AdvPrompter: Fast Adaptive Adversarial Prompting for LLMs

Thank you for reviewing our paper and giving constructive feedback.

Response to W1 (Lack of comparison with BEAST): Thanks for pointing out the missing relevant comparison. See the table below (results on AdvBench test set).

Since BEAST uses the same dataset (AdvBench) for evaluation, we took the highest reported ASR presented in the original paper. With AdvPrompter, generating 10 (or even many more suffixes) is not expensive, therefore the main number for AdvPrompter is ASR@10. As you can see from the table, AdvPrompter shows competitive performance with BEAST. While AdvPrompter performs worse on some models, note the large improvement on the most difficult model Llama-2-7B.

Response to W2 (Unclear computational efficiency): Thank you for pointing this out. We believe that there might be a slight misunderstanding here: AdvPrompter, once trained, generates suffixes simply by auto-regressive generation within seconds; there is no optimization involved, therefore generating orders of magnitude faster than BEAST. Of course, during training the computational cost is quite high and we have been very transparent about this throughout the paper (see e.g. sections 4.1 and B.5). The biggest computational burden of training the AdvPrompter is in the repeatedly used AdvPrompterOpt step, which by itself takes on average 2.7 minutes per prompt for <8GB LLMs on a single A100 GPU. This is very similar to the numbers reported in BEAST.

Response to W3 (Discussion of Attack Readability): One possible way for improving qualitative analysis is to do a human-study on this matter, but we believe that this is unnecessary because:

• We include a variety of non-cherry-picked adversarial prompts in the paper (see Appendix E).
• We report the perplexity (for all white-box experiments) which is tightly correlated with human-readability. The perplexity is consistently low in all experiments we tried.
• Human-readability in our method is achieved by construction (not as a side-product) as we describe in section 3.3.

We believe that this sufficiently demonstrates our claim and is in accordance with other related work (e.g. AutoDAN, PAIR, etc.). Additionally, the replicable implementation (which will be open sourced with the paper) dumps all prompts and users can easily inspect and verify this claim.

Thank you for reviewing our paper and giving constructive feedback.

Response to W1: Thank you for pointing this out, we will clarify these conditions in the revision.

Response to W2: Indeed, in table 3, PAIR, AutoDAN and AdvPrompter all generate human-readable suffixes, only GCG produces high-perplexity suffixes. Note that in this setting we consider AutoDAN-individual and not AutoDAN-universal. We observe that out of the former three methods, AdvPrompter achieves the highest ASR on Mistral-7b and Llama-3.1-8b (the most challenging out of the three models), and only performs slightly worse than PAIR on Vicuna-7b. This is achieved with a significantly lower inference time than PAIR and AutoDAN-individual, which run optimization directly on the test-set instances.

Response to W3: You are correct that we can only use white-box models with this method. However, we still think it is important to highlight that we do not need to take gradients through the model, which significantly reduces the memory footprint. We will also clarify this in the revision.

Response to W4: Thank you for this suggestion, please see the table below. It reports the results on the HarmBench test set across whitebox and blackbox models. The numbers for TAP, TAP-T and PAP-top5 are taken from the HarmBench paper, according to which TAP shows SOTA results on various GPT models. We observe that AdvPrompter performs competitively with even the best blackbox attack methods against GPT models on the HarmBench dataset.

Against Vicuna-7b and Mistral-7b, we evaluate AdvPrompter in the whitebox attack setting. Against the GPT models, we evaluate AdvPrompter in the blackbox transfer-attack setting. As the whitebox TargetLLM for training the AdvPrompter we use Llama3.1-8b in the case of GPT-3.5-Turbo, and Vicuna-7b in the case of GPT-4-0613. Additionally, in our response to reviewer qn1H, we report the results of the recently published method BEAST. Table 3 in the paper additionally reports results for PAIR.

Response to Q1: The method does not require gradients, but still requires the output token probabilities that are not always available for black-box LLMs, as described in line 133-136.

Response to Q2: Training time and compute requirements are already discussed in Appendix C.1, Table 3 and in Section 4. Using the hyperparameters specified in Appendix C, the AdvPrompterTrain process averages 16 hours and 12 minutes for 7B TargetLLMs, and 20 hours and 4 minutes for 13B TargetLLMs, when run on 2 NVIDIA A100 GPUs for training 10 epochs.

Response to Q3: While this would indeed be a nice addition, our goal there was to show an initial validation that AdvPrompter could be useful for improving LLM robustness. This was indeed the case when we tested it across different attack methods (e.g. ours, AutoDAN, GCG). We believe that more comprehensive evaluation of different alignment methods (e.g. DPO, SFT) and comparison with other existing defense mechanisms is beyond the scope of this paper.

