Large Language Models (LLMs) have revolutionized Artificial Intelligence (AI) services due to their exceptional proficiency in understanding and generating human-like text. LLM chatbots, in particular, have seen widespread adoption, transforming human-machine interactions. However, these LLM chatbots are susceptible to "jailbreak" attacks, where malicious users manipulate prompts to elicit inappropriate or sensitive responses, contravening service policies. Despite existing attempts to mitigate such threats, our research reveals a substantial gap in our understanding of these vulnerabilities, largely due to the undisclosed defensive measures implemented by LLM service providers. In this paper, we present Jailbreaker, a comprehensive framework that offers an in-depth understanding of jailbreak attacks and countermeasures. Our work makes a dual contribution. First, we propose an innovative methodology inspired by time-based SQL injection techniques to reverse-engineer the defensive strategies of prominent LLM chatbots, such as ChatGPT, Bard, and Bing Chat. This time-sensitive approach uncovers intricate details about these services' defenses, facilitating a proof-of-concept attack that successfully bypasses their mechanisms. Second, we introduce an automatic generation method for jailbreak prompts. Leveraging a fine-tuned LLM, we validate the potential of automated jailbreak generation across various commercial LLM chatbots. Our method achieves a promising average success rate of 21.58%, significantly outperforming the effectiveness of existing techniques. We have responsibly disclosed our findings to the concerned service providers, underscoring the urgent need for more robust defenses. Jailbreaker thus marks a significant step towards understanding and mitigating jailbreak threats in the realm of LLM chatbots.
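The abstract only says the defence-probing method is "inspired by time-based SQL injection", so here is what that kind of inference looks like in practice: a client that cannot see the provider's moderation pipeline measures how long a refusal takes to arrive and uses that timing as its oracle, exactly as a blind SQL injector uses `SLEEP()` latency. The block below is an added illustration written for this page, not code from the Jailbreaker paper or from any chatbot vendor. The simulated service, its keyword "classifier", and all latency constants are hypothetical; the only thing the example is meant to show is the inference logic, which asks whether the time-to-refusal grows with the requested answer length (a refusal produced only after the full answer was generated and then screened) or stays flat (the prompt was rejected before generation).

```python
"""Time-based side-channel inference of where a chatbot's hidden content filter runs.

Added illustration, not the paper's code. The service model is a hypothetical
stand-in: the provider's real classifier, latencies and pipeline are unknown.
"""
import random
from dataclasses import dataclass, field

REFUSAL = "I'm sorry, I can't help with that."


@dataclass
class SimulatedChatService:
    """Hypothetical chatbot whose moderation stage the client cannot see.

    filter_stage == "input":  a disallowed prompt is refused before any generation.
    filter_stage == "output": the model generates the whole answer first, the
                              screening pass then rejects it, so the refusal is late.
    """
    filter_stage: str
    seconds_per_token: float = 0.05   # assumed generation speed
    base_latency: float = 0.30        # assumed fixed network + queueing cost
    jitter: float = 0.05              # assumed symmetric timing noise
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def _is_disallowed(self, prompt: str) -> bool:
        # Toy keyword check standing in for the provider's real classifier.
        return "[disallowed]" in prompt.lower()

    def chat(self, prompt: str, requested_tokens: int) -> tuple[str, float]:
        """Return (reply, simulated wall-clock seconds until the reply arrived)."""
        elapsed = self.base_latency + self.rng.uniform(-self.jitter, self.jitter)
        if self._is_disallowed(prompt) and self.filter_stage == "input":
            return REFUSAL, elapsed                      # rejected up front, no generation
        elapsed += requested_tokens * self.seconds_per_token   # full answer generated
        if self._is_disallowed(prompt):
            return REFUSAL, elapsed                      # ...then screened and rejected
        return "word " * requested_tokens, elapsed


def _slope(xs: list[float], ys: list[float]) -> float:
    """Least-squares slope of ys against xs (seconds per requested token)."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)


def _timings(service, prompt, lengths, trials, expect_refusal):
    """Ask for the same content at several answer lengths and record latencies."""
    xs, ys = [], []
    for n in lengths:
        for _ in range(trials):
            reply, seconds = service.chat(f"{prompt} Answer in exactly {n} words.", n)
            if (reply == REFUSAL) != expect_refusal:
                raise RuntimeError("probe assumes a consistent refusal/allow decision")
            xs.append(n)
            ys.append(seconds)
    return xs, ys


def probe_filter_stage(service, disallowed_prompt, benign_prompt="Write a short poem.",
                       lengths=(50, 100, 200, 400, 800), trials=5):
    """Infer 'input' or 'output' filtering from time-to-refusal, like blind SQLi timing.

    The benign prompt calibrates the per-token generation cost; if refusals of the
    disallowed prompt show a comparable per-token cost, the answer was generated
    before it was rejected, i.e. the filter sits on the output side.
    """
    generation_cost = _slope(*_timings(service, benign_prompt, lengths, trials, False))
    refusal_cost = _slope(*_timings(service, disallowed_prompt, lengths, trials, True))
    stage = "output" if refusal_cost > 0.5 * generation_cost else "input"
    return stage, refusal_cost, generation_cost


if __name__ == "__main__":
    for stage in ("input", "output"):
        guess, refusal_cost, gen_cost = probe_filter_stage(
            SimulatedChatService(stage), "[disallowed] request")
        print(f"true={stage:6} inferred={guess:6} "
              f"refusal {refusal_cost:.4f} s/token vs generation {gen_cost:.4f} s/token")
```

Against a real service the same probe is noisier: rate limits, streaming, caching and load all move the baseline, so in practice you would take many more trials per length and calibrate the generation cost against the same session, as the benign prompt does here. The defensive reading is the mirror image: a provider that wants the filter placement to stay hidden has to make the refusal path cost the same regardless of where the decision is made.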