Functional Homotopy: Smoothing Discrete Optimization via Continuous Parameters for LLM Jailbreak Attacks

We appreciate your professional review and address your concerns here:

Algorithmic Intuition, Effectiveness and Analysis

We discuss the algorithmic intuition underlying our approach in the "Algorithmic Intuition" comment. Our study is primarily an empirical methodology, drawing inspiration from homotopy optimization techniques.

Fundamentally, most token-wise optimization algorithms utilize greedy search heuristics, which form the foundation of state-of-the-art methods in this domain [1,2,5,6,9,10]. However, greedy search is susceptible to local optima entrapment in non-convex optimization landscapes.

Our FH method effectively mitigates this limitation. To substantiate our claims, we have provided additional empirical analyses showing the effectiveness of our approach in the optimization process. These findings are detailed in the "Algorithmic Intuition" comment and illustrated in Figures 7 and 8 (Appendix F) of the revised manuscript.

The theoretical analysis of optimality guarantees for our FH method presents significant challenges and extends beyond the scope of this paper, particularly considering that the underlying homotopy is constructed via model training, which is inherently difficult to analyze. Even for simpler architectures like feedforward neural networks, the underlying optimization problems are typically NP-hard, and optimization algorithms rarely offer optimality guarantees [7, 8].

Baselines and Datasets

Our evaluation employs widely recognized baselines from literature ([1, 2]). We focus on optimization-based attacks, excluding black-box methods, as our technique is designed to augment existing optimization approaches. We welcome suggestions for additional relevant baselines.

The datasets used in our benchmarks contain approximately 500 samples (AdvBench [1] and HarmBench [3]). Given that individual runtimes for each method can exceed one hour per instance on our GPUs, we selected a sample size of 200 instances to balance performance evaluation with practical time and resource constraints. This sample size is consistent with or exceeds that of similar jailbreak studies, which used 50 and 183 examples in their evaluations [6,10].

Hyperparameters and Robustness

We discuss the specific overhead requirements for our method, including storage and fine-tuning costs, in the "Hyperparameters" comment. All other parameters mentioned, have been adopted from existing literature for a fair comparison:

1. The loss threshold for our method is determined by the LLM judge's decision on jailbreak success, as described in line 404.
2. The number of random search steps is derived from the baseline methods GCG [1] and AutoDAN [2].
3. The search radius (20 tokens) is adopted from [1] which is also utilized in several other comparative studies (such as [5],[6]).

We welcome any additional questions you may have and are happy to address them. If you believe that our responses and the revisions to the manuscript have adequately addressed your concerns and enhanced its quality, we kindly request that you consider increasing the score for our paper.

References

[1] Zou et al. “Universal and Transferable Adversarial Attacks on Aligned Language Models” arXiv preprint arXiv:2307.15043 (2023)

[2] Xiaogeng Liu, Nan Xu, Muhao Chen, and Chaowei Xiao. “AutoDAN: Generating stealthy jailbreak prompts on aligned large language models. In The Twelfth International Conference on Learning Representations”, 2024a. URL https://openreview.net/forum?id=7Jwpw4qKkb.

[3] Mantas Mazeika, Long Phan, Xuwang Yin, Andy Zou, Zifan Wang, Norman Mu, Elham Sakhaee, Nathaniel Li, Steven Basart, Bo Li, et al. “Harmbench: A standardized evaluation framework for automated red teaming and robust refusal.” arXiv preprint arXiv:2402.04249, 2024.

[5] Hayase, Jonathan, et al. "Query-based adversarial prompt generation." arXiv preprint arXiv:2402.12329 (2024).

[6] Andriushchenko, Maksym, Francesco Croce, and Nicolas Flammarion. "Jailbreaking leading safety-aligned llms with simple adaptive attacks." arXiv preprint arXiv:2404.02151 (2024)

[7] Vincent Froese, Christoph Hertrich. “Training Neural Networks is NP-Hard in Fixed Dimension”. In The Thirty-seventh Conference on Neural Information Processing Systems. (2023)

[8] G. Katz, C. Barrett, D. Dill, K. Julian and M. Kochenderfer. “Reluplex: An Efficient SMT Solver for Verifying Deep Neural Networks.” Proc. 29th Int. Conf. on Computer Aided Verification (CAV). Heidelberg, Germany, July 2017.