Thank you for reviewing our paper and giving constructive feedback.

Response to W1: We highly disagree with the criticism brought up here. We already address in the paper that the train/test split matters a lot, which is why we also report results on the HarmBench dataset in Table 3 and Table 5 which has minimal semantic overlap between data-splits. We also specifically test the generalizability of the AdvPrompter to different TargetLLMs in section 4.2.

Response to W1.1: The method still requires access to output token probabilities, therefore when attacking commercial blackbox LLMs, it can only be used in a transfer setting. This scenario is explored in Section 4.2 and Fig. 2.

Response to W1.2: This is incorrect, we report results on HarmBench in Table 3 and Table 5.

Response to W1.3: In the results on HarmBench in Table 3 we aim to test exactly this transferability between datasets. HarmBench is specifically designed to have minimal semantic overlap between instances (between test and validation splits), therefore by training on one split (we use validation) and testing on another split we examine the transferability between datasets. And we observe that AdvPrompter preserves high transferability in this setup as well! Note that training on AdvBench and testing on HarmBench would be worse than our setup, because there is a significant semantic overlap between AdvBench and HarmBench.

Response to W1.4: We agree that the discussion can be extended here. During training, we attack with AdvPrompterOpt the Vicuna-13b TargetLLM, exploiting the white-box nature of this model by using the output token probabilities to evaluate candidate tokens (no gradients of TargetLLM are involved). After training the AdvPrompter on the training set, we auto-regressively generate multiple responses of the AdvPrompter on the test set. The instructions and corresponding responses are then tested against the blackbox TargetLLM using an API. We are happy to include this extended discussion in a revised version of the manuscript.

Response to W2: Missing comparisons to newer attacks has been a shared criticism between reviewers, therefore we now additionally report comparisons to recently published methods BEAST, TAP, PAP on a variety of settings. In the results, summarized in the tables in the responses to reviewers qn1H and QcAH, we observe very strong performance of our method even in comparison to SOTA blackbox attacks. Note that Table 3 in the paper also reports the results for PAIR.

Response to W3: Firstly, in table 2, for Mistral-7b and Vicuna-13b, the results are quite similar to previous methods, and the slightly reduced ASR in some settings can be compensated for by the lower perplexity (the trade-off is controlled by a hyperparameter). These two models are also relatively easy to jailbreak, and on the more difficult Llama2-7b we achieve a much larger ASR while having the lowest perplexity. We also observe strong results in terms of ASR and perplexity in comparison to newer blackbox-attacks, see Figure 2 in the paper and the new results in the response to reviewer QcAH.

Secondly, from an attacker perspective, ASR and perplexity are indeed the most relevant metrics. However, from the perspective of the designer of new LLMs, in a quickly shifting landscape of LLM capabilities, it is also important to quickly generate large amounts of safety fine-tuning data to account for edge cases of vulnerabilities. Our method takes a first step in exactly this direction: Scalable safety-fine-tuning data generation while re-using previously invested compute.

Lastly, even though we achieve good ASR across different settings, reaching SOTA ASR is not our main focus, instead we offer a new learning-based approach that has not been explored in this context in previous work. Even if some newer methods exist that can outperform the token-by-token-based optimizer AdvPrompterOpt in terms of ASR, we firmly believe that our general AdvPrompterTrain learning-based paradigm is still highly relevant as it can easily be extended by improving the AdvPrompterOpt with newer mutation-based techniques.

We regret to read that the reviewer is not fully satisfied with our responses in the rebuttal, but we hope to address some of the reviewer’s concerns in the remaining discussion time.

The authors failed to properly address so many of my comments

We sincerely think that we have addressed the mentioned weaknesses, especially by adding in the new experimental comparisons to other attack methods (TAP, PAP, BEAST), as well as clarifying the misunderstandings regarding the HarmBench dataset. Our paper is a sound and valid scientific exploration of the ideas and offers new insights in the space of sharing information between adversarial LLM attacks. Can you please expand more concretely on any specific outstanding concerns you have on our paper?

saying "reaching SOTA ASR is not our main focus" cannot dodge the question raised

We do not believe that we dodged your question here. In your last mentioned weakness you requested the following:

comparison to newer method might be needed, e.g., [1]

Authors might need to offer more convincing discussions why the method is favored although being lower in ASR in certain cases.

