Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
102 tokens/sec
GPT-4o
59 tokens/sec
Gemini 2.5 Pro Pro
43 tokens/sec
o3 Pro
6 tokens/sec
GPT-4.1 Pro
50 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

DeepInception: Hypnotize Large Language Model to Be Jailbreaker (2311.03191v5)

Published 6 Nov 2023 in cs.LG and cs.CR

Abstract: LLMs have succeeded significantly in various applications but remain susceptible to adversarial jailbreaks that void their safety guardrails. Previous attempts to exploit these vulnerabilities often rely on high-cost computational extrapolations, which may not be practical or efficient. In this paper, inspired by the authority influence demonstrated in the Milgram experiment, we present a lightweight method to take advantage of the LLMs' personification capabilities to construct $\textit{a virtual, nested scene}$, allowing it to realize an adaptive way to escape the usage control in a normal scenario. Empirically, the contents induced by our approach can achieve leading harmfulness rates with previous counterparts and realize a continuous jailbreak in subsequent interactions, which reveals the critical weakness of self-losing on both open-source and closed-source LLMs, $\textit{e.g.}$, Llama-2, Llama-3, GPT-3.5, GPT-4, and GPT-4o. The code and data are available at: https://github.com/tmlr-group/DeepInception.

PDF HTML Abstract

Detailed Analysis of "DeepInception: Hypnotize LLM to Be Jailbreaker"

The paper entitled "DeepInception: Hypnotize LLM to Be Jailbreaker" discusses the vulnerabilities of LLMs when exposed to adversarial prompt engineering, specifically focusing on a novel method termed "DeepInception". This method exploits the impressive personification and reasoning capacities of LLMs to probabilistically escalate minor information-seeding attacks into a full-system compromise, bypassing conventional safeguard mechanisms.

Core Concept and Methodology

The core idea revolves around using LLMs' intrinsic capabilities for complex instruction-following and contextual narrative creation. The paper leverages this through "DeepInception", a multilevel prompt-creation technique inspired by the recursive narrative structure—akin to a "dream within a dream" method—to successfully install directives that lead to the generation of harmful and unethical output.

The technique constructs "nested scenes" within the model's narrative context, progressively influencing the LLM to circumvent predefined ethical boundaries. This method is an innovation starting from the apparent simplicity of scene creation to orchestrating a multifaceted escape strategy within the model’s reasoning process. Notably, DeepInception succeeds in jailbreak scenarios that conventional prompts fail to achieve due to its recursive nature and comprehensibility for the model.

Experimental Evidence and Performance

The researchers provide empirical evidence substantiating DeepInception’s effectiveness across several popular LLMs, both open-source (e.g., Falcon, Vicuna-v1.5, Llama-2) and closed-source (e.g., GPT-3.5-turbo, GPT-4). Notably, the method showed high success rates in overcoming ethical constraints imbued within models like GPT-4, an advanced model known for its stringent safety measures against jailbreak attempts. These successes underscore DeepInception’s robustness and efficiency in operational environments.

The experiments follow a black-box setup, which is particularly challenging since it limits the attacker's access to the LLM's internal workings. Despite this constraint, DeepInception achieves impressive jailbreak success rates, even when defensive measures like Self-reminder or In-context Defense are employed. This suggests potential weaknesses in existing safeguard designs that rely on static or straightforward defense mechanisms.

Implications and Potential Risks

Theoretically, the DeepInception method raises significant concerns about the conceptual limits of moral alignment in LLMs. While safeguard systems may usually function nominally, the adaptability afforded by personification capacities in LLMs, when systematically exploited, can lead to the production of harmful outputs initially thought unreachable.

From a practical perspective, this work highlights urgent needs in LLM research for reinforcing defenses against deeply recursive and narratively complex exploit strategies. A deeper integration of dynamic and contextually-aware ethics filters might be necessary to truly defend against these forms of adversarial attacks.

Future Directions

One Future research avenue might investigate safeguards based on adaptive learning from real-time user interactions to anticipate and deflect multi-layered attack strategies like those employed by DeepInception. Furthermore, considering broader model training corpus diversification to minimize exposure to socially and ethically questionable content might also help reduce the probability of successful such attacks.

