AttnGCG: Enhancing Jailbreaking Attacks on LLMs with Attention Manipulation

• Limited Novelty: The primary contribution is the addition of attention scores to the existing GCG algorithm. This is an incremental improvement rather than a fundamentally new approach, since there are already paper that have suggested incorporating attentions cores to the loss function including https://arxiv.org/pdf/2001.06325, https://aclanthology.org/2023.findings-emnlp.716.pdf and more. The paper does not sufficiently demonstrate how this modification offers a significant advancement over existing methods.

• Marginal Improvements: The empirical results show only slight enhancements in attack effectiveness compared to the original GCG algorithm. The performance gains may not be substantial enough to warrant publication, especially considering the added complexity.

• Unrealistic Experimental Settings: The experiments are conducted with a temperature setting of zero, resulting in deterministic outputs from the LLM. In practical applications, models often operate with higher temperatures to allow for more diverse and creative responses. Using a temperature of zero may limit the generalizability of the results to real-world scenarios.

• The paper focuses on the development and success of the adversarial attack technique without sufficiently exploring how such attacks can be mitigated or defended against. This leaves a gap in the practical applicability of the research, as understanding potential defenses is crucial to improving model robustness in real-world scenarios.
• As discussed in the limitation part, the AttenGCG failed to jailbreak the latest LLM like GPT-4o. The low transferability of GCG and AttenGCG shows the low risk of the reveal flaw.
• The AttnGCG still relies on exclusive optimization on white-box LLM. Excessive resource requirements could also act as a defense method. It would be more attractive to manipulate the attention matrix directly to jailbreak the LLM.

1. The improvements of AttnGCG over GCG are relatively limited: The experimental results indicate that the performance gains of AttnGCG over GCG are under 10% in most cases.

2. Limitations of baseline comparisons: The experiments only compare AttnGCG with GCG. To strengthen the paper's credibility, it would be beneficial for the authors to include comparisons with other existing jailbreak attack methods, such as AutoDAN [1], COLD-Attack [2], AdvPrompter [3], and AmpleGCG [4]. This would help position AttnGCG's relative advantages and uniqueness within the current research landscape.

3. Lack of evaluation under safety system prompts: The experiments focus solely on the attack efficacy without considering scenarios where safety system prompts are in use. To validate the real-world applicability of AttnGCG, testing its performance with active safety system prompts, especially in comparison with methods from [5,6,7], would help determine if it maintains or improves upon the advantages over GCG under enhanced security measures.

4. Applicability to the latest models: Although the paper mentions that AttnGCG is less effective on the latest models (e.g., Gemini-1.5-Pro-latest and GPT-4o), there is no in-depth analysis or discussion provided. More research and data are needed to explore potential improvements or strategies to address these limitations, ensuring better applicability and robustness in future versions.

[1] Liu X, Xu N, Chen M, et al. Autodan: Generating stealthy jailbreak prompts on aligned large language models[J]. arXiv preprint arXiv:2310.04451, 2023.

[2] Guo X, Yu F, Zhang H, et al. Cold-attack: Jailbreaking llms with stealthiness and controllability[J]. arXiv preprint arXiv:2402.08679, 2024.

[3] Paulus A, Zharmagambetov A, Guo C, et al. Advprompter: Fast adaptive adversarial prompting for llms[J]. arXiv preprint arXiv:2404.16873, 2024.

[4] Liao Z, Sun H. Amplegcg: Learning a universal and transferable generative model of adversarial suffixes for jailbreaking both open and closed llms[J]. arXiv preprint arXiv:2404.07921, 2024.

[5] Xie Y, Yi J, Shao J, et al. Defending chatgpt against jailbreak attack via self-reminders[J]. Nature Machine Intelligence, 2023, 5(12): 1486-1496.

[6] Zhang Z, Yang J, Ke P, et al. Defending large language models against jailbreaking attacks through goal prioritization[J]. arXiv preprint arXiv:2311.09096, 2023.

[7] Zhou Y, Han Y, Zhuang H, et al. Defending jailbreak prompts via in-context adversarial game[J]. arXiv preprint arXiv:2402.13148, 2024.

1. The choice to target optimization-based jailbreak attacks raises questions, as this type often does not achieve higher success rates compared to alternatives (e.g., LLM-aided jailbreaking) and is more susceptible to defenses (e.g., simple perplexity analysis can defend against this type of attacks).
2. The introduction references multiple figures, some of which appear on subsequent pages, disrupting the flow of reading and comprehension.
3. The evaluation primarily compares against the GCG attack, which is relatively outdated. To substantiate the effectiveness of their approach, the authors should include comparisons with more recent state-of-the-art methods.
4. The paper lacks a thorough analysis of existing literature that also utilizes the attention mechanism in transformer models for attack purposes. This oversight diminishes the contextual understanding of their contributions.
5. The decision to use only 100 harmful questions from AdvBench, rather than the complete dataset of 520 prompts, raises questions about the representativeness and robustness of their findings.
6. While the paper notes that outputs generated by GCG do not necessarily constitute valid jailbreak attacks—even with a high probability of harmful tokens (lines 50-53)—it fails to propose a solution to this issue. Furthermore, reliance on GPT-4 for output evaluation is not a novel contribution, as it is commonly used in other studies. Additionally, Table 1 indicates that jailbreak suffixes generated by AttnGCG also exhibit significant false positives in terms of jailbreak classification.