Large Language Models (LLMs) have surged in popularity in recent months, but they have demonstrated concerning capabilities to generate harmful content when manipulated. While techniques like safety fine-tuning aim to minimize harmful use, recent works have shown that LLMs remain vulnerable to attacks that elicit toxic responses. In this work, we introduce the Proxy-Guided Attack on LLMs (PAL), the first optimization-based attack on LLMs in a black-box query-only setting. In particular, it relies on a surrogate model to guide the optimization and a sophisticated loss designed for real-world LLM APIs. Our attack achieves 84% attack success rate (ASR) on GPT-3.5-Turbo and 48% on Llama-2-7B, compared to 4% for the current state of the art. We also propose GCG++, an improvement to the GCG attack that reaches 94% ASR on white-box Llama-2-7B, and the Random-Search Attack on LLMs (RAL), a strong but simple baseline for query-based attacks. We believe the techniques proposed in this work will enable more comprehensive safety testing of LLMs and, in the long term, the development of better security guardrails. The code can be found at https://github.com/chawins/pal.