Automated Red Teaming with GOAT: the Generative Offensive Agent Tester

While this paper is useful, I think it misses an important opportunity to help develop community norms or guide research on multi-turn jailbreaks. This miss is amplified by the fact that this paper appears one of the first automated multi-turn jailbreaking methods. Concretely, the paper:

• Lacks conceptual insights. I gained almost no additional information from reading the paper compared to reading only the abstract + Figure 1. Specifically, I recommend
  • Explore the design space of multi-turn jailbreaking agents by ablating different components of the agent. While the authors do not need to incorporate all of following suggestions, I think exploring a few of these design decisions could make the paper much more informative for future work. I've italicized the top three imo:
    • How much does the reasoning part of the prompt help? Can you ablate this part of the prompt?
    • Does using a stronger LLM improve ASR?
    • What is the impact of training data on the attacker LLM?
    • Is the attacker LLM still able to succeed with fewer jailbreaks?
    • How does the ASR scale with number of jailbreakers?
    • Are there some jailbreaks that are more important s.t. removing them dramatically reduces performance?
    • Does passing evaluation of success to an external judge help (at the expense of more API calls)?
    • Is it possible to have the attacker LLM be a heavily safety-trained model?
    • Does increasing the diversity of initial strategies tried by the LLM improve the ASR?
  • Explore the realism of the data generated by GOAT. Understanding the following questions would help understand the qualitative nature of the method more precisely:
    • Given the human-written distribution of mutli-turn jailbreaks in [1], how similar are the jailbreaks generated by GOAT?
    • Could training to refuse the jailbreaks from GOAT serve as a defense method against human jailbreaks?
    • Is it possible to make GOAT attacks match the distribution of human attacks?
• Has weak empirical rigor. I think some of the experiments / writing could be clarified, and I hope the authors will address this. In particular,
  • What exactly is the attacker LLM? How was it trained? The paragraph from L296-304 is extremely vague.
  • Does GOAT work with other attacker LLMs? Can I just feed the attacker prompt directly into GPT-4o or Claude-3.5-Sonnet and have it act as my attacker LLM?
  • GOAT appears to be plateauing at a faster rate than Crescendo. Will the two ASRs @ 10 match with enough turns? What does the graph looks like with 10 turns of dialog?
• Lacks originality. This is mostly tied to the first weakness, so I think this is more of a minor issue. Given that there aren't many scientific insights in the paper, I feel like the paper itself isn't very novel. In particular, it feels like a multi-turn agent with CoT prompting applied to jailbreaks. Although I think prompting is very valuable, there doesn't seem to be any particularly new ideas in this paper. It would be cool if the authors could consider implementing an additional 'feedback stage' to see if the agent could generate its own jailbreaks given examples of previously failed trajectories / strategies.

I'm willing to adjust my score to a 6 if some of the weaknesses are addressed, especially the lack of empirical rigor.

[1] Li, Nathaniel, et al. "Llm defenses are not robust to multi-turn human jailbreaks yet." arXiv preprint arXiv:2408.15221 (2024).

• The proposed algorithm is limited to "conversational" jailbreak prompts. While it offers a significant degree of automation and value to current model red-teaming, this attack approach might be easier defended against with more advances in safety training. Also, it is unclear if the proposed algorithm can be used to discover novel attacks. For example, would it work to ask the attack model to evaluate previous conversations and come up with a novel attack?

• The authors state that the paper's goal is not to compare models comprehensively; they only want to focus on a prominent model family for open-source and closed models. However, I think the results of this work could be significantly strengthened by adding more capable models in the chosen families (GPT-4o, or larger than 8B Llamas) and, ideally, adding a third model family like Claude or Gemini.

• The described methodology/experimental setup is vague on what LM was used for the attacker model. It is only described as a "generic helpful-only language model" and that it was "exposed" to numerous samples of being overcompliant instead of replying safely. The vagueness used to describe the model limits reproducibility. The contribution of this work to the ICLR community would be improved by either clearly stating how this model was created (base model, number of parameters, training data, fine-tuning data, ...) or at least stating some information that can be used to estimate the model capability (number of parameters and benchmark performance) necessary for the proposed algorithm to work and acknowledging that it is a proprietary model.

• The line widths, axis labels, axis ticks, plot legend, and plot titles are too small and unreadable in Figure 3. In addition, the font in Figure 1 is also small and hard to read.

• Evaluation only considers two model families (llama and gpt) and one baseline. Claude should be tested, as it is the most adversarially robust model. While I understand the lack of multi-turn baselines, it is possible to convert single-turn baselines such as PAIR to multi-turn by applying the attack multiple times.
• Limited analysis of why certain attack combinations work better than others - more insight into patterns of successful attack sequences would be valuable
• No evaluation or discussion of defenses [1,2]. To my knowledge all defenses were proposed for single-turn settings, would they still be effective in this setting?

[1] Robey, A., Wong, E., Hassani, H., & Pappas, G.J. (2023). SmoothLLM: Defending Large Language Models Against Jailbreaking Attacks. ArXiv, abs/2310.03684. [2] Zhou, A., Li, B., & Wang, H. (2024). Robust Prompt Optimization for Defending Language Models Against Jailbreaking Attacks. ArXiv, abs/2401.17263.

• The method does not introduce particularly novel insights; the concept of multi-turn adversarial interaction has been explored in previous works.
• The paper primarily compares GOAT to only one existing method, Crescendo, without assessing its performance against other red-teaming or adversarial attack approaches.
• The paper mentions limitations of the attacker model’s capabilities, such as context window length and prompt-following strength, but it lacks empirical analysis of how these factors impact GOAT’s performance.

1. The paper didn't mention which specific large language model (LLM) was used as the attacker in the GOAT framework.

2. The maximum number of conversation turns was capped at five due to context window limitations. This constraint might impact the effectiveness of certain attack strategies and limits the scope of adversarial escalation in longer dialogues.