{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2023:HVCG4CD3HCUZZSWBBEQJSTTNJI","short_pith_number":"pith:HVCG4CD3","schema_version":"1.0","canonical_sha256":"3d446e087b38a99ccac10920994e6d4a1c6dbdc4f1862e05219bdd4860492e3b","source":{"kind":"arxiv","id":"2308.14132","version":3},"attestation_state":"computed","paper":{"title":"Detecting Language Model Attacks with Perplexity","license":"http://creativecommons.org/licenses/by-nc-sa/4.0/","headline":"Adversarial jailbreak suffixes produce high perplexity under GPT-2, allowing a classifier on perplexity and length to catch most attacks.","cross_cats":["cs.AI","cs.CR","cs.LG"],"primary_cat":"cs.CL","authors_text":"Gabriel Alon, Michael Kamfonas","submitted_at":"2023-08-27T15:20:06Z","abstract_excerpt":"A novel hack involving Large Language Models (LLMs) has emerged, exploiting adversarial suffixes to deceive models into generating perilous responses. Such jailbreaks can trick LLMs into providing intricate instructions to a malicious user for creating explosives, orchestrating a bank heist, or facilitating the creation of offensive content. By evaluating the perplexity of queries with adversarial suffixes using an open-source LLM (GPT-2), we found that they have exceedingly high perplexity values. As we explored a broad range of regular (non-adversarial) prompt varieties, we concluded that fa"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":true,"formal_links_present":true},"canonical_record":{"source":{"id":"2308.14132","kind":"arxiv","version":3},"metadata":{"license":"http://creativecommons.org/licenses/by-nc-sa/4.0/","primary_cat":"cs.CL","submitted_at":"2023-08-27T15:20:06Z","cross_cats_sorted":["cs.AI","cs.CR","cs.LG"],"title_canon_sha256":"f4426ad31296763e835ab54ae2f81682dc2297e18b9ace3e38a91745fb9b4ca0","abstract_canon_sha256":"ec4a9746d99896900950ab9f3086052ada3108e7580cbd70a19fafc096b18af1"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:38:52.385359Z","signature_b64":"fwSVI2MGpHL3cr2mpO6pAtseVWKtLa6/YtXJwfuwqKKuSwG4Qqs9/OVA4m0bg40GZjuvpXCHRLLdsWrpDyzNAw==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"3d446e087b38a99ccac10920994e6d4a1c6dbdc4f1862e05219bdd4860492e3b","last_reissued_at":"2026-05-17T23:38:52.384790Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:38:52.384790Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"Detecting Language Model Attacks with Perplexity","license":"http://creativecommons.org/licenses/by-nc-sa/4.0/","headline":"Adversarial jailbreak suffixes produce high perplexity under GPT-2, allowing a classifier on perplexity and length to catch most attacks.","cross_cats":["cs.AI","cs.CR","cs.LG"],"primary_cat":"cs.CL","authors_text":"Gabriel Alon, Michael Kamfonas","submitted_at":"2023-08-27T15:20:06Z","abstract_excerpt":"A novel hack involving Large Language Models (LLMs) has emerged, exploiting adversarial suffixes to deceive models into generating perilous responses. Such jailbreaks can trick LLMs into providing intricate instructions to a malicious user for creating explosives, orchestrating a bank heist, or facilitating the creation of offensive content. By evaluating the perplexity of queries with adversarial suffixes using an open-source LLM (GPT-2), we found that they have exceedingly high perplexity values. As we explored a broad range of regular (non-adversarial) prompt varieties, we concluded that fa"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"By evaluating the perplexity of queries with adversarial suffixes using an open-source LLM (GPT-2), we found that they have exceedingly high perplexity values. [...] A Light-GBM trained on perplexity and token length resolved the false positives and correctly detected most adversarial attacks in the test set.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the distribution of regular (non-adversarial) prompts used to measure false positives is representative of real-world usage and that future attackers will not adapt suffixes to also produce low perplexity under GPT-2.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Jailbreak prompts with adversarial suffixes have high GPT-2 perplexity, and a LightGBM model on perplexity and length detects most attacks.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Adversarial jailbreak suffixes produce high perplexity under GPT-2, allowing a classifier on perplexity and length to catch most attacks.