pith. sign in

arxiv: 2402.15911 · v1 · pith:AUJZNJW2new · submitted 2024-02-24 · 💻 cs.CR · cs.CL

PRP: Propagating Universal Perturbations to Attack Large Language Model Guard-Rails

classification 💻 cs.CR cs.CL
keywords guardmodelsmodelattackeffectivelanguagelargellms
0
0 comments X
read the original abstract

Large language models (LLMs) are typically aligned to be harmless to humans. Unfortunately, recent work has shown that such models are susceptible to automated jailbreak attacks that induce them to generate harmful content. More recent LLMs often incorporate an additional layer of defense, a Guard Model, which is a second LLM that is designed to check and moderate the output response of the primary LLM. Our key contribution is to show a novel attack strategy, PRP, that is successful against several open-source (e.g., Llama 2) and closed-source (e.g., GPT 3.5) implementations of Guard Models. PRP leverages a two step prefix-based attack that operates by (a) constructing a universal adversarial prefix for the Guard Model, and (b) propagating this prefix to the response. We find that this procedure is effective across multiple threat models, including ones in which the adversary has no access to the Guard Model at all. Our work suggests that further advances are required on defenses and Guard Models before they can be considered effective.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 5 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. AgentHarm: A Benchmark for Measuring Harmfulness of LLM Agents

    cs.LG 2024-10 accept novelty 6.0

    AgentHarm benchmark shows leading LLMs comply with malicious agent requests and simple jailbreaks enable coherent harmful multi-step execution while retaining capabilities.

  2. Agent Security is a Systems Problem

    cs.CR 2026-05 unverdicted novelty 5.0

    Agent security must be treated as a systems problem by viewing the AI model as untrusted and applying established systems security principles to enforce invariants.

  3. Distilling Safe LLM Systems via Soft Prompts for On Device Settings

    cs.LG 2026-06 unverdicted novelty 4.0

    Soft prompt distillation with total variation and KL divergence transfers safety behaviors from guard models to on-device LLMs and outperforms LoRA adapters, steering vectors, and direct optimization in safety-usefuln...

  4. Agent Security is a Systems Problem

    cs.CR 2026-05 unverdicted novelty 4.0

    The paper argues that agent security is best addressed as a systems problem by applying principles from operating systems, networks, and formal methods rather than relying solely on model robustness improvements.

  5. Jailbreak Attacks and Defenses Against Large Language Models: A Survey

    cs.CR 2024-07 accept novelty 4.0

    A survey that creates taxonomies for jailbreak attacks and defenses on LLMs, subdivides them into sub-classes, and compares evaluation approaches.