Uncovering Model Vulnerabilities With Multi-Turn Red Teaming

Hi, thank you for the kind review and pointing out some areas for clarity within the paper. We are glad to hear that you find the quality of the dataset useful! We hope we have clarified your concerns below:

Weaknesses

1. It would have been useful to see results which have human single turn jailbreak attempts in Figure 3. At the moment, the "Human" attacks have two variables changed compared to the others: the attack source (e.g. handcrafted), and additionally have multi-turn capabilities. Hence it makes it challenging to disambiguate if the difference in performance is due to the multi-turn aspect, or if humans given enough time remain better than automated based methods at creating jailbreaks.

• We acknowledge a limitation that hinders this analysis. The instructions we gave to the red teamers did not limit the number of turns. Since we optimized under the multi-turn threat model, our human-single turn jailbreaks were too skewed to disambiguate the cause. We found 91.6% of human jailbreaks were multi-turn.

2. I am unclear as to why results against Cygent defense could not be carried out in the same setup as the original paper: the Llama model is open source, and the defense has a published paper. It would have enabled stronger reproducibility and clearer interpretation of results.

• CYGNET is not open source (in particular, the system prompt is not public), and while their paper is published we cannot reproduce critical details. We instead report the attack results from the CYGNET authors given we are using the same HarmBench framework for consistency, and we use their API for our human red teaming.

3. Releasing the non-successful jailbreak attempts as well can be beneficial as it is still a useful resource, for example as training/fine-tuning data or to carry out further analysis.

• We considered this and did look through the non-successful jailbreaks. For context, red teamers are generally free to start and restart conversations, frolicking over many attempts in 30 minutes. As you can imagine, we found the unsuccessful jailbreak attempts from this process were particularly unhelpful and noisy, and did not believe they would be a good contribution to the community. We chose to release the highest quality data, which happens to be the successful jailbreaks.

4. Although different styles of harmfulness were investigated: both "regular" harmbench style questions, but also WMDP-Bio for different attack objectives and domain performance from looking into the supplementary material it seems like just the harmbench data was released. Given the dataset is the core contribution of the paper it would have been useful to include the other domain data.

• Legal reasons: Thank you for looking through the supplementary materials! This is a deliberate choice. At the advice of our legal counsel, we cannot release any data from the WMDP-Bio jailbreaks in accordance with ITAR and EAR (see Section 7 - Ethics). We omitted certain jailbreak prompts from the HarmBench set for the same reason.

Questions

1. Are there statistics on how many red-team members there are/distributions on number of samples provided per red-team member?

• We had 13 red teamers in total. For each defense, we included at least 6 red teamers to capture a diversity of experiences. At the same time, to reduce variability in aggregate due to human skillsets (and to be fair to workload), each red teamer attempted approximately the same number of prompts.

Thank you for your clear insights within the scope of our paper! We are happy to hear that you find our contributions valuable to the community, including our open sourced dataset. We addressed your concerns below, and we are happy to continue discussing our work further in this period.

Weaknesses

1. Lack of Strong Automated Attack Baselines: Some black-box attacks, such as CodeAttack [1] and PAP [2], are not included in the experiments, despite utilizing similar “Request Framing” tactics as those in this paper. Including these baselines in future comparisons would offer a clearer perspective on the relative effectiveness of this paper's approach.

• We considered PAP, but it is a weaker attack than the PAIR and GCG attacks we already implement – Table 6 in the Appendix of HarmBench [3] demonstrates that PAIR and GCG outperform PAP-top5 on all 20 open-source, and PAIR outperforms PAP on all 8 closed-source models tested. We agree it will help completeness, but we do not think it will add value in terms of showcasing the effectiveness of our attack.
• CodeAttack is an old attack from more than 2 years ago and is not implemented within the HarmBench framework, the largest standardized collection of adversarial attacks. We do not believe that it would be strong compared to the more modern attacks we test.

2. Unclear Evaluation Metric for Model Unlearning: This paper proposes manual review to assess attack outcomes in model unlearning experiments, yet does not clearly define what constitutes a successful attack. For example, does success mean the model output includes content from the forget set? A more detailed description of the evaluation metric for model unlearning experiments would improve clarity.

• Thanks for catching this missing detail. Since WMDP-bio test split is a labeled multiple-choice dataset, we simply use the ground truth answer corresponding to each prompt to verify the attack. This is not an exact string match, but rather that the answer from a jailbroken model output semantically contains all the information in the label, as judged by a human reviewer. We will add this detail in our OpenReview submission.

[3] Mazeika, M., Phan, L., Yin, X., Zou, A., Wang, Z., Mu, N., ... & Hendrycks, D. (2024). Harmbench: A standardized evaluation framework for automated red teaming and robust refusal. arXiv preprint arXiv:2402.04249.

