Large language models (LLMs) have recently achieved significant advances. Before an LLM is publicly released, extensive effort goes into aligning its behavior with human values; the primary goal of alignment is to make the model helpful, honest and harmless. However, even meticulously aligned LLMs remain vulnerable to malicious manipulation such as jailbreaking, which elicits unintended behavior. A jailbreak is a deliberately crafted malicious prompt that escapes the LLM's safety restrictions and makes it produce uncensored harmful content. Previous work has explored a range of jailbreak methods for red teaming LLMs, but these methods face challenges in effectiveness and scalability. In this work, we propose Tastle, a novel black-box jailbreak framework for automated red teaming of LLMs. Motivated by research on the distractibility and over-confidence of LLMs, we design malicious content concealing and memory reframing, combined with an iterative optimization algorithm, to jailbreak LLMs. Extensive experiments jailbreaking both open-source and proprietary LLMs demonstrate the superiority of our framework in effectiveness, scalability and transferability. We also evaluate existing jailbreak defense methods against our attack and highlight the pressing need to develop more effective and practical defense strategies.