Reinforcement Learning from Human Feedback (RLHF) is used to align large language models to produce helpful and harmless responses. Yet, prior work showed these models can be jailbroken by finding adversarial prompts that revert the model to its unaligned behavior. In this paper, we consider a new threat where an attacker poisons the RLHF training data to embed a "jailbreak backdoor" into the model. The backdoor embeds a trigger word into the model that acts like a universal "sudo command": adding the trigger word to any prompt enables harmful responses without the need to search for an adversarial prompt. Universal jailbreak backdoors are much more powerful than previously studied backdoors on language models, and we find they are significantly harder to plant using common backdoor attack techniques. We investigate the design decisions in RLHF that contribute to its purported robustness, and release a benchmark of poisoned models to stimulate future research on universal jailbreak backdoors.

翻译：摘要：基于人类反馈的强化学习（RLHF）被用于对齐大型语言模型，使其生成有用且无害的响应。然而，先前的研究表明，这些模型可通过寻找对抗性提示（adversarial prompts）被越狱，从而恢复其未对齐行为。本文考虑一种新型威胁：攻击者对RLHF训练数据进行投毒，在模型中嵌入“越狱后门”。该后门在模型中植入一个触发词，其作用类似通用“sudo命令”：将触发词添加到任意提示中即可生成有害响应，而无需寻找对抗性提示。通用越狱后门比先前研究的语言模型后门更为强大，且我们发现使用常见后门攻击技术植入此类后门难度显著更高。本文探究了RLHF中促成其所谓鲁棒性的设计决策，并发布了一个被投毒模型的基准数据集，以激励未来对通用越狱后门的进一步研究。