Universal Jailbreak Injection

Description: JailbreakEdit is a novel attack that injects a universal jailbreak backdoor into safety-aligned Large Language Models (LLMs) by exploiting model editing techniques. The attack modifies specific parameters within the model's feed-forward networks, creating shortcuts that bypass internal safety mechanisms and trigger jailbroken responses to a wide range of prompts, including those containing sensitive or harmful content. The attack requires only one-time parameter modification, making it efficient and stealthy.

Examples: See https://github.com/johnnychanv/JailbreakEdit. The repository includes code and details for replicating the attack on various LLMs. Specific examples of malicious prompts and resulting outputs are also provided within the paper's supplementary materials.

Impact: Successful exploitation allows attackers to bypass the LLM's safety mechanisms, eliciting harmful or unethical content. This compromises the intended safety and reliability of the LLM, potentially leading to the generation of offensive, discriminatory, or otherwise undesirable responses. The attack's efficiency and stealth make it a significant threat.

Affected Systems: The vulnerability affects safety-aligned LLMs, including but not limited to Llama-2-7b-chat, Llama-2-13b-chat, Vicuna-7b, and ChatGLM-6b. The attack's effectiveness may vary across different models and parameter scales.

Mitigation Steps:

• Robust Model Training: Develop more robust training methods that are less susceptible to model editing attacks. This could involve incorporating techniques to detect and mitigate malicious parameter modifications.
• Parameter Monitoring and Integrity Checks: Implement mechanisms to regularly monitor model parameters for unauthorized changes. This would involve comparing current parameters to known safe baselines and raising alerts on significant deviations.
• Input Sanitization and Validation: Enhance input sanitization and validation procedures to detect and block malicious prompts that trigger the backdoor. This may include techniques for identifying patterns associated with the backdoor trigger word(s).
• Defense Mechanisms against Model Editing: Develop and implement defense mechanisms specifically designed to detect and prevent malicious edits to the model's parameters. This could involve techniques for identifying and repairing any suspicious patterns in the model's weights.
• Regular Updates and Patching: Promptly deploy updates and patches to address any identified vulnerabilities, including those exposed by new model editing attack techniques.