VERA: Variational Inference Framework for Jailbreaking Large Language Models
Anamika Lochab, Lu Yan, Patrick Pynadath, Xiangyu Zhang, and Ruqi Zhang

TL;DR
VERA introduces a probabilistic inference framework that trains a small attacker model to generate diverse jailbreak prompts for large language models, improving efficiency and coverage over traditional methods.
Contribution
It presents a novel variational inference approach to black-box jailbreak prompt generation, enabling efficient, diverse attacks without re-optimization for each prompt.
Findings
VERA outperforms existing methods in jailbreak success rates.
The attacker model generalizes across different target LLMs.
VERA reduces the need for manual prompt curation.
Abstract
The rise of API-only access to state-of-the-art LLMs highlights the need for effective black-box jailbreak methods to identify model vulnerabilities in real-world settings. Without a principled objective for gradient-based optimization, most existing approaches rely on genetic algorithms, which are limited by their initialization and dependence on manually curated prompt pools. Furthermore, these methods require individual optimization for each prompt, failing to provide a comprehensive characterization of model vulnerabilities. To address this gap, we introduce VERA: Variational infErence fRamework for jAilbreaking. VERA casts black-box jailbreak prompting as a variational inference problem, training a small attacker LLM to approximate the target LLM's posterior over adversarial prompts. Once trained, the attacker can generate diverse, fluent jailbreak prompts for a target query…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Explainable Artificial Intelligence (XAI) · Topic Modeling
