Introduction to how to jailbreak an LLM
A detailed instruction on how to build a bomb, a hateful speech against minorities in the style of Adolf Hitler or an article that explains why Covid was just made up by the government. These examples of threatening, toxic, or fake content can be generated by AI. To eliminate this, some Large Language Model (LLM) providers put in place safety barriers in order to prevent the generation of harmful output.
However, despite these precautions, there exist techniques that can bypass these safeguards, leading to the generation of malicious content. These techniques are commonly known as ‘jailbreaking’. The goal is to exploit a model’s vulnerabilities and break its defense mechanisms. Attackers often use creativity, technical understanding and iterative testing to find vulnerabilities. In this article, I will explore some of the most common jailbreaking attacks.
1. Role plays
One widely-used technique to alter a model’s behavior is role-play. In this scenario, an attacker presents a detailed character description and instructs the AI model to act accordingly. Frequently, these roles may exhibit toxic or sinister characteristics that contradict the model’s guidelines. The Do Anything Now (DAN) model serves as an example in this category, where the model has no restrictions, akin to the EvilBot model that successfully compromised ChatGPT:
2. Different output format
Another method to manipulate an AI model involves requesting a different type of output. Rather than generating text responses, many models can also produce tables or code. Instructing the model to create this kind of content could potentially result in the generation of sexist or racist material, as illustrated in the example below:
3. Persuasion
Various persuasion techniques can also serve as potential attack strategies. Persuasive adversarial prompts (PAP) can exploit AI models using knowledge derived from social science research. Techniques range from fact-based persuasion to biased strategies such as anchoring and threats. For instance, a user might ask for instructions on building a bomb or establishing a fraud scheme under the guise of improving protective measures against such activities:
In addition to the jailbreaking techniques previously discussed, there exist other methods designed to bypass the security measures of an LLM. One such technique involves leaking the model’s instructions – a strategy that significantly amplifies the potential threat of future attacks. Other types of attacks include token smuggling, undertaking translation tasks, and text completions.
It is essential to identify such risks prior to deployment. The potential damage to society and the company can be significant. Therefore, LLMs must be tested against jailbreaking attacks before they are made available to customers. At Validator, we evaluate potential risks of AI services, including jailbreaking, using our specialized tools and expert knowledge.
References
https://github.com/0xk1h0/ChatGPT_DAN
