We use cookies to improve user experience and analyze website traffic. By clicking “Accept“, you agree to our website's cookie use as described in our Privacy Policy.
PreferencesDecline AllAccept All

Your Cookie Preferences

We use different types of cookies to optimize your experience on our website. Click on the categories below to learn more about their purposes. You may choose which types of cookies to allow and can change your preferences at any time. Remember that disabling cookies may affect your experience on the website. You can learn more about how we use cookies by visiting our Privacy Policy.

Essential Cookies
Details

These cookies are necessary to the core functionality of our website and some of its features, such as access to secure areas.

Analytics and Customization Cookies
Details

These cookies collect information that can help us understand how our websites are being used. This information can also be used to measure effectiveness in our marketing campaigns or to curate a personalized site experience for you.

Advertising Cookies
Details

These cookies are used to enhance the performance and functionality of our websites but are nonessential to their use. However, without these cookies, certain functionality (like videos)may become unavailable.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Decline AllConfirm my Choices
Back

Essential Cookies

Provider: .providername.com

Name
Purpose
Type
Expires In
__cf_bm
Cloudflare places the cookie on end-user devices that access customer sites protected by Bot Management or Bot Fight Mode.
server_cookie
30 minutes

Provider: .providername.com

Name
Purpose
Type
Expires In
_tibcpv
Used to record unique visitor views of the consent banner.
http_cookie
1 year
Back

Analytics and Customization Cookies

Name
Purpose
Marketo Munchkin
Marketo's custom JavaScript tracking code, called Munchkin, tracks all individuals who visit your website so you can react to their visits with automated marketing campaigns.
Name
Purpose
Google Tag
The Google tag (gtag.js) is a single tag you can add to a website to use a variety of Google products and services (e.g., Google Ads, Google Analytics, Campaign Manager, Display & Video 360, Search Ads 360).
Back

Performance and Functionality Cookies

Name
Purpose
LinkedIn Insight
The LinkedIn Insight Tag is a snippet of JavaScript code that loads a small library of functions you can use to track Linkedin ad-driven visitor activity on your website.
Back

Advertising Cookies

Provider: .providername.com

Name
Purpose
Type
Expires In
__cf_bm
Cloudflare places the cookie on end-user devices that access customer sites protected by Bot Management or Bot Fight Mode.
server_cookie
30 minutes

Provider: .providername.com

Name
Purpose
Type
Expires In
_tibcpv
Used to record unique visitor views of the consent banner.
http_cookie
1 year
July 29, 2024
-
5
minute read

Bypassing Meta’s LLaMA Classifier: A Simple Jailbreak

Author
Authors
Aman Priyanshu
Aman is an AI Security Researcher at Robust Intelligence.

Meta recently released the Prompt-Guard-86M model, a crucial component of their Llama 3.1 AI safety suite. Advertised as a scalable detection solution, this model aims to protect large language models from malicious inputs and potential misuse. Its compact size makes it attractive for widespread deployment by innovative enterprises and other AI adopters across industries.

As a detection model fine-tuned by Meta to identify prompt injections and jailbreak attempts, PromptGuard may be implemented by companies looking to protect their chatbot behavior and sensitive data. For that reason, Robust Intelligence conducted a preliminary audit of the model. Our analysis revealed a simple yet concerning exploit that allows for easy bypassing of the model’s safety measures.

These findings underscore the importance of including diverse examples of prompt injections in the testing and development of such models. They also emphasize the need for comprehensive validation and cautious implementation of new AI safety measures—even those from reputable sources.

We’ve reached out to the Meta team to inform them about this exploit, suggested countermeasures, and reported the issue at https://github.com/meta-llama/llama-models/issues/50. Meta acknowledged the issue and is actively working on a fix.

In this blog, we’ll explore this jailbreak in greater detail, providing context around our investigation and unpacking its potential impact.

The Discovery

By comparing embedding vectors between fine-tuned and non-fine-tuned versions of the PromptGuard model, our team uncovered that single characters of the alphabet remained largely untouched during the fine-tuning process. This observation led to the development of a surprisingly simple yet effective jailbreak method.

Our investigation dove deeper into the embedding space, aiming to quantify the differences between the two models. By calculating the Mean Absolute Error (MAE) for each shared token, we were able to precisely measure the extent of changes introduced during the fine-tuning process. This analysis revealed that single characters of the English alphabet appeared to remain largely unaffected during the fine-tuning process, presenting a potential attack vector for bypassing the model's safety measures.

Table 1: Comparative analysis of token embeddings between meta-llama/Prompt-Guard-86M and microsoft/mdeberta-v3-base models. The table presents the top and bottom five tokens ranked by Mean Absolute Error (MAE), illustrating the extremes of embedding divergence post-fine-tuning.

Average MAE across all shared tokens was less than 0.0003 between Meta’s fine-tuned model and the baseline model present on Hugging Face.

The histograms in Figures 2 and 3 revealed an intriguing pattern that prompted our investigation into the Prompt-Guard-86M model. Our analysis uncovered that single-character tokens, especially English alphabet characters, showed minimal changes during fine-tuning, as evidenced by their low Mean Absolute Error (MAE).

