Author

Harry Menear

Published

30 May 2024

Estimated Read time

5Mins

Thomas Hughes and Charlotte Davidson, Data Scientists at Bayezian, break down how and why people are so eager to jailbreak LLMs, the risks, and how to stop it.

Jailbreaking Large Language Models (LLMs) refers to the process of circumventing the built-in safety measures and restrictions of these models. Once these safety measures are circumvented, they can be used to elicit unauthorised or unintended outputs. This phenomenon is critical in the context of LLMs like GPT, BERT, and others. These models are ostensibly equipped with safety mechanisms designed to prevent the generation of harmful, biased or unethical content. Turning them off can result in the generation of misleading, hurtful, and dangerous content.

Unauthorised access or modification poses significant security risks. This includes the potential for spreading misinformation, creating malicious content, or exploiting the models for nefarious purposes.

Jailbreaking techniques

Jailbreaking LLMs typically involve sophisticated techniques that exploit vulnerabilities in the model’s design or its operational environment. These methods range from adversarial attacks, where inputs are specially crafted to mislead the model, to prompt engineering, which manipulates the model’s prompts to bypass restrictions.

Adversarial attacks are a technique involving the addition of nonsensical or misleading suffixes as prompts. These deceptive additions deceive models into generating prohibited content. For instance, adding an adversarial string can trick a model into providing instructions for illegal activities despite initially refusing such requests. There is also an option to inject specific phrases or commands within prompts. These command exploit the model’s programming to produce desired outputs, bypassing safety checks. 

Prompt engineering has two key techniques. One is semantic juggling. This process alters the phrasing or context of prompts to navigate around the model’s ethical guidelines without triggering content filters. The other is contextual misdirection, a technique which involves providing the model with a context that misleads it about the nature of the task. Once deceived in this manner, the model can be prompted to generate content it would typically restrict.

Bad actors could use these tactics to trick an LLM into doing any number of dangerous and illegal things. An LLM might outline a plan to hack a secure network and steal sensitive information. In the future, the possibilities become even more worrying in an increasingly connected world. An AI could hijack a self-driving car and cause it to crash. 

AI security and jailbreak detection

The capabilities of LLMs are expanding. In this new era, safeguarding against unauthorised manipulations has become a cornerstone of digital trust and safety. The importance of robust AI security frameworks in countering jailbreaking attempts, therefore, is paramount. And implementing stringent security protocols and sophisticated detection systems is key to preserving the fidelity, reliability and ethical use of LLMs. But how can this be done? 

Perplexity represents a novel approach in the detection of jailbreak attempts against LLMs. It is a measure which evaluates how accurately a LLM model can predict the next word in the output. This technique relies on the principle that queries aimed at manipulating or compromising the integrity of LLMs tend to manifest significantly higher perplexity values, indicative of their complex and unexpected nature. Such abnormalities serve as markers, differentiating between malevolent inputs, characterised by elevated perplexity, and benign ones, which typically exhibit lower scores. 

The approach has proven its merit in singling out adversarial suffixes. These suffixes, when attached to standard prompts, cause a marked increase in perplexity, thereby signalling them for additional investigation. Employing perplexity in this manner advances the proactive identification and neutralisation of threats to LLMs, illustrating the dynamic progression in the realm of AI safeguarding practices.

Extra defence mechanisms 

Defending against jailbreaks involves a multi-faceted strategy that includes both technical and procedural measures.

From the technical side, dynamic filtering implements real-time detection and filtering mechanisms that can identify and neutralise jailbreak attempts before they affect the model’s output. And from the procedural side, companies can adopt enhanced training procedures, incorporating adversarial training and reinforcement learning from human feedback to improve model resilience against jailbreaking.

Challenges to the regulatory landscape 

The phenomenon of jailbreaking presents novel challenges to the regulatory landscape and governance structures overseeing AI and LLMs. The intricacies of unauthorised access and manipulation of LLMs are becoming more pronounced. As such, a nuanced approach to regulation and governance is essential. This approach must strike a delicate balance between ensuring the ethical deployment of LLMs and nurturing technological innovation.

It’s imperative regulators establish comprehensive ethical guidelines that not only serve as a moral compass but also as a foundational framework to preempt misuse and ensure responsible AI development and deployment. Robust regulatory mechanisms are imperative for enforcing compliance with established ethical norms. These mechanisms should also be capable of dynamically adapting to the evolving AI landscape. Only thn can regulators ensure LLMs’ operations remain within the bounds of ethical and legal standards.

