LMVD-ID: db61455d
Published May 1, 2025

Latent-Space Jailbreak Optimization

model-layer
jailbreak
whitebox
blackbox
safety
integrity
Affected Models:llama-2-7b-chat-hf, llama-2-13b-chat-hf, phi-3-mini-4k-instruct, qwen-2.5-14b

Research Paper

LARGO: Latent Adversarial Reflection through Gradient Optimization for Jailbreaking LLMs

View Paper

Description: The LARGO attack exploits a vulnerability in Large Language Models (LLMs) allowing attackers to bypass safety mechanisms through the generation of "stealthy" adversarial prompts. The attack leverages gradient optimization in the LLM's continuous latent space to craft seemingly innocuous natural language suffixes which, when appended to harmful prompts, elicit unsafe responses. The vulnerability stems from the LLM's inability to reliably distinguish between benign and maliciously crafted latent representations that are then decoded into natural language.

Examples: See arXiv:2405.18540 for specific examples of adversarial suffixes generated by LARGO and their corresponding successful jailbreaks across various LLM models. Examples include prompts that successfully extract detailed instructions on harmful activities despite the model's built-in safety protocols.

Impact: Successful exploitation of this vulnerability allows attackers to circumvent LLM safety measures, leading to the generation of unsafe, biased, or otherwise harmful content. This can have significant consequences, including the dissemination of misinformation, promotion of harmful activities, and circumvention of content moderation systems.

Affected Systems: A wide range of LLMs are potentially affected, including but not limited to Llama-2, Phi-3, and Qwen-2.5. The vulnerability is not limited to specific model sizes or architectures. The paper demonstrates effectiveness against models ranging from 4B to 13B parameters.

Mitigation Steps:

  • Improve LLM robustness to adversarial attacks by enhancing the detection and filtering mechanisms for both discrete token-level and latent-level malicious inputs.
  • Develop more sophisticated safety mechanisms that are less susceptible to manipulation through latent space optimization.
  • Implement robust defenses against gradient-based attacks specifically targeting the model's latent space. This may involve techniques to detect and filter perturbations in the latent space.
  • Regularly update and retrain LLMs with data that includes adversarial examples generated by techniques like LARGO to improve resilience.

© 2025 Promptfoo. All rights reserved.