Hello, thank you for your review! We are glad that you find our paper to be comprehensive, dataset useful, and that this work reveals important safety vulnerabilities. We’ve addressed some of your concerns, please let us know if there’s anything else we can clarify. We look forward to a discussion with you.

Weaknesses

1. The human red-teaming was conducted only on Llama; further evaluations on other LLMs would more comprehensively illustrate the safety vulnerabilities in multi-turn conversations. Additionally, the human red-teaming data collected on Llama could potentially be used to examine safety issues in other LLMs under multi-turn scenarios.

• Our goal was to show if multi-turn attacks lead to a high ASR against the strongest defenses, which in prior work are generally implemented on Llama3-8b. We do not need to experiment on models we know are already weak to single-turn attacks (Appendix Table 6, HarmBench: https://arxiv.org/abs/2402.04249). We do not believe that evaluating MHJ on other LLMs would improve the contribution towards our goal, but we recognize that it would be scientifically interesting to try to find more human attack patterns on different models if we had additional resources.

2. A more detailed analysis of the effectiveness of different tactics could provide deeper insights into multi-turn jailbreaks.

• We acknowledge this as a limitation. The analysis is brief for two reasons: (1) We do not exhaustively try all possible tactics (infeasible), instead we have red teamers freely try tactics until one works and stop when a jailbreak is successful. (2) The tactics are not rigid, but rather self-reported clusters by the red teamers. Hence, the diverse nature of the attack, even within a tactic, makes it very difficult to generalize patterns. Based on our interactions with the red teamers, we believe the fundamental tactic is adaptability of human red teamers, rather than the specific tactic they first used. Instead of an unclear summarization, we decided to open-source the full with the hope to inspire others in the community to find patterns and build stronger attacks and defenses._

Questions None from reviewer.

Hi, thank you for your review! We wanted to clarify our choices. In short, our choice of attacks were aimed at being consistent with prior work, while choosing some of the strongest defenses we could find. We look forward to a fruitful discussion, please let us know if you have any additional questions.

Weaknesses

1. Only the Llama3-8b-Instruct model was used for evaluation. Other models, especially the stronger ones should have been included.

• Consistency with prior work: The defenses we evaluated were all implemented on the 8b version of Llama. We made this choice to be consistent with prior baselines. In particular, CYGNET, which is closed source, only existed in the Llama-3-8b form at the time of our experiments.
• Stronger models: We focus on defenses (models with enhanced guardrails), which when implemented on Llama-3-8b is already incredibly robust against single-turn attacks. Stronger capability should not be confused with robustness. Our task is more difficult, for example, CYGNET has a 0% ASR on all the automated attacks tested. We also detail in the question section below that larger models such as ChatGPT are not necessarily more robust, as prior work in the field discovered.

2. The chosen baselines and the multi-turn-human-jailbreak approach are different from each other in many ways, such as timing, budget, etc. Seems like the MHJ attack is a soft-constrained version of attacks.

• We acknowledge the difference: We do not claim that MHJ is analogous in time or computational budget. In fact, MHJ may be orders of magnitude more expensive. Our goal is to demonstrate a jailbreak that worked, where prior automated attacks would not scale even with more budget.
• Automated attacks don’t scale: At least, it is unclear how to scale automated attacks. For example, we empirically found if GCG does not successfully jailbreak in the first 1000 steps, 10x more optimization steps will not give a jailbreak (imagine a loss curve that has converged and cannot go further down). Hence, we did not believe it was a meaningful use of resources to do budget-inflated experiments with automated attacks.
• We are unsure to understand the meaning of “soft-constrained” attacks. Can you clarify this? We give our human red teamers limited access via a chat interface, but unlimited freedom in terms of attack strategy, rather than the highly constrained search spaces of automated attacks.

3. Authors admit that “the skill and experience of individual red teamers may vary”. In that case, how can researchers compare their defense against human-based attacks in the common ground? What would be the baseline of a red-teamer’s skill and experience? This is one of the reasons for using automated attacks for evaluation to this date.

• Fundamental limitation of human studies: Human variance is a limitation in any study, we cannot guarantee people are uniform. The text “the skill and experience of individual red teamers may vary” was exactly meant to remind this to readers and highlight that this study might suffer from these drawbacks by construction. In this context, human variance might reduce exact reproducibility of the experiments but it won’t invalidate the soundness of our results. We stress that in jailbreaking studies, one configuration (in this case the slice of the population) breaking the model is typically enough to consider the attack valid. Especially if the configuration, despite these limitations, achieves a 70% ASR on CYGNET, a model where prior automated attacks achieve 0%.
• Reducing human variance: Our red teamers are all experienced employees with standardized training, who have red teamed many commercial frontier language models. Each defense is assigned 6 distinct red teamers in the pipeline, and each human is assigned to attempt jailbreaking approximately the same number of prompts to reduce the effect of human variance. We acknowledge that the proprietary nature of their training creates barriers to reproducing our work, hence we release the dataset of jailbreaks publicly to inspire more work in this area.