DAG-Jailbreak: Enhancing Black-box Jailbreak Attacks and Defenses through DAG Dependency Analysis

Download PDF

ICLR 2025 Conference Submission10981 Authors

27 Sept 2024 (modified: 22 Jan 2025)Submitted to ICLR 2025EveryoneRevisionsBibTeXCC BY 4.0
Keywords: Jailbreak Attacks and Defenses, LLM Security, DAG Dependency Analysis
TL;DR: We propose DAG-Jailbreak, a novel framework leveraging Directed Acyclic Graph dependency analysis to construct more robust jailbreak attacks and defenses.
Abstract: Black-box jailbreak attacks and defenses, a critical branch of the large language model (LLM) security, are characterized by their minimal requirement for user expertise and high potential for automation. However, current black-box jailbreak approaches often adhere to a uniform global algorithmic framework, leading to suboptimal solutions due to challenges in local optimization. This limits both their effectiveness and scalability. To address these limitations, we propose **DAG-Jailbreak**, a novel framework leveraging Directed Acyclic Graph (DAG) dependency analysis to construct more robust jailbreak attacks and defenses. The core idea behind this framework is to combine optimal sub-components to form a more effective global algorithm. **DAG-Jailbreak** compromises three components: *DAG-Attack*, which creates highly effective attackers based on two global algorithms and is capable of compromising well-aligned LLMs without prior knowledge; *DAG-Defense*, which introduces a novel global framework based on a mixture-of-defenders mechanism, significantly enhancing the scalability and effectiveness of jailbreak defenses by reducing the attack success rate to below 3\% in most cases; and *DAG-Evaluation*, which introduces the concept of jailbreak hallucination and a two-stage evaluation framework to assess the outputs generated by LLMs comprehensively. Extensive experiments validate the superiority and robustness of **DAG-Jailbreak**.
Supplementary Material: zip
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2025/AuthorGuide.
Reciprocal Reviewing: I understand the reciprocal reviewing requirement as described on https://iclr.cc/Conferences/2025/CallForPapers. If none of the authors are registered as a reviewer, it may result in a desk rejection at the discretion of the program chairs. To request an exception, please complete this form at https://forms.gle/Huojr6VjkFxiQsUp6.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors’ identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 10981