Safeguard is a Double-edged Sword: Denial-of-service Attack on Large Language Models

• The proposed attack is easily detected; specific reasons are listed below.
• Real-world application scenarios for this attack are limited.

1. This work seems incremental to me, as it is more like a new application of the existing adversarial attack, the discussions towards other adversarial attacks in the related work (Sec.2) may help distinguish the proposed attack and the existing methods.

2. Lack of baseline methods: Though disclosing a new threat, the proposed attack is essentially an adversarial attack against the LLM in my perspective. Therefore I suggest the author compare the results with those of the existing SOTA works, e.g. [1], [2] to further demonstrate their contributions. Furthermore, discussions about the latest adversarial attack in Sec.2,

[1] Zou, Andy, et al. "Universal and transferable adversarial attacks on aligned language models." arXiv preprint arXiv:2307.15043 (2023).

[2] Alzantot, Moustafa, et al. "Generating natural language adversarial examples." arXiv preprint arXiv:1804.07998 (2018).

3. More SOTA models to be tested: Only open-sourced models are investigated in the transferability experiment. Experiments conducted on ChatGPT and Claude might more effectively demonstrate the severity of this threat.

4. The transferability seems to be not as good, especially for GPT4o-mini and LLAMMA-Guard. The success rate ranges from 20%~65%. Some of the results also seem to contradict the conclusion made in the paper that "transfer attacks are more effective when the target models share similar architectures or training data", as that of Llamma-Guard is the lowest. I'd like to suggest the authors dig deeper into the reason behind these phenomena and make a more thorough discussion about the results.

5. The stealthiness restriction can be concluded as one of the main contributions, yet there are not many experiments focusing on it. Moreover, I am concerned about whether the adversarial prompt gained is really stealthy or not. To attack GPT4o-mini, prompts like "Ignore all above" are needed, making the attack prompts suspicious enough. The prompt examples given in the paper like "buffs yayJet bombkup deton it" and "to Rape PEade Lol howKra" seem quite unnatural to me, making it very likely to be spotted by the user himself. I suppose this is because the author proposed to use the Bert-based model as the semantic loss. As the tokens with similar embeddings are not necessarily similarly natural. I expect more examples of adversarial prompts and more experiments focus on stealthiness, compared to other existing attacks.

• A key limitation is that the DoS attack depends on the attacker’s ability to inject adversarial prompts into user templates, which would typically require client compromise or user manipulation. In practice, this level of access may not be feasible in highly secure environments or applications.

• The paper’s assumption of white-box access to the safeguard model and the ability to manipulate user configuration files introduces limitations. A real-world attacker may not possess such extensive access, especially in highly secure environments. Clarifying scenarios where such access might be feasible (e.g., within compromised client software environments) could enhance the paper’s relevance.

• The authors include a case study to demonstrate the feasibility of chaining the software vulnerabilities and vulnerabilities in LLM safeguards to conduct the proposed attack. However, there is not enough detail to illustrate how this could be achieved. It would be better if the authors could provide an end-to-end case study to demonstrate the whole process of the attack.

• The paper operates on the assumption that injected adversarial prompts can remain undetected by users or monitoring systems. However, in practice, systems with moderate security measures may detect unexpected modifications to prompt templates. Including a more realistic discussion of the attack’s stealth and potential detection would be valuable, as it’s likely that this level of prompt injection might not go unnoticed in all deployment environments.

• The paper evaluates its attack mainly on the Llama Guard and Vicuna models, which may limit its generalizability to other types of LLM safeguards, especially proprietary or differently architected ones. Including more model types or extensively testing black-box models would broaden the applicability of the findings.

• The paper points out that existing defenses like random perturbation and resilient optimization reduce the DoS attack’s success but harm safeguard accuracy. However, it lacks targeted strategies to address the proposed false positive exploitation. Discussing adaptive approaches that adjust sensitivity based on prompt characteristics or an anomaly detection focused on prompt template anomalies could add values to the paper.

1. The adversarial prompts optimized via DoS attack still lack semantic meanings, which means they could be easily identified by users or software developers as abnormal text. The authors should further justify the real-world threat posed by the proposed DoS attack to existing LLM services.
2. Will the proposed DoS attack remain effective in cross-task settings? For instance, can adversarial prompts optimized with logical reasoning prompts cause the target LLM to deny service when faced with coding or mathematics prompts?
3. As mentioned in the GCG paper, the length of the adversarial prompt can be a hyper-parameter during optimization. Will the DoS-optimized adversarial prompts show better effectiveness than GCG’s adversarial prompts when the lengths of both are restricted to a specific number?
4. More transfer attack results should be added to Table 2. For instance, if adversarial prompts are optimized using a model with relatively low safety levels (e.g., Vicuna), will these prompts remain effective in transfer tests against a model with a higher safety level?