Mitigating Adversarial Attacks in LLMs through Defensive Suffix Generation

Download PDF

Minkyoung Kim, Yunha Kim, Hyeram Seo, Heejung Choi, JiYe Han, Gaeun Kee, Soyoung Ko, HyoJe Jung, Byeolhee Kim, Young-Hak Kim, Sanghyun park, Tae Joon Jun

27 Sept 2024 (modified: 15 Oct 2024)ICLR 2025 Conference Desk Rejected SubmissionEveryoneRevisionsBibTeXCC BY 4.0
Keywords: AI Safety, Large Language Models, Defensive Suffix, Adversarial Attacks
TL;DR: A gradient-based defensive suffix algorithm with an improved loss function strengthens LLMs against adversarial attacks while maintaining utility without retraining.
Abstract: Large language models (LLMs) have exhibited outstanding performance in natural language processing tasks. However, these models remain susceptible to adversarial attacks in which slight input perturbations can lead to harmful or misleading outputs. A gradient-based defensive suffix generation algorithm is designed to bolster the robustness of LLMs. By appending carefully optimized defensive suffixes to input prompts, the algorithm mitigates adversarial influences while preserving the models' utility. To enhance adversarial understanding, a novel total loss function ($L_{\text{total}}$) combining defensive loss ($L_{\text{def}}$) and adversarial loss ($L_{\text{adv}}$) generates defensive suffixes more effectively. Experimental evaluations show that applying this method to open-source LLMs such as gemma-7B and mistral-7B results in an average 19\% reduction in attack success rates (ASR) compared to models without defensive suffixes. This approach reduces the perplexity score of the Gemma-7B base model from 4.59 to 2.90 when applying the defensive suffix generated by Llama3.2-1B. This significantly enhances the security of LLMs in critical applications without requiring extensive retraining.
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2025/AuthorGuide.
Reciprocal Reviewing: I understand the reciprocal reviewing requirement as described on https://iclr.cc/Conferences/2025/CallForPapers. If none of the authors are registered as a reviewer, it may result in a desk rejection at the discretion of the program chairs. To request an exception, please complete this form at https://forms.gle/Huojr6VjkFxiQsUp6.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors’ identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 9704