-
Background The paper emphasizes the challenges of integrating Large Language Models (LLMs) safely into the real world and highlights that traditional AI safety research has primarily approached AI models as machines, focusing on algorithm-centric attacks developed by security experts.
-
Existing Work Existing work often employs methods such as optimization, side-channel, and distribution-based approaches, which generate difficult-to-interpret prompts and overlook risks associated with natural and human-like communication with non-expert users—key aspects of the deployed LLMs.
- Introduced a persuasion taxonomy based on social science research
-
Challenge 1: The risks of human-like communication Traditional methods often view LLMs as mere instruction followers rather than human-like communicators susceptible to nuanced interpersonal influence and persuasive communication, ignoring the associated risks. The paper introduces a persuasion taxonomy to automatically generate interpretable persuasive adversarial prompts (PAP) that significantly increase the jailbreaking performance of LLMs.
-
Challenge 2: Gaps in existing defense mechanisms The adversarial process revealed significant gaps in even the latest post-hoc defense measures against PAP, emphasizing the inadequacy of current solutions. The paper advocates for more fundamental mitigations for highly interactive LLMs.
-
- ...
The paper utilized the Persuasive Paraphraser to perform attacks using PAP on LLMs, evaluating against 14 policy-guided risk categories, finding that persuasive techniques significantly improve jailbreak performance across different risk categories. Specifically, PAP achieved an attack success rate of over 92% across Llama 2-7b, Chat GPT-3.5, and GPT-4 in 10 trials, exceeding recent algorithm-focused attacks. Subsequent defense analysis evaluated recent post-hoc defenses against the persuasive jailbreak method and identified significant gaps in their effectiveness against PAP; the paper proposed three adaptive defenses that proved effective.
This paper presents a novel perspective on studying AI safety by humanizing LLMs, applying over a decade of social science research to AI safety, establishing a persuasion taxonomy, and creating a tool that automatically generates adversarial prompts. The results demonstrate the effectiveness of persuasion in increasing the likelihood of LLMs performing risky behaviors, while also revealing the insufficiency of current defense measures against such strategies.