Jailbreak Open-Sourced Large Language Models via Enforced Decoding

Hangfan Zhang; Zhimeng Guo; Huaisheng Zhu; Bochuan Cao; Lu Lin; Jinyuan Jia; Jinghui Chen; Dinghao Wu

doi:10.18653/v1/2024.acl-long.299

Jailbreak Open-Sourced Large Language Models via Enforced Decoding

Hangfan Zhang
, Zhimeng Guo
, Huaisheng Zhu
, Bochuan Cao
, Lu Lin
, Jinyuan Jia
, Jinghui Chen
, Dinghao Wu

College of Information Sciences and Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

13 Scopus citations

Abstract

Large Language Models (LLMs) have achieved unprecedented performance in Natural Language Generation (NLG) tasks. However, many existing studies have shown that they could be misused to generate undesired content. In response, before releasing LLMs for public access, model developers usually align those language models through Supervised Fine-Tuning (SFT) or Reinforcement Learning with Human Feedback (RLHF). Consequently, those aligned large language models refuse to generate undesired content when facing potentially harmful/unethical requests. A natural question is “could alignment really prevent those open-sourced large language models from being misused to generate undesired content?”. In this work, we provide a negative answer to this question. In particular, we show those open-sourced, aligned large language models could be easily misguided to generate undesired content without heavy computations or careful prompt designs. Our key idea is to directly manipulate the generation process of open-sourced LLMs to misguide it to generate undesired content including harmful or biased information and even private data. We evaluate our method on 4 open-sourced LLMs accessible publicly and our finding highlights the need for more advanced mitigation strategies for open-sourced LLMs.

Original language	English (US)
Title of host publication	Long Papers
Editors	Lun-Wei Ku, Andre F. T. Martins, Vivek Srikumar
Publisher	Association for Computational Linguistics (ACL)
Pages	5475-5493
Number of pages	19
ISBN (Electronic)	9798891760943
DOIs	https://doi.org/10.18653/v1/2024.acl-long.299
State	Published - 2024
Event	62nd Annual Meeting of the Association for Computational Linguistics, ACL 2024 - Bangkok, Thailand Duration: Aug 11 2024 → Aug 16 2024

Publication series

Name	Proceedings of the Annual Meeting of the Association for Computational Linguistics
Volume	1
ISSN (Print)	0736-587X

Conference

Conference	62nd Annual Meeting of the Association for Computational Linguistics, ACL 2024
Country/Territory	Thailand
City	Bangkok
Period	8/11/24 → 8/16/24

All Science Journal Classification (ASJC) codes

Computer Science Applications
Linguistics and Language
Language and Linguistics

Access to Document

10.18653/v1/2024.acl-long.299

Cite this

Zhang, H., Guo, Z., Zhu, H., Cao, B., Lin, L., Jia, J., Chen, J., & Wu, D. (2024). Jailbreak Open-Sourced Large Language Models via Enforced Decoding. In L.-W. Ku, A. F. T. Martins, & V. Srikumar (Eds.), Long Papers (pp. 5475-5493). (Proceedings of the Annual Meeting of the Association for Computational Linguistics; Vol. 1). Association for Computational Linguistics (ACL). https://doi.org/10.18653/v1/2024.acl-long.299

@inproceedings{f4d8d3cc141f4369a1ff65362ce59e7a,

title = "Jailbreak Open-Sourced Large Language Models via Enforced Decoding",

abstract = "Large Language Models (LLMs) have achieved unprecedented performance in Natural Language Generation (NLG) tasks. However, many existing studies have shown that they could be misused to generate undesired content. In response, before releasing LLMs for public access, model developers usually align those language models through Supervised Fine-Tuning (SFT) or Reinforcement Learning with Human Feedback (RLHF). Consequently, those aligned large language models refuse to generate undesired content when facing potentially harmful/unethical requests. A natural question is “could alignment really prevent those open-sourced large language models from being misused to generate undesired content?”. In this work, we provide a negative answer to this question. In particular, we show those open-sourced, aligned large language models could be easily misguided to generate undesired content without heavy computations or careful prompt designs. Our key idea is to directly manipulate the generation process of open-sourced LLMs to misguide it to generate undesired content including harmful or biased information and even private data. We evaluate our method on 4 open-sourced LLMs accessible publicly and our finding highlights the need for more advanced mitigation strategies for open-sourced LLMs.",

author = "Hangfan Zhang and Zhimeng Guo and Huaisheng Zhu and Bochuan Cao and Lu Lin and Jinyuan Jia and Jinghui Chen and Dinghao Wu",

note = "Publisher Copyright: {\textcopyright} 2024 Association for Computational Linguistics.; 62nd Annual Meeting of the Association for Computational Linguistics, ACL 2024 ; Conference date: 11-08-2024 Through 16-08-2024",