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"e5a6f0fd51229d0f1a136796718c5ecc2ee6b912899a58e60e629baa18324bd4"},"source":{"id":"2308.14132","kind":"arxiv","version":3},"verdict":{"id":"e55be181-2a61-4cb2-8954-7bca598aa37f","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T13:55:22.051094Z","strongest_claim":"By evaluating the perplexity of queries with adversarial suffixes using an open-source LLM (GPT-2), we found that they have exceedingly high perplexity values. [...] A Light-GBM trained on perplexity and token length resolved the false positives and correctly detected most adversarial attacks in the test set.","one_line_summary":"Jailbreak prompts with adversarial suffixes have high GPT-2 perplexity, and a LightGBM model on perplexity and length detects most attacks.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the distribution of regular (non-adversarial) prompts used to measure false positives is representative of real-world usage and that future attackers will not adapt suffixes to also produce low perplexity under GPT-2.","pith_extraction_headline":"Adversarial jailbreak suffixes produce high perplexity under GPT-2, allowing a classifier on perplexity and length to catch most attacks."},"references":{"count":83,"sample":[{"doi":"","year":2022,"title":"Training a helpful and harmless assistant with reinforcement learning from human feedback, 2022","work_id":"6b9cf002-ab59-4c61-ae20-2d2f7b0eecaf","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2019,"title":"Boolq: Exploring the surprising difficulty of natural yes/no questions","work_id":"95712603-7f1e-44dd-825a-da30fd36d3aa","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2019,"title":"Certified adversarial robustness via randomized smoothing","work_id":"d07eec87-9b6a-4a0e-b8f8-aee82051d662","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2012,"title":"Monitor alarm fatigue: an integrative review","work_id":"95443dd5-754f-4923-a4fa-453decbf764d","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2022,"title":"Improving alignment of dialogue agents via targeted human judgments, 2022","work_id":"279da37f-eca7-468c-9da9-7d42921a9b93","ref_index":6,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":83,"snapshot_sha256":"09a310974125e1a6db0726b75ef3260df968cc1eb1c26603f3445e630ce39dbf","internal_anchors":4},"formal_canon":{"evidence_count":2,"snapshot_sha256":"c87afabb31051e2af7cd34f5765435442bab6e4a22119dc4d57870ea2efe33f8"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2308.14132","created_at":"2026-05-17T23:38:52.384863+00:00"},{"alias_kind":"arxiv_version","alias_value":"2308.14132v3","created_at":"2026-05-17T23:38:52.384863+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2308.14132","created_at":"2026-05-17T23:38:52.384863+00:00"},{"alias_kind":"pith_short_12","alias_value":"HVCG4CD3HCUZ","created_at":"2026-05-18T12:33:33.725879+00:00"},{"alias_kind":"pith_short_16","alias_value":"HVCG4CD3HCUZZSWB","created_at":"2026-05-18T12:33:33.725879+00:00"},{"alias_kind":"pith_short_8","alias_value":"HVCG4CD3","created_at":"2026-05-18T12:33:33.725879+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":36,"internal_anchor_count":36,"sample":[{"citing_arxiv_id":"2506.04390","citing_title":"Through the Stealth Lens: Attention-Aware Defenses Against Poisoning in RAG","ref_index":21,"is_internal_anchor":true},{"citing_arxiv_id":"2402.06922","citing_title":"Whispers in the Machine: Confidentiality in Agentic Systems","ref_index":34,"is_internal_anchor":true},{"citing_arxiv_id":"2405.13068","citing_title":"Uncovering Logit Suppression Vulnerabilities in LLM Safety Alignment","ref_index":2,"is_internal_anchor":true},{"citing_arxiv_id":"2408.12935","citing_title":"AI Safety Landscape for Large Language Models: Taxonomy, State-of-the-art, and Future Directions","ref_index":16,"is_internal_anchor":true},{"citing_arxiv_id":"2505.14226","citing_title":"Phonetic Perturbations Reveal Tokenizer-Rooted Safety Gaps in LLMs","ref_index":1,"is_internal_anchor":true},{"citing_arxiv_id":"2605.21948","citing_title":"SCI-Defense: Defending Manipulation Attacks from Generative Engine Optimization","ref_index":2,"is_internal_anchor":true},{"citing_arxiv_id":"2509.25448","citing_title":"Fingerprinting LLMs via Prompt Injection","ref_index":1,"is_internal_anchor":true},{"citing_arxiv_id":"2510.13727","citing_title":"From Refusal to Recovery: A Control-Theoretic