Jailbreaking Commercial Black-Box LLMs with Explicitly Harmful Prompts

Summary

This paper focuses on the difficulty of accurately testing how easily large language models (like chatbots) can be 'jailbroken' – tricked into providing harmful or inappropriate responses. It introduces a new method for identifying malicious prompts and responses, and also explores new techniques for *successfully* jailbreaking these models.

What's the problem?

Testing for jailbreaks is hard because many attempts to trick the model aren't obviously harmful, or simply don't work. Existing datasets used for this testing often contain a lot of ineffective prompts, making it difficult to get a clear picture of the model's vulnerabilities. Current methods for identifying harmful content either require a lot of manual work by people, or rely on other AI models which aren't always reliable at spotting everything.

What's the solution?

The researchers developed a system called MDH, which combines the speed of AI with a small amount of human review to quickly and accurately identify malicious prompts and responses. They used this system to clean up existing datasets. They also discovered that carefully worded instructions given *to* the AI (called 'developer messages') can actually make it easier to jailbreak, and created two new attack methods, D-Attack and DH-CoT, that take advantage of this.

Why it matters?

This work is important because it provides a better way to evaluate the safety of large language models. By improving the testing process and understanding how to exploit vulnerabilities, developers can build more robust and secure AI systems that are less likely to be misused or generate harmful content. The release of their code and data will also help other researchers in this field.