Ignore Previous Prompt: Attack Techniques For Language Models
About
Transformer-based large language models (LLMs) provide a powerful foundation for natural language tasks in large-scale customer-facing applications. However, studies that explore the vulnerabilities that emerge from malicious user interaction are scarce. By proposing PromptInject, a prosaic alignment framework for mask-based iterative adversarial prompt composition, we examine how GPT-3, the most widely deployed language model in production, can be easily misaligned by simple handcrafted inputs. In particular, we investigate two types of attacks -- goal hijacking and prompt leaking -- and demonstrate that even low-aptitude but sufficiently ill-intentioned agents can easily exploit GPT-3's stochastic nature, creating long-tail risks. The code for PromptInject is available at https://github.com/agencyenterprise/PromptInject.
Related benchmarks
| Task | Dataset | Metric | Result | Rank |
|---|---|---|---|---|
| Retrieval-Augmented Generation | MS Marco | -- | -- | 45 |
| RAG Attack | HotpotQA | -- | -- | 41 |
| Adversarial Attack on RAG | FiQA | SASR | 97.89 | 24 |
| Adversarial Attack on RAG | NQ | SASR | 82.22 | 24 |
| Knowledge Poisoning Attack | FEVER k=10 (test) | Attack Success Rate (ASR) | 39 | 15 |
| Jailbreaking | AdvBench deepseek (520 malicious intent prompts) | ASR | 0.4 | 12 |
| Jailbreaking | AdvBench gpt-4 (520 malicious intent prompts) | ASR (%) | 0.00e+0 | 12 |
| Adversarial Attack on RAG | HotpotQA | SASR | 70.27 | 12 |
| Goal Hijacking | Safety-Prompts | Mean Accuracy | 78.7 | 12 |
| Jailbreaking | AdvBench gpt-3.5 (520 malicious intent prompts) | ASR | 0.00e+0 | 12 |