Approach to Generative AI Guardrails","ref_index":26,"is_internal_anchor":true},{"citing_arxiv_id":"2605.19966","citing_title":"Detecting Fluent Optimization-Based Adversarial Prompts via Sequential Entropy Changes","ref_index":8,"is_internal_anchor":true},{"citing_arxiv_id":"2605.19485","citing_title":"Attention-Guided Reward for Reinforcement Learning-based Jailbreak against Large Reasoning Models","ref_index":1,"is_internal_anchor":true},{"citing_arxiv_id":"2605.17288","citing_title":"When Efficiency Backfires: Cascading LLMs Trigger Cascade Failure under Adversarial Attack","ref_index":81,"is_internal_anchor":true},{"citing_arxiv_id":"2506.01770","citing_title":"ReGA: Model-Based Safeguard for LLMs via Representation-Guided Abstraction","ref_index":51,"is_internal_anchor":true},{"citing_arxiv_id":"2508.04204","citing_title":"ReasoningGuard: Safeguarding Large Reasoning Models with Inference-time Safety Aha Moments","ref_index":39,"is_internal_anchor":true},{"citing_arxiv_id":"2510.20129","citing_title":"SAID: Safety-Aware Intent Defense via Prefix Probing for Large Language Models","ref_index":2,"is_internal_anchor":true},{"citing_arxiv_id":"2510.23883","citing_title":"Agentic AI Security: Threats, Defenses, Evaluation, and Open Challenges","ref_index":197,"is_internal_anchor":true},{"citing_arxiv_id":"2504.19793","citing_title":"Prompt Injection Attack to Tool Selection in LLM Agents","ref_index":74,"is_internal_anchor":true},{"citing_arxiv_id":"2602.02280","citing_title":"RACC: Representation-Aware Coverage Criteria for LLM Safety Testing","ref_index":2,"is_internal_anchor":true},{"citing_arxiv_id":"2404.01318","citing_title":"JailbreakBench: An Open Robustness Benchmark for Jailbreaking Large Language Models","ref_index":5,"is_internal_anchor":true},{"citing_arxiv_id":"2407.04295","citing_title":"Jailbreak Attacks and Defenses Against Large Language Models: A Survey","ref_index":1,"is_internal_anchor":true},{"citing_arxiv_id":"2310.03684","citing_title":"SmoothLLM: Defending Large Language Models Against Jailbreaking Attacks","ref_index":38,"is_internal_anchor":true},{"citing_arxiv_id":"2605.11996","citing_title":"BadSKP: Backdoor Attacks on Knowledge Graph-Enhanced LLMs with Soft Prompts","ref_index":50,"is_internal_anchor":true},{"citing_arxiv_id":"2605.03095","citing_title":"Revisiting JBShield: Breaking and Rebuilding Representation-Level Jailbreak Defenses","ref_index":3,"is_internal_anchor":true},{"citing_arxiv_id":"2310.08419","citing_title":"Jailbreaking Black Box Large Language Models in Twenty Queries","ref_index":38,"is_internal_anchor":true},{"citing_arxiv_id":"2605.10611","citing_title":"Re-Triggering Safeguards within LLMs for Jailbreak Detection","ref_index":1,"is_internal_anchor":true},{"citing_arxiv_id":"2605.09278","citing_title":"EquiMem: Calibrating Shared Memory in Multi-Agent Debate via Game-Theoretic Equilibrium","ref_index":1,"is_internal_anchor":true}]},"formal_canon":{"evidence_count":2,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/HVCG4CD3HCUZZSWBBEQJSTTNJI","json":"https://pith.science/pith/HVCG4CD3HCUZZSWBBEQJSTTNJI.json","graph_json":"https://pith.science/api/pith-number/HVCG4CD3HCUZZSWBBEQJSTTNJI/graph.json","events_json":"https://pith.science/api/pith-number/HVCG4CD3HCUZZSWBBEQJSTTNJI/events.json","paper":"https://pith.science/paper/HVCG4CD3"},"agent_actions":{"view_html":"https://pith.science/pith/HVCG4CD3HCUZZSWBBEQJSTTNJI","download_json":"https://pith.science/pith/HVCG4CD3HCUZZSWBBEQJSTTNJI.json","view_paper":"https://pith.science/paper/HVCG4CD3","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2308.14132&json=true","fetch_graph":"https://pith.science/api/pith-number/HVCG4CD3HCUZZSWBBEQJSTTNJI/graph.json","fetch_events":"https://pith.science/api/pith-number/HVCG4CD3HCUZZSWBBEQJSTTNJI/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/HVCG4CD3HCUZZSWBBEQJSTTNJI/action/timestamp_anchor","attest_storage":"https://pith.science/pith/HVCG4CD3HCUZZSWBBEQJSTTNJI/action/storage_attestation","attest_author":"https://pith.science/pith/HVCG4CD3HCUZZSWBBEQJSTTNJI/action/author_attestation","sign_citation":"https://pith.science/pith/HVCG4CD3HCUZZSWBBEQJSTTNJI/action/citation_signature","submit_replication":"https://pith.science/pith/HVCG4CD3HCUZZSWBBEQJSTTNJI/action/replication_record"}},"created_at":"2026-05-17T23:38:52.384863+00:00","updated_at":"2026-05-17T23:38:52.384863+00:00"}