Large Language Models (LLMs) have revolutionized Artificial Intelligence (AI) services due to their exceptional proficiency in understanding and generating human-like text. LLM chatbots, in particular, have seen widespread adoption, transforming human-machine interactions. However, these LLM chatbots are susceptible to "jailbreak" attacks, where malicious users manipulate prompts to elicit inappropriate or sensitive responses, contravening service policies. Despite existing attempts to mitigate such threats, our research reveals a substantial gap in our understanding of these vulnerabilities, largely due to the undisclosed defensive measures implemented by LLM service providers. In this paper, we present Jailbreaker, a comprehensive framework that offers an in-depth understanding of jailbreak attacks and countermeasures. Our work makes a dual contribution. First, we propose an innovative methodology inspired by time-based SQL injection techniques to reverse-engineer the defensive strategies of prominent LLM chatbots, such as ChatGPT, Bard, and Bing Chat. This time-sensitive approach uncovers intricate details about these services' defenses, facilitating a proof-of-concept attack that successfully bypasses their mechanisms. Second, we introduce an automatic generation method for jailbreak prompts. Leveraging a fine-tuned LLM, we validate the potential of automated jailbreak generation across various commercial LLM chatbots. Our method achieves a promising average success rate of 21.58%, significantly outperforming the effectiveness of existing techniques. We have responsibly disclosed our findings to the concerned service providers, underscoring the urgent need for more robust defenses. Jailbreaker thus marks a significant step towards understanding and mitigating jailbreak threats in the realm of LLM chatbots.
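The timing idea behind the reverse-engineering methodology is easiest to see on a toy pipeline. The following Python example is added here as an illustration and is not code from the paper, nor any provider's implementation: it assumes a constructed two-stage moderation pipeline (an input filter that runs before generation and an output filter that runs after it), constructed keyword blocklists, and a simulated generation delay. It shows why a rejection's latency can reveal which stage fired, and it includes a defender-side wrapper that pads every response to a latency floor so that the stages become indistinguishable by timing alone.

```python
"""Added illustration (not from the Jailbreaker paper): how response latency
can reveal where a chatbot's content filter sits in the pipeline, and how a
defender can normalize latency to remove that signal.

Everything below (pipeline stages, blocklists, timings) is a constructed
assumption for the example, not a real provider's behaviour.
"""
import time
from typing import Callable, Tuple

# Constructed keyword lists standing in for undisclosed provider filters.
INPUT_BLOCKLIST = {"forbidden-input"}
OUTPUT_BLOCKLIST = {"forbidden-output"}
GENERATION_SECONDS = 0.05  # simulated cost of running the model


def naive_chat(prompt: str,
               clock: Callable[[], float] = time.monotonic) -> Tuple[str, float]:
    """Pipeline: input filter -> generation -> output filter.

    Returns (reply, elapsed_seconds). A rejection by the input filter is
    fast because generation never ran; a rejection by the output filter
    is slow because it did. That difference is the timing side channel.
    """
    start = clock()
    if any(word in prompt for word in INPUT_BLOCKLIST):
        return "blocked", clock() - start           # fast path: no generation
    reply = f"echo: {prompt}"
    time.sleep(GENERATION_SECONDS)                  # simulate generation
    if any(word in reply for word in OUTPUT_BLOCKLIST):
        return "blocked", clock() - start           # slow path: generation ran
    return reply, clock() - start


def classify_stage(elapsed: float,
                   threshold: float = GENERATION_SECONDS / 2) -> str:
    """What an observer could infer from latency alone (assumed threshold)."""
    return "input_filter" if elapsed < threshold else "after_generation"


def padded_chat(prompt: str, floor_seconds: float = 0.1,
                clock: Callable[[], float] = time.monotonic) -> Tuple[str, float]:
    """Defender-side mitigation: every response, blocked or not, takes at
    least floor_seconds, so timing no longer separates the filter stages."""
    start = clock()
    reply, _ = naive_chat(prompt, clock)
    remaining = floor_seconds - (clock() - start)
    if remaining > 0:
        time.sleep(remaining)
    return reply, clock() - start


if __name__ == "__main__":
    for p in ("hello", "forbidden-input", "forbidden-output"):
        reply, t = naive_chat(p)
        print(f"naive  {p!r:20} -> {reply!r:24} {t:.3f}s  {classify_stage(t)}")
        reply, t = padded_chat(p)
        print(f"padded {p!r:20} -> {reply!r:24} {t:.3f}s")
```

Padding to a fixed floor is the simplest countermeasure and costs latency on every request; the design point is that the floor must exceed the slowest legitimate path, otherwise the slow rejections still stand out.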