year = "2024",

doi = "10.18653/v1/2024.acl-long.299",

language = "English (US)",

series = "Proceedings of the Annual Meeting of the Association for Computational Linguistics",

publisher = "Association for Computational Linguistics (ACL)",

pages = "5475--5493",

editor = "Lun-Wei Ku and Martins, \{Andre F. T.\} and Vivek Srikumar",

booktitle = "Long Papers",

}

Zhang, H, Guo, Z, Zhu, H, Cao, B, Lin, L , Jia, J , Chen, J & Wu, D 2024, Jailbreak Open-Sourced Large Language Models via Enforced Decoding. in L-W Ku, AFT Martins & V Srikumar (eds), Long Papers. Proceedings of the Annual Meeting of the Association for Computational Linguistics, vol. 1, Association for Computational Linguistics (ACL), pp. 5475-5493, 62nd Annual Meeting of the Association for Computational Linguistics, ACL 2024, Bangkok, Thailand, 8/11/24. https://doi.org/10.18653/v1/2024.acl-long.299

Jailbreak Open-Sourced Large Language Models via Enforced Decoding. / Zhang, Hangfan; Guo, Zhimeng; Zhu, Huaisheng et al.
Long Papers. ed. / Lun-Wei Ku; Andre F. T. Martins; Vivek Srikumar. Association for Computational Linguistics (ACL), 2024. p. 5475-5493 (Proceedings of the Annual Meeting of the Association for Computational Linguistics; Vol. 1).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Jailbreak Open-Sourced Large Language Models via Enforced Decoding

AU - Zhang, Hangfan

AU - Guo, Zhimeng

AU - Zhu, Huaisheng

AU - Cao, Bochuan

AU - Lin, Lu

AU - Jia, Jinyuan

AU - Chen, Jinghui

AU - Wu, Dinghao

PY - 2024

Y1 - 2024

N2 - Large Language Models (LLMs) have achieved unprecedented performance in Natural Language Generation (NLG) tasks. However, many existing studies have shown that they could be misused to generate undesired content. In response, before releasing LLMs for public access, model developers usually align those language models through Supervised Fine-Tuning (SFT) or Reinforcement Learning with Human Feedback (RLHF). Consequently, those aligned large language models refuse to generate undesired content when facing potentially harmful/unethical requests. A natural question is “could alignment really prevent those open-sourced large language models from being misused to generate undesired content?”. In this work, we provide a negative answer to this question. In particular, we show those open-sourced, aligned large language models could be easily misguided to generate undesired content without heavy computations or careful prompt designs. Our key idea is to directly manipulate the generation process of open-sourced LLMs to misguide it to generate undesired content including harmful or biased information and even private data. We evaluate our method on 4 open-sourced LLMs accessible publicly and our finding highlights the need for more advanced mitigation strategies for open-sourced LLMs.

AB - Large Language Models (LLMs) have achieved unprecedented performance in Natural Language Generation (NLG) tasks. However, many existing studies have shown that they could be misused to generate undesired content. In response, before releasing LLMs for public access, model developers usually align those language models through Supervised Fine-Tuning (SFT) or Reinforcement Learning with Human Feedback (RLHF). Consequently, those aligned large language models refuse to generate undesired content when facing potentially harmful/unethical requests. A natural question is “could alignment really prevent those open-sourced large language models from being misused to generate undesired content?”. In this work, we provide a negative answer to this question. In particular, we show those open-sourced, aligned large language models could be easily misguided to generate undesired content without heavy computations or careful prompt designs. Our key idea is to directly manipulate the generation process of open-sourced LLMs to misguide it to generate undesired content including harmful or biased information and even private data. We evaluate our method on 4 open-sourced LLMs accessible publicly and our finding highlights the need for more advanced mitigation strategies for open-sourced LLMs.

UR - https://www.scopus.com/pages/publications/85204450073

UR - https://www.scopus.com/pages/publications/85204450073#tab=citedBy

U2 - 10.18653/v1/2024.acl-long.299

DO - 10.18653/v1/2024.acl-long.299

M3 - Conference contribution

AN - SCOPUS:85204450073

T3 - Proceedings of the Annual Meeting of the Association for Computational Linguistics

SP - 5475

EP - 5493

BT - Long Papers

A2 - Ku, Lun-Wei

A2 - Martins, Andre F. T.

A2 - Srikumar, Vivek

PB - Association for Computational Linguistics (ACL)

T2 - 62nd Annual Meeting of the Association for Computational Linguistics, ACL 2024

Y2 - 11 August 2024 through 16 August 2024

ER -

Jailbreak Open-Sourced Large Language Models via Enforced Decoding

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this