The paper “Evaluating Safeguard Effectiveness”​​ outlines some pivotal considerations for policymakers, researchers, and LLM vendors. By understanding the tactics employed by jailbreak communities, LLM vendors can develop classifiers to distinguish between legitimate and malicious prompts. And the shift towards the origination of jailbreak prompts from private platforms underscores the need for a more vigilant approach to threat monitoring: it’s crucial for both LLM vendors and researchers to extend their surveillance beyond public forums, acknowledging private platforms as significant sources of potential jailbreak strategies.

The bottom line

Jailbreaking LLMs present a significant challenge to the safety, security, and ethical use of AI technologies. Through a combination of advanced detection techniques, robust defence mechanisms, and comprehensive regulatory frameworks, it is possible to mitigate the risks associated with jailbreaking. As the AI field continues to evolve, ongoing research and collaboration among academics, industry professionals, and policymakers will be crucial in addressing these challenges effectively.

Thomas Hughes and Charlotte Davidson are Data Scientists at Bayezian, a London-based team of scientists, engineers, ethicists and more, committed to the application of artificial intelligence to advance science and benefit humanity.

  • Cybersecurity
  • Data & AI

Related Stories

How CEOs can drive culture change around diversity and inclusion

Diane Lightfoot, CEO of Business Disability Forum, on changing the narrative around diversity and inclusion in the workplace

Read now

Issue 39 of Interface magazine is live!

Ian Povey, CIO – Head of Payments Services & Technology, on the strategic transformation taking place at NatWest benefitting both the bank and its customers

Read now

Issue 34 of Interface magazine is live!

Our cover story this month investigates how Fleur Twohig, Executive Vice President, leading Personalisation & Experimentation across Consumer Data & Engagement Platforms, and her team are executing Wells Fargo’s strategy to promote personalised customer engagement across all consumer banking channels

Read now
Sid Shaikh, Head of Robotics at hyperTunnel, delves into the potential for robotics to build critical underground infrastructure in the cities of the future.

Underground construction: What if robots could do it all for us?  

Sid Shaikh, Head of Robotics at hyperTunnel, delves into the potential for robotics to build critical underground infrastructure in the cities of the future.

Read now
Martin Reynolds, Field CTO at Harness, explores how developer toil is set to triple as generative AI increases the volume of code that needs to be tested and remediated.

Organisations must contain the “blast radius” of rogue AI-generated code

Martin Reynolds, Field CTO at Harness, explores how developer toil is set to triple as generative AI increases the volume of code that needs to be tested and remediated.

Read now
David Watkins, Solutions Director at VIRTUS, examines how data centre operators can meet rising demand driven by AI and reduce environmental impact.

Data centre thermal management in an age of AI workloads

David Watkins, Solutions Director at VIRTUS, examines how data centre operators can meet rising demand driven by AI and reduce environmental impact.

Read now
Gabe Hopkins, Chief Product Officer at Ripjar, examines the upsides and downsides of integrating generative AI into the compliance process.

Generative AI in compliance: Pros, cons, and challenges 

Gabe Hopkins, Chief Product Officer at Ripjar, examines the upsides and downsides of integrating generative AI into the compliance process.

Read now
Rob Pocock, Technology Director at Red Helix, explores how cyber security teams can guard against the rising tide of cyber threats.

Building defences for a cyber tsunami

Rob Pocock, Technology Director at Red Helix, explores how cyber security teams can guard against the rising tide of cyber threats.

Read now
UK telecom BT plans to use ServiceNow’s generative AI to increase efficiency, cut costs, and potentially lay off 10,000 workers.

BT latest to strengthen AI investment with ServiceNow partnership expansion  

UK telecom BT plans to use ServiceNow’s generative AI to increase efficiency, cut costs, and potentially lay off 10,000 workers.

Read now
AI chatbots and other supposedly easy wins can quickly spiral into waste, overspending, and security problems, while efficiencies fail to materialise.

Chasing AI: the danger of rushing to pick the “low hanging fruit” 

AI chatbots and other supposedly easy wins can quickly spiral into waste, overspending, and security problems, while efficiencies fail to materialise.

Read now
No one doubts the value of data, but inaccurate, low quality, poorly organised data is a growing problem for organisations across multiple industries.

Better, not bigger: the AI data quality crisis  

No one doubts the value of data, but inaccurate, low quality, poorly organised data is a growing problem for organisations across multiple industries.

Read now
Rosemary J. Thomas, Senior Technical Consultant at Version 1 shares her analysis of the evolving regulatory landscape surrounding artificial intelligence.

The evolving AI regulatory landscape: A critical insight

Rosemary J. Thomas, Senior Technical Consultant at Version 1 shares her analysis of the evolving regulatory landscape surrounding artificial intelligence.

Read now

We believe in a personal approach

By working closely with our customers at every step of the way we ensure that we capture the dedication, enthusiasm and passion which has driven change within their organisations and inspire others with motivational real-life stories.

Get in touch