Recently, Anil et al. (2024) show that many-shot (up to hundreds of) demonstrations can jailbreak state-of-the-art LLMs by exploiting their long-context capability. Nevertheless, is it possible to use few-shot demonstrations to efficiently jailbreak LLMs within limited context sizes? While the vanilla few-shot jailbreaking may be inefficient, we propose improved techniques such as injecting special system tokens like [/INST] and employing demo-level random search from a collected demo pool. These simple techniques result in surprisingly effective jailbreaking against aligned LLMs (even with advanced defenses). For examples, our method achieves >80% (mostly >95%) ASRs on Llama-2-7B and Llama-3-8B without multiple restarts, even if the models are enhanced by strong defenses such as perplexity detection and/or SmoothLLM, which is challenging for suffix-based jailbreaking. In addition, we conduct comprehensive and elaborate (e.g., making sure to use correct system prompts) evaluations against other aligned LLMs and advanced defenses, where our method consistently achieves nearly 100% ASRs. Our code is available at https://github.com/sail-sg/I-FSJ.
翻译:近期,Anil等人(2024)的研究表明,通过利用大语言模型的长上下文能力,多样本(可达数百个)演示能够对最先进的大语言模型实现越狱。然而,是否可能使用少样本演示在有限上下文长度内高效地实现大语言模型越狱?尽管原始的少样本越狱方法可能效率低下,我们提出了改进技术,例如注入特殊系统标记(如[/INST])以及从收集的演示池中进行演示级随机搜索。这些简单技术在对齐大语言模型(即使具备高级防御机制)上产生了惊人的有效越狱效果。例如,我们的方法在Llama-2-7B和Llama-3-8B模型上实现了>80%(多数情况下>95%)的攻击成功率,且无需多次重启——即使这些模型通过困惑度检测和/或SmoothLLM等强防御机制进行了增强,这对基于后缀的越狱方法而言颇具挑战。此外,我们对其他对齐大语言模型和高级防御机制进行了全面细致的评估(例如确保使用正确的系统提示),我们的方法始终能实现接近100%的攻击成功率。代码已开源:https://github.com/sail-sg/I-FSJ。