Bag of Tricks: Benchmarking of Jailbreak Attacks on LLMs
AI Thrust, The Hong Kong University of Science and Technology (Guangzhou)
arXiv:2406.09324 [cs.CR], (13 Jun 2024)
@misc{xu2024bag,
title={Bag of Tricks: Benchmarking of Jailbreak Attacks on LLMs},
author={Zhao Xu and Fan Liu and Hao Liu},
year={2024},
eprint={2406.09324},
archivePrefix={arXiv},
primaryClass={id=’cs.CR’ full_name=’Cryptography and Security’ is_active=True alt_name=None in_archive=’cs’ is_general=False description=’Covers all areas of cryptography and security including authentication, public key cryptosytems, proof-carrying code, etc. Roughly includes material in ACM Subject Classes D.4.6 and E.3.’}
}
Although Large Language Models (LLMs) have demonstrated significant capabilities in executing complex tasks in a zero-shot manner, they are susceptible to jailbreak attacks and can be manipulated to produce harmful outputs. Recently, a growing body of research has categorized jailbreak attacks into token-level and prompt-level attacks. However, previous work primarily overlooks the diverse key factors of jailbreak attacks, with most studies concentrating on LLM vulnerabilities and lacking exploration of defense-enhanced LLMs. To address these issues, we evaluate the impact of various attack settings on LLM performance and provide a baseline benchmark for jailbreak attacks, encouraging the adoption of a standardized evaluation framework. Specifically, we evaluate the eight key factors of implementing jailbreak attacks on LLMs from both target-level and attack-level perspectives. We further conduct seven representative jailbreak attacks on six defense methods across two widely used datasets, encompassing approximately 320 experiments with about 50,000 GPU hours on A800-80G. Our experimental results highlight the need for standardized benchmarking to evaluate these attacks on defense-enhanced LLMs. Our code is available.
June 16, 2024 by hgpu