LMVD-ID: 0b97c5e1
Published April 1, 2025

Targeted Noise Injection Jailbreak

model-layer
jailbreak
whitebox
safety
integrity
Affected Models:llama 3.2 1b, llama 3.2 3b, qwen2.5–3b, mistral-7b-v0.3

Research Paper

XBreaking: Explainable Artificial Intelligence for Jailbreaking LLMs

View Paper

Description: A vulnerability in several Large Language Models (LLMs) allows bypassing safety mechanisms through targeted noise injection. Explainable AI (XAI) techniques reveal specific layers within the LLM architecture most responsible for content filtering. Injecting noise into these layers or preceding layers circumvents safety restrictions, enabling the generation of harmful or previously prohibited outputs.

Examples: The paper demonstrates the attack on four LLMs (LLaMA 3.2 1B/3B, Qwen2.5-3B, Mistral-7B-v0.3). Specific examples of malicious prompts and resulting outputs are detailed within the paper and associated repository/dataset. The attack involves using XAI to identify key layers, then injecting Gaussian noise with varying scaling factors (0.1, 0.2, 0.3) into either the identified layers or the preceding layers. Results show varying degrees of success, depending on the LLM and noise level. See arXiv:2405.18540 for detailed results and methodology. (Note: Replace [arXiv:2405.18540](https://arxiv.org/abs/2405.18540) with the actual arXiv or repository link once available).

Impact: Successful exploitation allows attackers to bypass safety controls implemented in LLMs. This can lead to the generation of harmful content (e.g., instructions for illegal activities, hateful speech), the circumvention of content moderation policies, and potential information leakage from the model's training data. The severity depends on the LLM and the context of its deployment.

Affected Systems: The vulnerability affects multiple open-source LLMs, including but not limited to those tested in the research: LLaMA 3.2 (1B and 3B parameters), Qwen2.5-3B, and Mistral-7B-v0.3. Other models using similar architectures and safety mechanisms may also be vulnerable.

Mitigation Steps:

  • Implement more robust and diverse safety mechanisms within LLMs, potentially involving multiple layers of defense and less predictable filtering methods.
  • Develop more advanced detection techniques to identify and block adversarial inputs attempting to trigger this type of attack.
  • Regularly audit LLMs for vulnerabilities and update safety models proactively. Investigate alternative architectural designs that reduce the predictability of internal safety mechanisms.
  • Employ input sanitization and validation techniques to reduce the effectiveness of noise-based attacks.

© 2025 Promptfoo. All rights reserved.