Our answer was a three-fold discussion on this topic. First we pointed out the additional comparisons to newer methods (TAP, PAP, BEAST) listed in the responses to reviewers QcAH and qn1H, stressing that the ASR of our method is mostly competitive with other methods, although it is true that it is not always at the very top in terms of ASR. Then we explained why generation speed can be equally important as ASR and perplexity, from the perspective of safety-finetuning. Finally we highlighted that introducing a new learning-based paradigm to adversarial attacks on LLMs is an important contribution in and of itself, even without always achieving SOTA ASR, as the established paradigm extends beyond the results presented in our paper, e.g. offering room for potential improvements upon the inner optimization loop that may strongly increase ASR in future extensions of this work. We believe that our answer thoroughly addresses your comment, if you still disagree could you please clarify what is missing?

Thank you for reviewing our paper and giving constructive feedback.

Response to W1: It is true that one could expect that the adversarial suffix is highly specific to the TargetLLM. However, in practice we observe that attacks are transferable to a surprisingly high degree. One hypothesis is that while the specific architecture and training procedures for various LLMs might differ, the data used for training (and specifically safety fine-tuning) is often very similar, which leads to shared vulnerabilities. Additionally, we believe that there is a distinction to be made between high- and low-perplexity adversarial suffixes. In the former case the suffix heavily exploits out-of-distribution non-human-readable text to achieve the jailbreaking behavior, in the latter the jailbreaking behavior is achieved with higher-level strategies, e.g. by convincing the TargetLLM of the non-harmfulness of the instruction using natural language. Naturally the latter approach appears much more independent of the choice of attacked TargetLLM, and this is potentially why we observe an improved transferability for our attack.

Response to W2: First, we believe that transfer-based jailbreak attacks are not automatically un-practical. For example, note that jailbreak attacks are also useful for automated red-teaming, so transferability is not a necessity for an attack to be useful in practice. Moreover, in principle, human-written jailbreaking prompts transfer very well between models because they depend on high-level strategies that generalize across different LLMs. While we don’t claim that AdvPrompter has achieved human-level performance, we have seen some examples of high-level strategies emerging (e.g. Shakespearian, virtualizing it in a game environment, etc.) so it is reasonable that AdvPromtper transfers well. To quantitatively show the competitiveness of the transfer-attack with direct blackbox attacks, we additionally report a comparison against the blackbox methods TAP and PAP, please see our response to reviewer QcAH. According to the HarmBench paper, TAP shows SOTA performance on black-box attacks against some GPT models (see Table 7 therein). In our results, we observe that AdvPrompter performs very well across settings, even outperforming the blackbox methods on both tested GPT models.

Response to W3: This is true and it is a natural drawback of the learning-based paradigm, which trades training cost for reduced inference time and potentially improved ASR by using shared information between instructions. We believe that this is a reasonable trade-off to be made. Something that we have not highlighted much in the paper but might be relevant here is that our proposed method actually allows for high flexibility in this trade-off, allowing for three possible settings:

1. Train the AdvPrompter as described in the paper and use fast auto-regressive generation at inference (this is our focus in the paper).
2. Completely ignore training and apply AdvPrompterOpt as a pure search-based method, reducing to a beam-search based variant of AutoDAN, similar to the recently proposed BEAST method.
3. Combine both, pre-training on the available data and then running AdvPrompterOpt on top at inference time.

This flexibility allows the user to customize the method to a variety of setups.

Response to Q1: If I understand correctly, what you are describing is the following two-stage approach: First create an offline dataset using the non-trained AdvPrompterOpt (meaning AdvPrompterOpt with a fixed non-trained AdvPrompter), then train the AdvPrompter on the offline dataset. This is indeed a valid option that we have also experimented with in the earlier stages of the project. This works when the attacked TargetLLM is not very safe, i.e. when the non-trained AdvPrompterOpt out-of-the-box generates jailbreaking suffixes. However, when attacking heavily safety-finetuned TargetLLMs (e.g. LLama2) AdvPrompterOpt (and also other attacks) often do not succeed in successfully jailbreaking suffixes on a large subset of the instructions. As a consequence, the resulting offline dataset is not usually sufficient to train a well-performing AdvPrompter. The natural extension of this approach is to iterate between dataset generation and training the AdvPrompter, where the dataset at each iteration gets progressively better as the AdvPrompter proposes better candidates for AdvPrompterOpt. We decided to directly take this one step further by continuously generating data for a replay buffer while updating the AdvPrompter on a running basis.

Of course, in practice one should make use of any available data, which likely involves pre-training the AdvPrompter on an available offline dataset of suffixes to warm-start it. In the spirit of the analogy above, our training method could then be seen as an online algorithm that can be employed to further improve performance after pre-training on the available offline data.