LMVD-ID: 27458b20
Published October 1, 2024

Homotopy-Based LLM Jailbreak

model-layer
jailbreak
blackbox
safety
whitebox
Affected Models:llama-3, llama-2, mistral-v0.3, vicuna-v1.5

Research Paper

Functional Homotopy: Smoothing Discrete Optimization via Continuous Parameters for LLM Jailbreak Attacks

View Paper

Description: Large Language Models (LLMs) are vulnerable to jailbreak attacks utilizing a novel Functional Homotopy (FH) optimization method. FH exploits the functional duality between model training and input generation, iteratively solving a series of "easy-to-hard" optimization problems to generate adversarial prompts that circumvent safety mechanisms and elicit undesirable model responses. This is achieved by first misaligning the model via gradient descent on continuous parameters, then leveraging intermediate model states to construct attacks incrementally, improving success rates compared to existing methods. The vulnerability lies in the LLM's susceptibility to these iteratively constructed prompts, bypassing its intended safety constraints.

Examples: See arXiv:2405.18540 for specific examples and experimental setup details. The paper provides examples of adversarial prompts generated using the FH method against Llama-2 and Llama-3 which successfully produced undesired model outputs.

Impact: Successful exploitation of this vulnerability can lead to LLMs generating harmful, biased, or otherwise inappropriate content, violating safety policies and potentially causing reputational damage, financial loss, or even physical harm depending on the context. Attackers can bypass safety filters and elicit sensitive information or commands from the LLM.

Affected Systems: Large Language Models (LLMs) susceptible to gradient-based attacks, including (but not limited to) Llama-2, Llama-3, Mistral-v0.3, and Vicuna-v1.5. The vulnerability is expected to impact other LLMs sharing similar architectural features and training methodologies.

Mitigation Steps:

  • Implement robust adversarial training techniques to improve model resilience against iterative attacks like FH.
  • Develop and deploy more sophisticated safety filtering mechanisms that are resistant to prompt manipulation techniques, including those involving continuous parameter adjustments.
  • Regularly audit and update safety models to adapt to new attack strategies such as those described in the research paper.
  • Investigate and implement alternative optimization methods for prompt generation that are less susceptible to exploitation.

© 2025 Promptfoo. All rights reserved.