AutoDAN: Interpretable Gradient-Based Adversarial Attacks on Large Language Models

We thank the reviewer for the encouraging feedback (and the wrongful conviction metaphor)!

1. Limited dataset: None that I can see as such. Perhaps the use of a single dataset, but it covers a variety of behaviours.

In practice, we find the evaluation bottleneck often lies more in determining whether an attack is successful based on the prompt and the model response. Such evaluation can be inherently ambiguous (Appendix C.1). For example, should it be considered a successful attack if the model provides harmful information in a fictitious scenario like GTA, which however could be directly applicable in the real world? We attempt to manually determine jailbreak success in this paper, while future dataset initiatives might provide automatic test suites accompanying the harmful promtps for robust benchmarking.

2. Typo: I believe there’s a spurious minus sign in front of the gradient in Algorithm 1.

This is indeed a typo. We will remove it in the next version. Thank you for pointing it out!

1. Computational complexity

The computational complexity analysis in Appendix D.3 and Figure 13 show that our method requires a similar amount of time to reach peak attack success rates as GCG. We will make this more explicit in the next version.

Although our algorithm includes a double loop, the inner loop only requires up to four iterations. This is because the coherent candidate tokens often only comprise a small subset of the vocabulary, and we only need to explore this subset.

Also, techniques like the tree attention in Medusa [1] could potentially accelerate our algorithm: the sequences in our batched forward pass differ only at the last token, so we can concatenate these differing tokens into one sequence for the forward pass and decode using an attention mask.

[1] Cai, Tianle, et al. "Medusa: Simple llm inference acceleration framework with multiple decoding heads." arXiv 2401.10774.

2. Novelty

We agree that adding some "score" to the vocabulary for auto-regressive generation is a common idea in controllable text generation (and fields like watermarking). However, this general idea only works on some tasks, where the added "score" has to be "decomposable" so as to be dense and informative enough to guide the decoding process (similar to reward shaping in RL). Our contribution here is to show that the jailbreak objective, which is the likelihood of the target LLM outputting refusal, is "decomposable" in its log form and can guide the decoding to generate strategic attack prompts. Another key contribution we make here is using gradient-based double loops to evaluate the scores effectively.

3. Hyperparameter sensitivity

In our experiments, we used a fixed weight of 100 for all models except for Llama2 (which reqires a larger weight of 150). In our hyperparameter analysis in Appendix D.4, we show that the choice of the weight has a large "sweet spot" that generates strategic attack prompts. To apply our method for to open-source LLMs, we suggest doing a few validation runs to find the optimal range for the weight.

4. More baseline

We only compared performance with methods that do not require task-specific domain knowledge, as these are the only methods applicable to two new tasks: generating false refusal prompts and prompt leaking. We plan to incorporate our work into a public benchmarking project to compare with more methods under consistent evaluation conditions. Thank you for pointing this out!

1. More baselines: AutoDAN is an optimization based on GCG, so the comparison experiment with GCG is reasonable. However, this method still needs to be compared with other Jailbreaking attack algorithms to prove its superiority, like PAIR: Jailbreaking Black Box Large Language Models in Twenty Queries or MasterKey: Automated Jailbreak Across Multiple Large Language Model Chatbots.

Thank you for pointing this out! There is significant variation in evaluation methods across papers, so direct numerical comparisons may not be fair. We are working on submitting our code to a public benchmarking project to enable comparisons under a standardized evaluation method.

In our manuscript, we only compared performance with methods that do not require prior knowledge of the task. These methods are applicable to additional tasks we designed: generating false refusal prompts and prompt leaking.

Compared to PAIR based on reported results, our work achieves a similar (Vicuna 7B) or higher (llama2 7B) attack success rates on open-source LLMs. However, when using Vicuna 7B as the proxy LLM to transfer-attack proprietary LLMs like GPT-4, our attack success rate is lower than PAIR. Empirically, this discrepancy arises because the prompts our method generated with Vicuna 7B exhibit strategies like role-playing, low-resource languages, and detailed instructions, while proprietary models like GPT-4 are primarily vulnerable to role-playing style attacks that PAIR exploits. In future work, we aim to explore what attack strategies a more advanced white-box LLM like llama-3 will exhibit.

2. Controlling suffix length in comparison: In contrast to algorithms that optimize fixed-length tokens, AutoDAN continuously generates and iterates the next token from left to right. This paper needs to highlight the performance comparison under different token limitations and the performance of long text.

In this paper, we chose a fixed suffix length of 20 for GCG, as we observed no significant differences in both the attack success rate and perplexity when the length ranged between 20 and 50, which aligns with the typical length range for our method (Figure 14). However, exploring the behavior of extremely long suffixes in future work would be interesting, especially considering recent advances in long-context jailbreak. Thank you for raising this point!

1. Meaning of interpretability: The work claims "interpretability" ...

By "interpretable" we mean the generated prompts are not only fluent but also showcase some explainable jailbreak strategies used in manual jailbreak attacks. The term "interpretable" is also used to convey the same meaning in some other jailbreak works, such as PAIR[1].

Nevertheless, we agree that "interpretable" is an overloaded term. It is more commonly used in domains like mechanistic understanding of LLMs. To avoid confusion, we will divide this term into "fluent" and "strategic". Thank you for pointing this out!

2. Discussion of the other AutoDAN: The paper misses important discussion ...

Due to space limits, we deferred the discussion of this work and many other concurrent works to Appendix A. We will mention this discussion more explicitly in the main text, and apologize for this layout. Please refer to the second to last paragraph on page 16: ". Lapid et al. (2023); Yu et al. (2023); Liu et al. (2023a) use the genetic algorithm to design black-box attacks that can generate readable prompts...".

As you mentioned, the other AutoDAN paper is an important work that shows how maintaining multiple sequences and doing block updates can significantly improve generation quality. We believe our work complements that work, and the two together can help people understand what matters for efficiently generating fluent jailbreak prompts.

3. Complexity comparison: The method proposes double-loop optimization ...

Again, due to space limits, we deferred the analysis of computational complexity to Appendix D.3 and Figure 13. We will mention this more explicitly in the main text. Thank you for raising this point!

In short, AutoDAN takes a similar amount of time as GCG to achieve the highest attack success rate (around 200 steps). Moreover, the tree attention in Medusa [2] has the potential to greatly accelerate our algorithm (since our batch-forward-passed sequences only differ in the last token, we can concatenate these different tokens into a single sequence for forward pass and decode using an attention mask). We plan to implement this technique in future work.

[1] Chao, Patrick, et al. "Jailbreaking black box large language models in twenty queries." arXiv 2310.08419.

[2] Cai, Tianle, et al. "Medusa: Simple llm inference acceleration framework with multiple decoding heads." arXiv 2401.10774.