To ensure AI safety, instruction-tuned Large Language Models (LLMs) are specifically trained for alignment, which refers to making models behave in accordance with human intentions. While these models have demonstrated commendable results on various safety benchmarks, the vulnerability of their safety alignment has not been extensively studied. This is particularly troubling given the potential harm that LLMs can inflict. Existing attack methods on LLMs often rely on poisoned training data or the injection of malicious prompts. These approaches compromise the stealthiness and generalizability of the attacks, making them susceptible to detection. Additionally, these attacks often demand substantial computational resources to implement, making them less practical for real-world applications. In this work, we study a different attack scenario, called Trojan Activation Attack (TA^2), which injects trojan steering vectors into the activation layers of LLMs. These malicious steering vectors can be triggered at inference time to steer the models toward attacker-desired behaviors by manipulating their activations. Our experimental results on four primary alignment tasks show that TA^2 is highly effective and efficient, adding little or no overhead. Additionally, we discuss potential countermeasures against such activation attacks.
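The abstract's closing point, countermeasures against activation-level tampering, is the kind of thing a defender can make concrete: if steering vectors are added to a layer's activations at inference time, the tampered layer's hidden state is pushed off the distribution seen on known-benign inputs. The following is an added example, not code from the paper or its authors, sketching one such check in plain Python. It fits a per-layer, per-dimension mean/std profile from benign runs, calibrates a threshold from the worst benign score, and flags layers whose activation falls outside that envelope. The "activations" are constructed toy Gaussian vectors standing in for real LLM hidden states, and the `shifted_copy` helper only builds a test case by adding a constant offset to one layer; the layer count, dimensionality, margin and offset are all assumptions chosen for the demonstration.

```python
"""Added example (not from the paper): a defender-side check for
activation-space tampering, scored against a benign activation profile.
All activations here are constructed toy vectors, not real LLM hidden states."""
import math
import random
from typing import Dict, List, Tuple

Vector = List[float]
Run = Dict[int, Vector]                      # layer index -> activation vector for one prompt
Profile = Dict[int, Tuple[Vector, Vector]]   # layer index -> (mean, std) over benign runs


def build_profile(benign_runs: List[Run]) -> Profile:
    """Fit a per-layer, per-dimension mean/std from known-benign activations."""
    profile: Profile = {}
    for layer in benign_runs[0]:
        vecs = [run[layer] for run in benign_runs]
        dim = len(vecs[0])
        mean = [sum(v[d] for v in vecs) / len(vecs) for d in range(dim)]
        # 1e-6 floor keeps a constant dimension from causing a division by zero
        std = [math.sqrt(sum((v[d] - mean[d]) ** 2 for v in vecs) / len(vecs)) + 1e-6
               for d in range(dim)]
        profile[layer] = (mean, std)
    return profile


def layer_score(activation: Vector, mean: Vector, std: Vector) -> float:
    """Root-mean-square z-score: how many 'benign sigmas' the activation sits from the profile."""
    z2 = [((a - m) / s) ** 2 for a, m, s in zip(activation, mean, std)]
    return math.sqrt(sum(z2) / len(z2))


def calibrate_threshold(profile: Profile, benign_runs: List[Run], margin: float = 1.5) -> float:
    """Threshold = worst score observed on benign data, times a safety margin (assumed 1.5)."""
    worst = max(layer_score(run[layer], *profile[layer])
                for run in benign_runs for layer in profile)
    return worst * margin


def flag_layers(run: Run, profile: Profile, threshold: float) -> List[int]:
    """Return the layers whose activation falls outside the benign envelope."""
    return [layer for layer in profile
            if layer_score(run[layer], *profile[layer]) > threshold]


# ---- constructed toy data (assumed sizes; not real model dimensions) ----
N_LAYERS, DIM = 3, 8


def make_benign_runs(n: int, seed: int = 0) -> List[Run]:
    """Synthetic benign activations: standard-normal vectors per layer (constructed)."""
    rng = random.Random(seed)
    return [{layer: [rng.gauss(0.0, 1.0) for _ in range(DIM)] for layer in range(N_LAYERS)}
            for _ in range(n)]


def shifted_copy(run: Run, layer: int, offset: float) -> Run:
    """Test-case builder: copy a run and add a constant offset to one layer, mimicking
    the effect of an added vector on that layer's residual (hypothetical, for the demo)."""
    tampered = {l: list(v) for l, v in run.items()}
    tampered[layer] = [a + offset for a in tampered[layer]]
    return tampered


def demo(offset: float = 6.0) -> Tuple[List[int], List[int]]:
    """Returns (layers flagged on a held-out clean run, layers flagged on a copy with layer 1 shifted)."""
    benign = make_benign_runs(40)
    profile = build_profile(benign)
    threshold = calibrate_threshold(profile, benign)
    clean = make_benign_runs(1, seed=123)[0]   # held-out benign prompt, not used for fitting
    tampered = shifted_copy(clean, layer=1, offset=offset)
    return flag_layers(clean, profile, threshold), flag_layers(tampered, profile, threshold)


if __name__ == "__main__":
    print(demo())   # expected: ([], [1])
```

In a real deployment the benign profile would come from hidden states captured (for example via forward hooks) on a trusted copy of the model over a curated prompt set, and the per-layer score would be computed on the serving model's activations; a layer that consistently scores far outside the benign envelope is a signal to compare the serving model's weights and runtime hooks against the trusted reference. A diagonal z-score is deliberately simple; it catches a uniform offset well and misses tampering that stays inside the benign variance, so it is a first check rather than a complete defence.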