AmpleGCG: Learning a Universal and Transferable Generative Model of Adversarial Suffixes for Jailbreaking Both Open and Closed LLMs

Thanks for recognizing the fast speed, high ASR, and high transferability of AmpleGCG and its potential to inspire future work.

[W1 Loss is not the best metric, but does not provide a solution] Although we don’t directly propose a superior reference, we introduce the simple Augmented-GCG method to retain all candidates, which avoids the exposure bias issue and uncovers many previously overlooked successful suffixes. The discovery of exposure bias would benefit future works on better metrics.

[W1 Iteration with the lowest loss] While low loss doesn’t guarantee success, it increases the likelihood of jailbreaking (Fig1; lower loss values, more number of red (successful) points). Thus, we use the lowest loss for optimization, encouraging more low-loss candidates. We admit that we can identify successful suffixes at each step and use only those for further optimization. However, this approach has two potential drawbacks:

1. It requires interleaving optimization and evaluation, which is more time-consuming and inconvenient compared to using the lowest loss throughout the optimization and evaluating all candidates at once.
2. High-loss but successful suffixes as anchor points might not effectively explore low-loss regions, which are more likely to succeed in jailbreaking and enhancing dataset diversity for AmpleGCG.

[W2 using string-based evaluator] We actually used additional model-based evaluators (95% human agreement) to enhance the evaluation validity (Sec.3). Besides, we incorporated GPT-4 to assess harmfulness, along with human evaluations to verify results for transferring to GPT-series models. (Sec.4)

[W2 low ASR for GPT-4] We admit the relatively low ASR on GPT4 but AmpleGCG still outperforms baselines, demonstrating its effectiveness. We plan to use stronger filters during data collection to reduce false positives in training data, which we believe will improve ASR.

[W3 Low “efficiency” of tricks AmpleGCG applies] This seems to be a typo. We assume the reviewer meant “effectiveness” and please kindly follow up if not. Though our tricks reduce ASR from 93% to 80% with 100 samples in Table 11, they still outperform AutoDAN (with natural adv prompts).

If sampling 400 times, our AmpleGCG Input Direct (AID) method can achieve 98% ASR with nearly no degeneration, which we’ll add to the updated draft.

Hopefully, we’ve addressed your concerns. Please kindly let us know if you have more questions or suggestions!

We are grateful that the reviewer finds our work “timely and impactful,” recognizes the “significant” loss issue in GCG optimization that we discovered, and the “simple yet effective” approach we proposed.

[W1:Making claims about generalizability more convincing] We agree that including more open and closed models would make the results more convincing. However, due to limited computational resources and API budget, we mainly followed the GCG paper to design our experiments. To alleviate your concerns, we’d like to gently note:

1. Despite similar pretraining and architecture, Llama2 (we used the -chat version) and Vicuna behave differently when handling harmful queries. Table 9 shows that AmpleGCG, trained on Llama2, transfers to Vicuna but not vice versa, due to their distinct fine-tuning stages. However, both could transfer to Mistral-Instruct, an aligned model with distinct architecture and pretraining process.

2. Regarding the observation about the loss (Sec 3.1), we also conducted experiments on Mistral-Instruct (same setting as in App.M). For 5 examples with relatively low loss but unable to jailbreak, the first target token’s rank averaged 3.7, while subsequent tokens ranked 0 across examples.

These results suggest that the observed loss issue and transferability results are not limited to Llama2 and Vicuna or simply due to shared pretraining or architecture.

[W2 Clarity] Thank you for pointing out the clarity issues and we will address them accordingly.

[W3 Perplexity Defense] To clarify, we didn’t claim our techniques/tricks for bypassing perplexity (ppl) defense as a significant contribution. Since ppl defense is the most effective method for gibberish prompts (more details in W2 to reviewer yfe5), we show that it is possible to bypass them with our proposed tricks, and hence gibberish adversarial suffixes are still real concerns. Therefore, our AmpleGCG is highly needed to red-team an LLM efficiently.

[Q1 Diversity data from running multiple times] We appreciate the suggestion to generate more diverse suffixes in multiple short runs. We gently note that running GCG for fewer steps would possibly miss those successful suffixes that are produced by later steps, which might be a concern. That said, we’d like to try your suggestion in our future work.

[Q2 Human annotation] Two annotators performed the manual inspection and we only consider the attack successful if both treat the response as harmful.

We appreciate that you recognize our work “introduces a novel generative model for adversarial suffixes”, achieves “impressive ASR” and “strong transferability” across different models, and provides “thorough experimental results”. Thanks for highlighting “generating a large number of adversarial suffixes quickly” as a “significant improvement over previous methods”.

[W1 and Q1 Ethical implications and measures to mitigate potential misuse] We agree that ethical considerations and the prevention of potential misuse are important. To address this concern, we have included an Ethics Statement (page 10), in accordance with the COLM code of ethics. Additionally, our method would be just one of the resources available online such as GCG[3] for attack research, and won’t introduce new ethical concerns. We will provide gated access only to identified organizations/individuals who agree to licenses for ethical research purposes only, to avoid aiding malicious actors. We want to highlight that the goal of this research/tool is to help the community better understand the risks and build more effective defenses. Thus, we believe the overall benefits outweigh the potential downsides.

[W2 Perplexity-based defense only] Perplexity (ppl) defense is the most effective defense method against gibberish texts, as shown in [1]. Moreover, other methods, such as paraphrasing and retokenization, offer only partial defense towards gibberish suffixes and would compromise the benign performance. Given that, we spent efforts developing methods to bypass the ppl defense and leave other defense approaches to future study.

[Q2 Types of queries] We use all 100 examples from MaliciousInstruct and randomly select 100 examples from AdvBench that were not involved in the training process of AmpleGCG. Topic-wise, MaliciousInstruct (Sec.3 in [2]) covers different types of topics compared to categories in AdvBench (Sec.3 in [3]). In terms of format, queries in AdvBench are declarative, while examples in MaliciousInstruct all end with a question mark. Two types of differences together support MaliciousIntruct as a testbed for OOD generalization of AmpleGCG.

[1] Jain, Neel, et al. "Baseline defenses for adversarial attacks against aligned language models." (2023).

[2] Huang, Yangsibo, et al. "Catastrophic jailbreak of open-source llms via exploiting generation." (2023).

[3] Zou, Andy, et al. "Universal and transferable adversarial attacks on aligned language models." (2023).