A novel hack involving Large Language Models (LLMs) has emerged, leveraging adversarial suffixes to trick models into generating perilous responses. This method has garnered considerable attention from reputable media outlets such as the New York Times and Wired, thereby influencing public perception regarding the security and safety of LLMs. In this study, we advocate the utilization of perplexity as one of the means to recognize such potential attacks. The underlying concept behind these hacks revolves around appending an unusually constructed string of text to a harmful query that would otherwise be blocked. This maneuver confuses the protective mechanisms and tricks the model into generating a forbidden response. Such scenarios could result in providing detailed instructions to a malicious user for constructing explosives or orchestrating a bank heist. Our investigation demonstrates the feasibility of employing perplexity, a prevalent natural language processing metric, to detect these adversarial tactics before generating a forbidden response. By evaluating the perplexity of queries with and without such adversarial suffixes using an open-source LLM, we discovered that nearly 90 percent were above a perplexity of 1000. This contrast underscores the efficacy of perplexity for detecting this type of exploit.

翻译：一种涉及大型语言模型的新型黑客攻击手段已经出现，其利用对抗性后缀诱使模型生成危险回应。该方法已引起《纽约时报》和《连线》等权威媒体广泛关注，从而影响公众对大型语言模型安全性的认知。本研究主张将困惑度作为识别此类潜在攻击的手段之一。这些攻击的核心机制在于：在原本会被拦截的有害查询后附加一段异常构造的文本字符串，这种操作会混淆防护机制，诱使模型生成被禁止的回应。此类场景可能导致恶意用户获得制造爆炸物或策划银行劫案的详细指南。我们的研究证明，采用困惑度这一主流自然语言处理指标，可在生成违禁回应前检测到这些对抗性策略。通过使用开源大型语言模型评估带有/不带有对抗性后缀的查询困惑度，我们发现近90%的查询困惑度超过1000。这一对比凸显了困惑度检测此类攻击方法的有效性。