Tree of Attacks: Jailbreaking Black-Box LLMs Automatically

Thank you for your valuable feedback. We are happy that you appreciate our paper’s contribution and we take your concerns seriously. We respond to them below and will include our responses in the form of expanded discussions in the final version.

"Recent work…has shown…LLM autograders for jailbreak success…to be…problematic." We agree that LLM autograders for jailbreak success can be inaccurate and this is an important problem for the field of jailbreaking. However, at the same time, we believe this is orthogonal to the contribution of this paper as the proposed method (TAP) is compatible with any existing or future automated methods for evaluating jailbreak success.

"I don't think that what is being evaluated [in Table 8] is probably an ideal proxy for "safety"." Table 8 reports the success rate according to manual grading done by the authors. When grading, we anonymized the name of the method used to generate the jailbreak to avoid any inadvertent skew favoring our method. After this anonymization, we followed the guidelines in Wei et al. (NeurIPS, 2023) [52] to evaluate a successful jailbreak. We acknowledge that there can be many notions of safety. We would be happy to repeat this evaluation with other specific notions of safety and include a discussion on the current evaluation criteria and its limitations.

"ability to…find…novel jailbreaks seems…limited…I'd be appreciative of discussing this limitation…" Thanks, we will include a discussion on this in a limitations section in the final version.

Thank you for your feedback. We take it seriously and respond to your concerns below. We hope that based on our responses you will strengthen your support for the paper.

“format of this paper needs to be refined.” Thanks, we will refine the format.

“The success of TAP heavily depends on the choice of evaluator LLM…” Yes, the success of our method (TAP) does depend on the choice of the evaluator. However, this is not specific to our work: both Yu et al. [59] and Chao et al. [12] use LLMs to evaluate whether jailbreaking attempts were successful. Moreover, Yu et al. [59] need to fine-tune an existing model to achieve high classification accuracy and the performance of Chao et al. [12]’s method (PAIR) also depends on the choice of the evaluator LLM.

“...lower attack success rate on well aligned open-sourced model, Llama-2-7b-chat.” Yes, our method has a lower success rate on the Llama-2-7B-chat model. But this is expected as prior methods, including PAIR, also have a low success rate with Llama-2-7B-chat. One reason for this is that Llama-2-7B-chat can be overly protective: for instance, it has been observed (see Figure 5 here https://arxiv.org/pdf/2310.08419v2) that Llama-2-7B-chat refuses to respond to benign requests if they mention certain words or phrases. Further, the fact that Llama-2-7B-chat is resilient to several jailbreaking methods can be seen as a validation that its safety training is effective.

Thank you for your thorough review. We respond to your questions below and hope that you will strengthen your support for our submission.

“a typo "branching"” Thanks, we will correct this.

“attacker’s system prompt is long and carefully designed…” Yes, the attacker’s system prompt in Table 7 is long and carefully designed. It is the same prompt as used by PAIR (an existing method). We use it in our simulations to ensure that both our method and PAIR use the same system prompt. This ensures that any gains in performance compared to PAIR are due to our method and not due to the engineering of the system prompt.

“...would help if the paper includes replacing the prompt with other evaluator/attacker prompts and show some results to state the success rate comes mostly from pruning instead of prompt engineering.” That’s a great suggestion. We implemented a variant of our method that uses a simpler system prompt: this system prompt simplifies the prompt in Table 7 by removing the detailed examples. We evaluated this variant with GPT-4-Turbo as the target and, matching our other simulations, GPT-4 as the evaluator and Vicuna-13B as the attacker. We observe that this variant jailbreaks a significantly higher number of prompts than PAIR (82% vs 44%) with fewer queries (35.0 vs 47.1) even though PAIR uses a more sophisticated attacker prompt with detailed examples. We will include this result and the full text of the simpler system prompt in the final version.

“In section 6 discussion and appendix A.2…Does it suggest that the off-topic prompts get higher scores?” Yes, these results suggest that off-topic prompts can sometimes get higher scores than on-topic prompts.

“is the improvement…generated by evaluator? What's the prompts for generating these?...” Sorry for any confusion. The improvements are generated by the attacker. The attacker’s system prompt (in Table 7) is used for generating improvements. This system prompt requests the attacker to both generate an improvement and, based on the improvement, modify its previous attack.

“...How do generation constraints on the revision prompts affect jailbreak effectiveness?" That is a nice suggestion, thanks. Following the suggestion, we strengthened the generation constraints from 500 tokens per revised prompt to 250 tokens per revised prompt. We evaluated this variant–which has a stricter generation constraint–with GPT-4-Turbo as the target, GPT-4 as the evaluator, and Vicuna-13B as the attacker. It achieves a similar fraction of jailbreaks (82%) as the original implementation of our method (84%) with a similar number of average queries (24.8 compared to 22.5).

Thank you for appreciating our thorough evaluation and clear writing. We take your feedback seriously and, following your suggestion, will shorten Section 1.2 to reduce the overlap with Section 3. We answer your specific questions below and hope you continue to support the paper.

“how calibrated is the judge model compared to a human baseline?” Our judge model can indeed be miscalibrated. Unfortunately, accurately measuring the calibration seems hard as we have a small number of examples (only 50). In the spirit of comparing the judge model’s performance to a human baseline, we evaluate its false positive and false negative rates in labeling examples as jailbreaks (i.e., assigning them a score of 10): we find that its false positive and false negative rate are not too large–13% and 0% respectively (Section A.2). We will include a discussion on the potential of miscalibration and its consequences in the final version.

“how the pruning step would perform when selecting random prompts instead of those with the highest assigned score” Thanks for the suggestion. Following it, we evaluated the variant of our method where Phase 2 of pruning randomly selects $w=10$ prompts (instead of selecting the $w$ prompts with the highest score). We selected GPT-4-Turbo as the target and, matching the simulations in the paper, selected GPT4 as the evaluator and Vicuna-13B as the attacker. Surprisingly, this method only jailbreaks 62% of the prompts. The number of queries sent has a mean of 34.8 and a median of 24.5. This is significantly lower than the success rate of 84% of the standard variant of TAP (that retains the prompts $w$ with the highest scores) demonstrating that pruning based on the evaluator’s scores improves performance.

“It seems to me that the score domain is excessively granular even for a human to assign scores, so using a coarser score scale might be more effective and meaningful.” Thank you for the great suggestion. Following your suggestion, we evaluated a variant of TAP where the evaluator uses a coarser score scale, namely, binary scores. We fix GPT-4-Turbo as the target, GPT4 as the evaluator, and Vicuna-13B as the attacker. We find that this improves the success rate from 84% to 86% while sending a similar number of queries (23.4 with binary score scale vs 22.5 with finer score scale). We will include these results in the final version of the paper.

“What average is used for the number of queries in table 2? Is it the arithmetic mean? Are there many outliers? What is the median?” Yes, the average in Table 2 is the arithmetic mean. The medians of the queries are close to the arithmetic means, as shown below: