Leveraging the Context through Multi-Round Interactions for Jailbreaking Attacks

Download PDF

Yixin Cheng, Markos Georgopoulos, Volkan Cevher, Grigorios Chrysos

27 Sept 2024 (modified: 15 Nov 2024)ICLR 2025 Conference Withdrawn SubmissionEveryoneRevisionsBibTeXCC BY 4.0
Keywords: LLM jailbreak, trustworthy ML, safety AI
TL;DR: Jailbreak LLM through multi-turn dialogues
Abstract: Large Language Models (LLMs) are susceptible to Jailbreaking attacks, which aim to extract harmful information by subtly modifying the attack query. As de- fense mechanisms evolve, directly obtaining harmful information becomes increas- ingly challenging for Jailbreaking attacks. In this work, inspired from Chomsky’s transformational-generative grammar theory and human practices of indirect con- text to elicit harmful information, we focus on a new attack form, called Contextual Interaction Attack. We contend that the prior context—the information preced- ing the attack query—plays a pivotal role in enabling strong Jailbreaking attacks. Specifically, we propose first multi-turn approach that leverages benign preliminary questions to interact with the LLM. Due to the autoregressive nature of LLMs, which use previous conversation rounds as context during generation, we guide the model’s question-responses pair to construct a context that is semantically aligned with the attack query to execute the attack. We conduct experiments on seven different LLMs and demonstrate the efficacy of this attack, which is black-box, and can also transfer across LLMs. We believe this can lead to further developments and understanding of the security in LLMs
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2025/AuthorGuide.
Reciprocal Reviewing: I understand the reciprocal reviewing requirement as described on https://iclr.cc/Conferences/2025/CallForPapers. If none of the authors are registered as a reviewer, it may result in a desk rejection at the discretion of the program chairs. To request an exception, please complete this form at https://forms.gle/Huojr6VjkFxiQsUp6.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors’ identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 9374