Poster
in
Workshop: Red Teaming GenAI: What Can We Learn from Adversaries?
What Features in Prompts Jailbreak LLMs? Investigating the Mechanisms Behind Attacks
Nathalie Kirch · Severin Field · Stephen Casper
Keywords: [ Representation Engineering ] [ Jailbreaks ] [ Linear probes ] [ Gemma-7B-IT ] [ Transferability of jailbreaks ] [ Nonlinear probes ] [ Safety and reliability ] [ Jailbreak success ] [ Nonlinear features in attacks ] [ Latent Space Attacks ] [ Red-Teaming ] [ Mechanistic jailbreaks ] [ Adversarial perturbations ]
While ‘jailbreaks’ have been central to research on the safety and reliability of LLMs (large language models), the underlying mechanisms behind these attacks are not well understood. Some prior works have used linear methods to analyze jailbreak prompts or model refusal. Here, however, we compare linear and nonlinear probes to study the features in prompts that contribute to successful jailbreaks. We do this by probing for jailbreak success based only on the portions of the latent representations corresponding to prompt tokens. We first introduce a dataset of 10,800 jailbreak attempts from 35 attack methods. We then show that different jailbreaking methods work via different nonlinear features in prompts. Specifically, we find that while probes can distinguish between successful and unsuccessful jailbreaking prompts with a high degree of accuracy, they nonetheless transfer poorly to held-out attack methods. We also show that nonlinear probes can be used to mechanistically jailbreak the LLM by guiding the design of adversarial latent perturbations. These mechanistic jailbreaks are able to jailbreak Gemma-7B-IT more reliably than 34 of the 35 techniques that it was trained on. Ultimately, our results suggest that jailbreaks cannot be thoroughly understood in terms of universal or linear prompt features.