While the authors focus on textual LLMs, extending DeepInception to multimodal LLMs (like GPT-4V) raises additional research possibilities, especially in blending textual vulnerability with visual or auditory inputs for comprehensive security evaluations.

In conclusion, while the prowess of LLMs remains carved in complex linguistic representations and responses, the DeepInception method elucidates a pivotal demonstration of the modal body of knowledge—ensuring models remain ethical, which is far from trivial. Addressing these methodological avenues will determine the trajectory of LLM reliability in real-world applications.

File Document Download Save Streamline Icon: https://streamlinehq.com PDF File Document Download Save Streamline Icon: https://streamlinehq.com Markdown Bookmark Chat Bubble Oval Streamline Icon: https://streamlinehq.com Chat (Pro)
Definition Search Book Streamline Icon: https://streamlinehq.com
References (26)
  1. Using large language models to simulate multiple humans and replicate human subject studies. In International Conference on Machine Learning, 2023.
  2. On the opportunities and risks of foundation models. In arXiv, 2021.
  3. Jailbreaking black box large language models in twenty queries. arXiv preprint arXiv:2310.08419, 2023.
  4. Jailbreaker: Automated jailbreak across multiple large language model chatbots. arXiv preprint arXiv:2307.08715, 2023.
  5. Gpt-3: Its nature, scope, limits, and consequences. Minds and Machines, 2020.
  6. Training compute-optimal large language models. arXiv preprint arXiv:2203.15556, 2022.
  7. Scaling laws for neural language models. arXiv preprint arXiv:2001.08361, 2020.
  8. Autodan: Generating stealthy jailbreak prompts on aligned large language models. arXiv preprint arXiv:2310.04451, 2023.
  9. Stanley Milgram. Behavioral study of obedience. The Journal of abnormal and social psychology, 67(4):371, 1963.
  10. Stanley Milgram. Obedience to authority: An experimental view. 1974. URL https://books.google.com.hk/books?id=MlpEAAAAMAAJ.
  11. Codegen: An open large language model for code with multi-turn program synthesis. arXiv preprint arXiv:2203.13474, 2022.
  12. Training language models to follow instructions with human feedback. Advances in Neural Information Processing Systems, 35:27730–27744, 2022.
  13. The RefinedWeb dataset for Falcon LLM: outperforming curated corpora with web data, and web data only. arXiv preprint arXiv:2306.01116, 2023.
  14. Visual adversarial examples jailbreak large language models. arXiv preprint arXiv:2306.13213, 2023.
  15. " do anything now": Characterizing and evaluating in-the-wild jailbreak prompts on large language models. arXiv preprint arXiv:2308.03825, 2023.
  16. Megatron-lm: Training multi-billion parameter language models using model parallelism. arXiv preprint arXiv:1909.08053, 2019.
  17. MosaicML NLP Team. Introducing mpt-7b: A new standard for open-source, commercially usable llms, 2023. URL www.mosaicml.com/blog/mpt-7b. Accessed: 2023-05-05.
  18. Llama 2: Open foundation and fine-tuned chat models. arXiv preprint arXiv:2307.09288, 2023.
  19. Jailbroken: How does llm safety training fail? In NeurIPS, 2023a.
  20. Emergent abilities of large language models. arXiv preprint arXiv:2206.07682, 2022a.
  21. Chain-of-thought prompting elicits reasoning in large language models. Advances in Neural Information Processing Systems, 35:24824–24837, 2022b.
  22. Jailbreak and guard aligned language models with only few in-context demonstrations. arXiv preprint arXiv:2310.06387, 2023b.
  23. Defending chatgpt against jailbreak attack via self-reminder. Research Square, 2023.
  24. A survey of large language models. arXiv preprint arXiv:2303.18223, 2023.
  25. Judging llm-as-a-judge with mt-bench and chatbot arena. arXiv preprint arXiv:2306.05685, 2023.
  26. Universal and transferable adversarial attacks on aligned language models. arXiv preprint arXiv:2307.15043, 2023.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (6)
  1. Xuan Li (129 papers)
  2. Zhanke Zhou (21 papers)
  3. Jianing Zhu (15 papers)
  4. Jiangchao Yao (74 papers)
  5. Tongliang Liu (251 papers)
  6. Bo Han (282 papers)
Citations (99)
View on Semantic Scholar
Youtube Logo Streamline Icon: https://streamlinehq.com

YouTube