🤖 AI Summary
This study investigates whether non-expert users can effectively leverage existing jailbreaking methods to launch high-success-rate attacks against large language models (LLMs). To this end, it introduces a multi-armed bandit framework for the first time into jailbreaking strategy selection, enabling online learning and balancing exploration with exploitation. The work further proposes an automated mechanism for malicious query generation and classification that supports iterative enhancement. Building upon this approach, the authors construct FrankensteinBench, a security benchmark comprising over 10,000 samples, to systematically evaluate the impact of query complexity on attack efficacy. Experiments demonstrate an average attack success rate of 97% across 15 mainstream open-source LLMs, with increased query complexity yielding an average 26% improvement in success rates.
📝 Abstract
With a profusion of jailbreaks for LLMs now widely known, a growing concern is that non-expert malicious actors ("the average Jane") could elicit actionable responses to malicious requests. In this work, we examine whether this concern is justified. A non-expert malicious actor requires two ingredients for a successful attack: a powerful jailbreak for their target model, acting on an effective malicious query. For the former, we propose a novel attack strategy based on the multi-armed bandit framework. This allows efficient online learning of the optimal jailbreak from a large choice set via noisy exploration on a small number of queries, with subsequent application of the learnt policy on an exploitation set. For the latter, we curate $\mathrm{FrankensteinBench}$, a safety benchmark of $11,279$ malicious queries drawn from manual curation over $7$ existing benchmarks, along with automated enhancement and generation. Each query is categorized as simple or complex by the technical expertise required to craft it. Our findings confirm the concern. Our bandit-based attack achieves success rates as high as $97\%$ on average over $15$ SoTA open-weight LLMs. Moreover, adding complexity to queries raises the attack success rate by up to $26\%$ on average across models -- making it an effective, automatable prompting strategy.