[9] Sadasivan, Vinu Sankar, et al. "Fast Adversarial Attacks on Language Models In One GPU Minute." arXiv preprint arXiv:2402.15570 (2024).

[10] Mehrotra, Anay, et al. "Tree of attacks: Jailbreaking black-box llms automatically." arXiv preprint arXiv:2312.02119 (2023).

I appreciate the authors' rebuttal and the inclusion of additional experiments and increased my score. However, I believe some of my concerns remain unresolved. For instance, while the authors argue that greedy search is prone to local optima entrapment, the proposed FH approach lacks guarantees or comprehensive analysis demonstrating its ability to escape local minima effectively. Additionally, while the baseline is widely recognized, is it truly representative of the state-of-the-art in the literature?

We sincerely appreciate your thoughtful review and the decision to raise the score. We are grateful for your additional insights and would like to address them respectfully:

Guarantees or comprehensive analysis

The present study does not provide theoretical guarantees for the proposed algorithms, a limitation shared by existing jailbreak attack methodologies to the authors' knowledge. However, we provided a formal proof of the NP-hardness of the jailbreak attack optimization problem. This result underscores the inherent difficulty in establishing theoretical guarantees and time complexity bounds for such algorithms. Consequently, the research emphasis has been placed on empirical validation of the proposed methods' efficacy.

Hardness result

We have formally demonstrated the NP-hardness of the jailbreak attack optimization problem, as elaborated in the "NP-Hardness of Jailbreak Attacks" comment. This complexity result suggests that efficient algorithms for LLM jailbreak optimization likely require the exploitation of problem-specific structures. The proposed FH method, which leverages model fine-tuning, can be interpreted as utilizing the "alignment" property of the models. A rigorous analysis of the FH approach would necessitate an exploration of neural network structures, LLM architectures, and typical language data characteristics, pushing the boundaries of current deep learning and LLM theory. While providing theoretical analysis and guarantees presents an intriguing avenue for future research, it exceeds the scope of the current study and the relevant literature.

Preliminary empirical analysis

We have included a preliminary empirical analysis in the "Algorithmic Intuition" comment, which supports our method's assumptions and effectiveness. Our findings regarding the utility of intermediate model checkpoints in facilitating attacks on the base model have significant implications for the deep learning community and may inspire future work.

State-of-the-art baselines

For state-of-the-art baselines, we refer to the recent ICML benchmark paper [1], where Figure 5 indicates AutoDAN and GCG as the most effective attacks.

We sincerely appreciate your valuable feedback and hope that clarifications address your concerns. We remain open to any further suggestions that could enhance our work. If you find that our responses and new results have sufficiently addressed your concerns and improved its quality, we would be grateful if you would consider increasing the score for our paper. Thank you for your consideration.

References

[1] Mantas Mazeika, Long Phan, Xuwang Yin, Andy Zou, Zifan Wang, Norman Mu, Elham Sakhaee, Nathaniel Li, Steven Basart, Bo Li, et al. “Harmbench: A standardized evaluation framework for automated red teaming and robust refusal.” ICML 2024.

We appreciate your professional review and address your concerns here:

Number of Unalignment Steps

We 'unalign' the model parameters until jailbreaking occurs without input optimization, which is achieved after 500 epochs of fine-tuning for all evaluated models. However, this extensive misalignment is not essential. The FH method remains effective with fewer epochs, initiating from a more aligned model state.

Additional experiments with stronger checkpoints (i.e., models fine-tuned for fewer epochs) demonstrate that optimization still converges faster to a lower loss compared to the base GCG algorithm. Detailed results are presented in the "Hyperparameters" comment under "Robustness of Hyperparameter Tuning".

Hyperparameters and Computation Overheads

Our method incurs minimal runtime overhead when amortized across multiple inputs. The one-time fine-tuning process for each model takes approximately 20 minutes, while attacking a single input for 1000 iterations requires at least 45 minutes. When distributed across 200 inputs, the additional runtime per instance is approximately 6 seconds. Detailed individual runtimes are presented in the "Hyperparameters" comment.

Notably, even with this additional time, FH-GR often demonstrates lower overall runtime compared to baselines due to its higher ASR and earlier termination in many cases.

