Large language models (LLMs), such as ChatGPT, have emerged with astonishing capabilities approaching artificial general intelligence. While providing convenience for various societal needs, LLMs have also lowered the cost of generating harmful content. Consequently, LLM developers have deployed semantic-level defenses to recognize and reject prompts that may lead to inappropriate content. Unfortunately, these defenses are not foolproof, and some attackers have crafted "jailbreak" prompts that temporarily hypnotize the LLM into forgetting content defense rules and answering any improper questions. To date, there is no clear explanation of the principles behind these semantic-level attacks and defenses in both industry and academia. This paper investigates the LLM jailbreak problem and proposes an automatic jailbreak method for the first time. We propose the concept of a semantic firewall and provide three technical implementation approaches. Inspired by the attack that penetrates traditional firewalls through reverse tunnels, we introduce a "self-deception" attack that can bypass the semantic firewall by inducing LLM to generate prompts that facilitate jailbreak. We generated a total of 2,520 attack payloads in six languages (English, Russian, French, Spanish, Chinese, and Arabic) across seven virtual scenarios, targeting the three most common types of violations: violence, hate, and pornography. The experiment was conducted on two models, namely the GPT-3.5-Turbo and GPT-4. The success rates on the two models were 86.2% and 67%, while the failure rates were 4.7% and 2.2%, respectively. This highlighted the effectiveness of the proposed attack method. All experimental code and raw data will be released as open-source to inspire future research. We believe that manipulating AI behavior through carefully crafted prompts will become an important research direction in the future.

翻译：大语言模型（LLMs），如ChatGPT，已展现出接近通用人工智能的惊人能力。在为各种社会需求提供便利的同时，LLMs也降低了生成有害内容的成本。因此，LLM开发者部署了语义层级的防御手段，以识别并拒斥可能导向不当内容的提示。遗憾的是，这些防御并非万无一失，部分攻击者已设计出“越狱”提示，能暂时催眠LLM，使其忘却内容防御规则并回答任何不当问题。迄今，业界和学界对这一语义层级攻击与防御背后的原理尚缺乏清晰解释。本文研究LLM越狱问题，并首次提出一种自动化的越狱方法。我们提出语义防火墙的概念，并给出了三种技术实现途径。受通过反向隧道穿透传统防火墙的攻击启发，我们引入了一种“自我欺骗”攻击，通过诱导LLM生成有助于越狱的提示来绕过语义防火墙。我们共在七种虚拟场景中，针对暴力、仇恨和色情三类最常见的违规类型，以六种语言（英语、俄语、法语、西班牙语、中文和阿拉伯语）生成了2,520个攻击载荷。实验基于GPT-3.5-Turbo和GPT-4两种模型进行。在两种模型上的成功率分别为86.2%和67%，失败率分别为4.7%和2.2%。这突显了所提攻击方法的有效性。所有实验代码和原始数据将开源发布，以启发未来研究。我们相信，通过精心构造的提示来操控AI行为将成为未来的重要研究方向。