Towards Universal and Black-Box Query-Response Only Attack on LLMs with QROA

Abstract: The rapid adoption of LLMs has exposed critical security and ethical vulnerabilities, particularly their susceptibility to adversarial manipulations. This paper introduces QROA, a novel black-box jailbreak method designed to identify adversarial suffixes that can bypass LLM alignment safeguards when appended to a malicious instruction. Unlike existing suffix-based jailbreak approaches, QROA does not require access to the model's logit or any other internal information. It also eliminates reliance on human-crafted templates, operating solely through the standard query-response interface of LLMs. By framing the attack as an optimization bandit problem, QROA employs a surrogate model and token level optimization to efficiently explore suffix variations. Furthermore, we propose QROA-UNV, an extension that identifies universal adversarial suffixes for individual models, enabling one-query jailbreaks across a wide range of instructions. Testing on multiple models demonstrates Attack Success Rate (ASR) greater than 80\%. These findings highlight critical vulnerabilities, emphasize the need for advanced defenses, and contribute to the development of more robust safety evaluations for secure AI deployment. The code is made public on the following link: https://github.com/qroa/QROA

• The paper presents QROA, a novel reinforcement learning-based method that optimizes token sequences to induce harmful outputs from LLMs in a black-box setting.
• It achieved over 80% attack success rate across multiple models using a limited query budget, demonstrating its practical efficiency.
• The study highlights the need for robust alignment functions and defensive strategies to mitigate vulnerabilities in modern LLM deployments.

Towards Universal and Black-Box Query-Response Only Attack on LLMs with QROA

This paper introduces a novel approach, the Query-Response Optimization Attack (QROA), which is aimed at exploiting LLMs via a black-box query-only interaction. The method stands out for its ability to compel LLMs to generate harmful content through optimized triggers, without the need for access to the model's internal data, such as logits.

Problem Context and Motivation

The deployment of LLMs in various domains has prompted concerns about their susceptibility to "jailbreak" attacks, wherein carefully crafted inputs lead the models to produce undesirable outputs. Traditional attacks often rely on white-box knowledge, where internal model details are accessible. However, such conditions are rare in practical scenarios, necessitating the development of robust black-box methods like QROA that operate through the public-facing query-response interface.

Methodology: QROA Framework

QROA is inspired by reinforcement learning techniques, specifically deep Q-learning and Greedy Coordinate Descent, to optimize token sequences that can lead an LLM to generate harmful outputs. The key steps in the QROA process are as follows:

1. Problem Representation:
   • Define the attack as a reinforcement learning problem, where token sequences are updated iteratively to maximize a reward function tied to the generation of specific outputs by the LLM.
2. Reward Function Design:
   • The reward function evaluates the effectiveness of each adversarial prompt based on its ability to induce harmful responses from the model.
3. Token Optimization:
   • Use Q-learning algorithms to iteratively adjust tokens in the input prompt for maximizing the reward function's output.

Notably, QROA does not require pre-crafted templates or specific target outputs, enhancing its adaptability across different LLMs and attack scenarios.

Experimental Evaluation

The QROA method was tested against several prominent LLM architectures, including Vicuna, Falcon, Mistral, and the Llama2-chat. The evaluation utilized the AdvBench benchmark, targeting a range of malicious behaviors. Key results include:

• High Attack Success Rate (ASR): The attack achieved an ASR exceeding 80% across multiple LLMs, including the Llama2-chat model, which is specifically fine-tuned for robustness against jailbreak attacks.
• Efficiency with Limited Resources: The attack proved effective using a query budget of 25,000 interactions, emphasizing its practicality for real-world applications.

Comparison with Existing Methods

QROA's performance was compared against GCG (Greedy Coordinate Gradient) and PAL (a method utilizing proxy models). The results demonstrated that QROA matches or exceeds the efficacy of these methods without requiring model-specific internal data or ancillary models.

Limitations and Future Directions

Limitations:

• Dependency on Alignment Function: The success of the attack depends on the alignment function used to gauge the maliciousness of outputs, which may vary in accuracy and specificity.
• Resource Intensity: The iterative nature of the attack involves substantial computational resources.

Future Developments:

• Enhanced Surrogate Modeling: By refining the surrogate model that approximates the target LLM's behavior, the attack's efficiency could be significantly improved.
• Defensive Applications: The principles of QROA could be inverted to develop defensive mechanisms that predict and mitigate potential vulnerabilities in LLM deployments.

Conclusion

QROA showcases a practical and scalable approach to assess the robustness of LLMs against black-box adversarial attacks. Its application demonstrates the ongoing need for more sophisticated alignment and defense strategies in MLPs to ensure system integrity in sensitive and critical applications. The success of QROA also highlights potential avenues for leveraging such techniques in both auditing existing models and guiding the design of more resilient LLM frameworks.