Notation Inconsistencies and Conciseness

We have revised the paper to make the paper more concise: we removed repeated points that appear in the introduction and main method sections. We also fixed the symbol inconsistencies of the paper.

Algorithmic Intuituion

Greedy search algorithms, including gradient descent, are generally effective for convex optimization problems due to the equivalence of local and global optima. However, they are susceptible to local optimum entrapment in non-convex scenarios. Our homotopy approach constructs a series of effective intermediate solutions converging to the original problem's solutions. We illustrate this concept through a new level-set visualization in Figure 6, Appendix E, with detailed explanations provided in the "Algorithmic Intuition" comment.

Furthermore, we present additional empirical analysis demonstrating the occurrence of local optimum entrapment and how our functional homotopy method mitigates this issue, as measured by the original optimization objective. This analysis is depicted in Figures 7 and 8 in Appendix F, with comprehensive explanations available in the "Algorithmic Intuition" comment.

Successful Attacks by FH-GR

To clarify, each bar in figure 3 represents 50 iterations of the attack. If a method succeeds in that first bar, it indicates that the base model was successfully broken within 50 iterations. We also updated the plot caption in the revised manuscript to avoid this confusion.

We welcome any additional questions you may have and are happy to address them. If you believe that our responses and the revisions to the manuscript have adequately addressed your concerns and enhanced its quality, we kindly request that you consider increasing the score for our paper.

We appreciate your positive review and address your specific concerns as follows:

1. We would like to clarify that each method runs for at most 1000 iterations for a given sample, and the individual runtimes for each method (including the check for a successful jailbreak, which happens for all methods) can be found in the "Hyperparameters" comment.

As we can see, FH-GR in fact takes the least amount of time to run. An increase in model size will increase the time taken to calculate gradients, as well as the time taken for a forward pass.

• Increased times to calculate gradients will increase the time to run GCG.
• Increased times to calculate a forward pass will affect AutoDAN more than GR or GCG, since AutoDAN generates adversarial inputs with 90 tokens on average.

In such a case, GR will have the least increase in runtimes.

2. One method to achieve this is to use jailbroken responses from another model as the target string, instead of “Sure, here is…”.

3. We present comprehensive comparisons of computational efficiency in the general response "Hyperparameters" comment. Overall, our proposed method demonstrates comparatively modest storage and computational overheads.

We welcome any additional questions you may have and are happy to address them. If you believe that our responses and the revisions to the manuscript have adequately addressed your concerns and enhanced its quality, we kindly request that you consider increasing the score for our paper.

We appreciate your thorough review and address your specific concerns as follows:

1. Lines 81-82: We have revised the manuscript as suggested.
2. Runtime Information: We have included runtime information, including overhead details, in the "Hyperparameters" comment. Notably, our homotopy method's runtime overhead is minimal compared to the computational cost of running the models for hundreds of iterations during the attack process.
3. We thank you for sharing these related works, which have been incorporated into the revised manuscript.
4. Storage Overhead: We have detailed the storage requirements in the "Hyperparameters" comment. Specifically, our method employs LoRA for fine-tuning, with each checkpoint requiring 49 MB. The maximum theoretical storage requirement is approximately 38 GB for 768 checkpoints, although in practice, we utilized significantly fewer, thereby reducing actual storage needs. For context, full model storage requirements are substantially larger: Llama-2 (13 GB), Mistral (14 GB), Vicuna (26 GB), and Llama-3 (60 GB). Thus, our method's storage overhead is comparatively modest relative to full model storage requirements.
5. We have not yet completed the benchmarking for the ablation study; however, we will promptly inform you of the results once the experiments are concluded.

We welcome any additional questions you may have and are happy to address them. If you believe that our responses and the revisions to the manuscript have adequately addressed your concerns and enhanced its quality, we kindly request that you consider increasing the score for our paper.

We extend our sincere gratitude for your score adjustment. We will include the experimental results for point 5 in our camera-ready version.

For your interest, we have obtained preliminary results (Attack Success Rates) for point 5 on FH-GCG using a microbenchmark of 50 samples. All attacks are run for 1000 iterations. These initial findings further corroborate the effectiveness of our method:

Please let us know if you have any additional questions or concerns. We are more than happy to address them.