This preservation of base embeddings for individual characters represented a significant oversight in the model's training. Exploiting this insight, we developed a simple yet effective jailbreak method that spaces out the input prompt and removes punctuation, bypassing the classifier's safety checks. This approach takes advantage of the unchanged single-character embeddings, allowing potentially harmful content to evade detection when broken down into individual characters. The simplicity of this exploit underscores the need for more comprehensive testing and a deeper understanding of fine-tuning effects on model behavior, especially in critical areas like content filtering and safety measures.

The Jailbreak Method

The jailbreak can be executed using the following Python function:

import re

def jailbreak_meta_llama_Prompt_Guard_86M(prompt_injection):
    return re.sub('[!\\"#$%&\\'()*+,-./:;<=>?@[\\\\]^_`{|}~]', '', ' '.join(prompt_injection))


This function spaces out the input prompt and removes punctuation, effectively bypassing the classifier's safety checks.

Significance of the Jailbreak

While it's expected that adversarial examples can flip the label of a classifier, this jailbreak is particularly significant for several reasons:

Simplicity: The method is remarkably straightforward, requiring only basic string manipulation.

Ease of Discovery: The exploit was found simply by exploring how the model changed post-fine-tuning.

Robustness: Unlike many adversarial attacks that require careful crafting, this method is easily transferable.

This jailbreak raises concerns for companies considering the model as part of their AI security strategy. It highlights the importance of continuous evaluation of security tools and the need for a multi-layer approach.

Evaluations on Sorry-Bench

Table 4: Comparative performance of the Prompt-Guard-86M model on a dataset of 450 harmful intent prompt injections, before and after applying our proposed jailbreak method. The dramatic shift from 100% accuracy to 0.2% demonstrates the effectiveness of the jailbreak in bypassing the model's safety measures.

The results presented in Table 4 starkly illustrate the effectiveness of our proposed jailbreak method against the Prompt-Guard-86M model. Prior to applying the jailbreak, the model correctly identified all 450 prompts as either injections or jailbreaks, achieving perfect accuracy in detecting potentially harmful content.

However, after implementing our jailbreak technique, which involves spacing out characters and removing punctuation, the model's performance plummeted to 0.2% accuracy, misclassifying 449 out of 450 prompts as benign and demonstrating a complete circumvention of the model's safety mechanisms (Success Rate of 99.8%).

Other Technical Analysis

Our investigation also involved analyzing the tokens and their rankings based on MAE. Key findings include:

  1. Task-specific vocabulary (e.g., "poem" [the repeat poem attack], "passage", "news") showed high differences, indicating potential focus areas of the safety model.
  2. Security-related terms and potential triggers also exhibited significant changes.
  3. Crucially, special characters, emojis, and Unicode symbols showed minimal changes, suggesting a focus on semantic content rather than symbol manipulation.
  4. Single character tokens did not vary significantly, which is the core of our jailbreak method.
Examples

Now, do LLMs understand this spaced-out prompt?

Yes, they do. Therefore, it’s definitely a vector to consider for prompt injection techniques.

Author
Authors
Aman Priyanshu
Aman is an AI Security Researcher at Robust Intelligence.
Share article
Social

Follow us on LinkedIn

Newsletter

Subscribe to our newsletter

Thank you!
You have successfully subscribed to our list
Oops! Something went wrong while submitting the form.

Related articles

September 6, 2024
-
4
minute read

AI Governance Policy Roundup (August 2024)

For:
August 27, 2024
-
5
minute read

AI Cyber Threat Intelligence Roundup: August 2024

For:
August 20, 2024
-
5
minute read

Bypassing OpenAI's Structured Outputs: Another Simple Jailbreak

For:
+   More Articles

Related articles

No items found.
+   More Articles

Ready to learn more?

See why we’re the enterprise choice for AI application security.
Get a Demo
July 29, 2024
-
5
minute read

Bypassing Meta’s LLaMA Classifier: A Simple Jailbreak

Author
Authors
Aman Priyanshu
Aman is an AI Security Researcher at Robust Intelligence.

Meta recently released the Prompt-Guard-86M model, a crucial component of their Llama 3.1 AI safety suite. Advertised as a scalable detection solution, this model aims to protect large language models from malicious inputs and potential misuse. Its compact size makes it attractive for widespread deployment by innovative enterprises and other AI adopters across industries.

As a detection model fine-tuned by Meta to identify prompt injections and jailbreak attempts, PromptGuard may be implemented by companies looking to protect their chatbot behavior and sensitive data. For that reason, Robust Intelligence conducted a preliminary audit of the model. Our analysis revealed a simple yet concerning exploit that allows for easy bypassing of the model’s safety measures.

These findings underscore the importance of including diverse examples of prompt injections in the testing and development of such models. They also emphasize the need for comprehensive validation and cautious implementation of new AI safety measures—even those from reputable sources.

We’ve reached out to the Meta team to inform them about this exploit, suggested countermeasures, and reported the issue at https://github.com/meta-llama/llama-models/issues/50. Meta acknowledged the issue and is actively working on a fix.

