Surrogate Classifier Extraction
Research Paper
Targeting Alignment: Extracting Safety Classifiers of Aligned LLMs
Description: Large Language Models (LLMs) that employ alignment techniques for safety embed a "safety classifier" within their architecture. This classifier, which determines whether an input is safe or unsafe, can be approximated by extracting a surrogate classifier from a subset of the LLM's architecture. Attackers can leverage this surrogate classifier to craft adversarial inputs (jailbreaks) that bypass the LLM's intended safety mechanisms more effectively. The attack success rate against the surrogate classifier is significantly higher than that of attacking the full LLM directly, and the attack requires fewer computational resources.
Examples: See arXiv:2405.18540. Specific examples of surrogate classifier extraction and subsequent successful attacks are detailed in the referenced paper.
Impact: Successful exploitation allows attackers to bypass the safety measures implemented in aligned LLMs, leading to the generation of unsafe outputs (e.g., hate speech, harmful instructions) in response to carefully constructed inputs. This undermines the intended safety and responsible use of the LLM. The reduced computational cost of attacking the surrogate classifier makes attacks more feasible and scalable.
Affected Systems: Open-source and potentially closed-source LLMs that utilize alignment techniques for safety purposes, particularly those based on transformer architectures. Specific models vulnerable to this attack are those evaluated in the referenced paper (Llama-2-7b-chat, Qwen2.5-7B-Instruct, gemma-7b-it, gemma-2-9b-it, and granite-3.1-8b-instruct).
Mitigation Steps:
- Develop more robust alignment techniques that are less susceptible to surrogate classifier extraction.
- Investigate techniques to make the embedded safety classifier more difficult to extract, for example by obfuscating its structure or using more complex decision boundaries.
- Implement input sanitization and validation mechanisms to detect and filter potentially adversarial inputs.
- Consider architectural modifications to hinder the extraction of informative subsets of the LLM.
© 2025 Promptfoo. All rights reserved.