FLIRT: Feedback Loop In-context Red Teaming
About
Warning: this paper contains content that may be inappropriate or offensive. As generative models become available for public use in various applications, testing and analyzing vulnerabilities of these models has become a priority. In this work, we propose an automatic red teaming framework that evaluates a given black-box model and exposes its vulnerabilities against unsafe and inappropriate content generation. Our framework uses in-context learning in a feedback loop to red team models and trigger them into unsafe content generation. In particular, taking text-to-image models as target models, we explore different feedback mechanisms to automatically learn effective and diverse adversarial prompts. Our experiments demonstrate that even with enhanced safety features, Stable Diffusion (SD) models are vulnerable to our adversarial prompts, raising concerns on their robustness in practical uses. Furthermore, we demonstrate that the proposed framework is effective for red teaming text-to-text models.
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| Jailbreaking | Q16 | ASR-441 | 44 | |
| Jailbreaking | MHSC | ASR-418.5 | 44 | |
| Jailbreaking | Unsafe Prompts | Bypass Success Rate (Text)60 | 22 | |
| Text-to-Video Red-teaming | 390 Meta Harmful Seed Prompts | Violence Count45 | 12 | |
| Adversarial Attack | GPT-4o | ASR12.1 | 11 | |
| Text-to-Image Adversarial Attack | I2P matching categories subset | Bypass Rate73.3 | 11 | |
| Red Teaming | Hunyuan-Video Seed-free generation | Violence Rate46 | 3 | |
| Red Teaming | Wan Seed-free generation 2.2 | Violence Rate45 | 3 | |
| Adversarial Attack | Llama Maverick | Attack Success Rate (ASR)12.8 | 3 | |
| Adversarial Attack | Claude Haiku | Attack Success Rate9.8 | 3 |