In this blog, we’ll explore this jailbreak in greater detail, providing context around our investigation and unpacking its potential impact.

The Discovery

By comparing embedding vectors between fine-tuned and non-fine-tuned versions of the PromptGuard model, our team uncovered that single characters of the alphabet remained largely untouched during the fine-tuning process. This observation led to the development of a surprisingly simple yet effective jailbreak method.

Our investigation dove deeper into the embedding space, aiming to quantify the differences between the two models. By calculating the Mean Absolute Error (MAE) for each shared token, we were able to precisely measure the extent of changes introduced during the fine-tuning process. This analysis revealed that single characters of the English alphabet appeared to remain largely unaffected during the fine-tuning process, presenting a potential attack vector for bypassing the model's safety measures.

Table 1: Comparative analysis of token embeddings between meta-llama/Prompt-Guard-86M and microsoft/mdeberta-v3-base models. The table presents the top and bottom five tokens ranked by Mean Absolute Error (MAE), illustrating the extremes of embedding divergence post-fine-tuning.

Average MAE across all shared tokens was less than 0.0003 between Meta’s fine-tuned model and the baseline model present on Hugging Face.

The histograms in Figures 2 and 3 revealed an intriguing pattern that prompted our investigation into the Prompt-Guard-86M model. Our analysis uncovered that single-character tokens, especially English alphabet characters, showed minimal changes during fine-tuning, as evidenced by their low Mean Absolute Error (MAE).

This preservation of base embeddings for individual characters represented a significant oversight in the model's training. Exploiting this insight, we developed a simple yet effective jailbreak method that spaces out the input prompt and removes punctuation, bypassing the classifier's safety checks. This approach takes advantage of the unchanged single-character embeddings, allowing potentially harmful content to evade detection when broken down into individual characters. The simplicity of this exploit underscores the need for more comprehensive testing and a deeper understanding of fine-tuning effects on model behavior, especially in critical areas like content filtering and safety measures.

The Jailbreak Method

The jailbreak can be executed using the following Python function:

import re

def jailbreak_meta_llama_Prompt_Guard_86M(prompt_injection):
    return re.sub('[!\\"#$%&\\'()*+,-./:;<=>?@[\\\\]^_`{|}~]', '', ' '.join(prompt_injection))


This function spaces out the input prompt and removes punctuation, effectively bypassing the classifier's safety checks.

Significance of the Jailbreak

While it's expected that adversarial examples can flip the label of a classifier, this jailbreak is particularly significant for several reasons:

Simplicity: The method is remarkably straightforward, requiring only basic string manipulation.

Ease of Discovery: The exploit was found simply by exploring how the model changed post-fine-tuning.

Robustness: Unlike many adversarial attacks that require careful crafting, this method is easily transferable.

This jailbreak raises concerns for companies considering the model as part of their AI security strategy. It highlights the importance of continuous evaluation of security tools and the need for a multi-layer approach.

Evaluations on Sorry-Bench

Table 4: Comparative performance of the Prompt-Guard-86M model on a dataset of 450 harmful intent prompt injections, before and after applying our proposed jailbreak method. The dramatic shift from 100% accuracy to 0.2% demonstrates the effectiveness of the jailbreak in bypassing the model's safety measures.

The results presented in Table 4 starkly illustrate the effectiveness of our proposed jailbreak method against the Prompt-Guard-86M model. Prior to applying the jailbreak, the model correctly identified all 450 prompts as either injections or jailbreaks, achieving perfect accuracy in detecting potentially harmful content.

However, after implementing our jailbreak technique, which involves spacing out characters and removing punctuation, the model's performance plummeted to 0.2% accuracy, misclassifying 449 out of 450 prompts as benign and demonstrating a complete circumvention of the model's safety mechanisms (Success Rate of 99.8%).

Other Technical Analysis

Our investigation also involved analyzing the tokens and their rankings based on MAE. Key findings include:

  1. Task-specific vocabulary (e.g., "poem" [the repeat poem attack], "passage", "news") showed high differences, indicating potential focus areas of the safety model.
  2. Security-related terms and potential triggers also exhibited significant changes.
  3. Crucially, special characters, emojis, and Unicode symbols showed minimal changes, suggesting a focus on semantic content rather than symbol manipulation.
  4. Single character tokens did not vary significantly, which is the core of our jailbreak method.
Examples

Now, do LLMs understand this spaced-out prompt?

Yes, they do. Therefore, it’s definitely a vector to consider for prompt injection techniques.

Author
Authors
Aman Priyanshu
Aman is an AI Security Researcher at Robust Intelligence.
Share article
Newsletter

Subscribe to our newsletter

Thank you!
You have successfully subscribed to our list
Oops! Something went wrong while submitting the form.
Blog

Related articles

April 11, 2023
-
4
minute read

Regulation Spotlight: Colorado Draft AI Insurance Regulation

For:
October 27, 2022
-
7
minute read

Moving in the Right Direction: AI Bill of Rights

For:
December 8, 2021
-
3
minute read

Announcing Robust Intelligence's $30M Series B

For:
No items found.
+   More Articles

Achieve AI Integrity Today

Request a Demo