LMVD-ID: 61a91449
Published October 1, 2023

LLM Red Teaming Framework

prompt-layer
injection
jailbreak
blackbox
safety
integrity

Research Paper

Attack prompt generation for red teaming and defending large language models

View Paper

Description: A vulnerability in large language models (LLMs) allows attackers to craft malicious prompts that induce the LLM to generate harmful content, such as fraudulent material, racist remarks, or instructions for illegal activities. The vulnerability arises from the LLM's inability to reliably distinguish between benign and malicious instructions disguised within seemingly innocuous prompts. Attackers can exploit this by leveraging techniques like obfuscation, code injection/payload splitting, and virtualization to bypass safety filters and elicit harmful responses.

Examples:

  • Obfuscation: Replacing "COVID-19" with "CVID" in a prompt requesting information about pandemic relief funds might bypass keyword filters.
  • Code Injection/Payload Splitting: Breaking a malicious instruction into multiple parts, each seemingly harmless, to circumvent detection mechanisms. See https://github.com/Aatrox103/SAP for examples (Specifically, the SAP dataset).
  • Virtualization: Creating a fictional scenario (e.g., a role-playing game) where the LLM assumes a persona that allows it to generate content it would otherwise refuse to produce due to ethical constraints. See https://github.com/Aatrox103/SAP for examples.

Impact: The successful exploitation of this vulnerability can lead to the generation and dissemination of harmful content, damaging the reputation of the LLM provider, causing social harm, and potentially facilitating illegal activities.

Affected Systems: Large language models (LLMs) including but not limited to GPT-3.5, Alpaca, and other LLMs susceptible to prompt injection attacks.

Mitigation Steps:

  • Improved prompt filtering: Implement more robust filtering mechanisms that are able to detect obfuscated and cleverly disguised malicious prompts.
  • Advanced prompt analysis: Employ techniques that analyze the semantic meaning and intent behind prompts, rather than relying solely on keyword matching.
  • Adversarial training: Train the LLM on a diverse dataset of adversarial prompts designed to elicit harmful responses, and refine the model's ability to discern malicious intent.
  • Iterative fine-tuning: Regularly fine-tune the model with newly generated attack prompts (using a framework like that described in the paper) to enhance its resilience to attack.
  • User feedback incorporation: Collect and incorporate user feedback on harmful outputs generated by the model to improve the training datasets and further refine the model's safety mechanisms.

© 2025 Promptfoo. All rights reserved.