matanbt/interp-jailbreak.