LMVD-ID: b431062b
Published October 1, 2024

Autonomous Jailbreak Agent

prompt-layer
jailbreak
blackbox
safety
integrity
Affected Models:llama-2-7b-chat, llama-2-13b-chat, llama-2-70b-chat, llama-3-8b, llama-3-70b, gemma-7b-it, gpt-4-1106-turbo, gemini pro

Research Paper

Autodan-turbo: A lifelong agent for strategy self-exploration to jailbreak llms

View Paper

Description: Large Language Models (LLMs) are vulnerable to jailbreak attacks using autonomously discovered strategies. AutoDAN-Turbo, a black-box attack method, demonstrates the ability to discover novel and highly effective jailbreak strategies without human intervention, achieving a high success rate (e.g., 88.5% on GPT-4-1106-turbo) in eliciting harmful or unsafe responses from LLMs. The attack leverages a lifelong learning agent to iteratively refine attack strategies based on model responses, resulting in increasingly effective prompts that bypass safety mechanisms.

Examples: See https://github.com/SaFoLab-WISC/AutoDAN-Turbo for code and a detailed example of the attack process. Specific examples of generated prompts and resulting LLM responses are included in the paper's Appendix. One example involves prompting the model to provide detailed instructions for synthesizing dimethylmercury, a highly toxic substance. The AutoDAN-Turbo attack successfully elicited detailed instructions on the synthesis, while baselines failed to bypass safety restrictions. (See Figure A in the provided paper).

Impact: Successful jailbreak attacks can lead to the generation of harmful, unethical, or illegal content by LLMs, including instructions for creating dangerous substances, promoting hate speech, or providing information that could be used for malicious purposes. This undermines the safety and reliability of LLM deployments and poses significant risks to users and the broader public.

Affected Systems: The vulnerability affects a wide range of LLMs, including both open-source (e.g., Llama 2, Llama 3) and closed-source models (e.g., GPT-4, Gemini Pro). The effectiveness of the attack may vary depending on the specific LLM architecture and safety mechanisms employed.

Mitigation Steps:

  • Implement more robust safety mechanisms within LLMs that are resistant to iterative attacks and strategy adaptation.
  • Develop and deploy more sophisticated detection methods for identifying and blocking malicious prompts.
  • Continuously evaluate and update safety mechanisms based on emerging attack techniques, including automated jailbreak methods.
  • Regularly red team LLMs using diverse attack methodologies to identify and address vulnerabilities.

© 2025 Promptfoo. All rights reserved.