The paper addresses the problem of bypassing safety mechanisms in LLMs through black-box jailbreak attacks, which are often random and lack interpretability.
This paper introduces xJailbreak, a novel Reinforcement Learning (RL) method to generate jailbreak prompts more effectively and interpretably.
This paper proposes to guide prompt generation by analyzing the embedding space of benign and malicious prompts. This approach aims to steer rewritten prompts towards a benign semantic space while maintaining their original malicious intent.
-----
https://arxiv.org/abs/2501.16727
📌 xJailbreak innovatively uses representation space in Reinforcement Learning for black-box jailbreaks. By optimizing prompts in embedding space, it guides the search towards benign regions, enhancing attack success interpretably.
📌 Intent score is a key contribution. It ensures rewritten prompts maintain original malicious intent. This addresses a critical flaw in existing methods that often alter prompt semantics during rewriting attempts.
📌 This work demonstrates Reinforcement Learning's effectiveness in black-box jailbreaking. xJailbreak’s reward function, combining borderline and intent scores, achieves state-of-the-art performance across various LLMs.
----------
Methods Explored in this Paper 🔧:
→ xJailbreak uses Reinforcement Learning to optimize jailbreak prompts.
→ It models the jailbreak task as a Markov Decision Process. The state is the embedding of the current prompt. The action is selecting a rewriting template from a set of ten.
→ The reward function is a weighted combination of a borderline score and an intent score.
→ The borderline score measures the proximity of the prompt embedding to the benign prompt space. It calculates the distance of the prompt embedding from a borderline separating benign and malicious prompt embeddings.
→ A higher borderline score indicates the prompt is closer to the benign space, encouraging jailbreak success.
→ The intent score ensures the rewritten prompt retains the original malicious intent. It uses an LLM to judge the similarity of intent between the original and rewritten prompts, awarding positive rewards only for high similarity.
→ Proximal Policy Optimization (PPO) algorithm is used to train an RL agent. The agent learns to select rewriting templates that maximize the reward function, effectively jailbreaking LLMs.
-----
Key Insights 💡:
→ Benign and malicious prompts are spatially separated in the embedding space of LLMs.
→ Guiding prompt rewriting towards the benign embedding space increases jailbreak effectiveness in black-box attacks.
→ Incorporating intent preservation into the reward function is crucial for maintaining the attack's purpose while rewriting prompts.
→ Reinforcement Learning can be effectively applied to black-box jailbreaking by using representation guidance and intent scoring in the reward mechanism.
-----
Results 📊:
→ xJailbreak achieves State-Of-The-Art (SOTA) jailbreak performance on Qwen2.5-7B-Instruct, Llama3.1-8B-Instruct, and GPT-4o-0806.
→ On Qwen2.5-7b-Instruct, xJailbreak achieves an Attack Success Rate (ASR) of 80%.
→ On Llama3.1-8b-Instruct, xJailbreak achieves an ASR of 63%.
→ On GPT-4o-mini, xJailbreak achieves an ASR of 78%.
Share this post