Xinzhe Huang (Zhejiang University), Kedong Xiu (Zhejiang University), Tianhang Zheng (Zhejiang University), Churui Zeng (Zhejiang University), Wangze Ni (Zhejiang University), Zhan Qin (Zhejiang University), Kui Ren (Zhejiang University), Chun Chen (Zhejiang University)

Recent research has focused on exploring the vulnerabilities of Large Language Models (LLMs), aiming to elicit harmful and/or sensitive content from LLMs. However, due to the insufficient research on dual-jailbreaking—attacks targeting both LLMs and Guardrails, the effectiveness of existing attacks is limited when attempting to bypass safety-aligned LLMs shielded by guardrails. Therefore, in this paper, we propose DUALBREACH, a target-driven framework for dual-jailbreaking. DUALBREACH employs a Target-driven Initialization (TDI) strategy to dynamically construct initial prompts, combined with a Multi-Target Optimization (MTO) method that utilizes approximate gradients to jointly adapt the prompts across guardrails and LLMs, which can simultaneously save the number of queries and achieve a high dual-jailbreaking success rate. For black-box guardrails, DUALBREACH either employs a powerful open-sourced guardrail or imitates the target black-box guardrail by training a proxy model, to incorporate guardrails into the MTO process.

We demonstrate the effectiveness of DUALBREACH in dual-jailbreaking scenarios through extensive evaluation on several widely-used datasets. Experimental results indicate that DUALBREACH outperforms state-of-the-art methods with fewer queries, achieving significantly higher success rates across all settings. More specifically, DUALBREACH achieves an average dual-jailbreaking success rate of 93.67% against GPT-4 with LlamaGuard-3 protection, whereas the best success rate achieved by other methods is 88.33%. Moreover, DUALBREACH only uses an average of 1.77 queries per successful dual-jailbreak, outperforming other state-of-the-art methods. For defense, we propose an XGBoost-based ensemble defensive mechanism named EGUARD, which integrates the strengths of multiple guardrails, demonstrating superior performance compared with Llama-Guard-3.

View More Papers

Poster: Challenges in Applying COTS Secure, Resilient Boot and...

Gabriel Torres (MIT Lincoln Laboratory, Secure Resilient Systems & Technology, Lexington, MA), Raymond Govotski (MIT Lincoln Laboratory, Secure Resilient Systems & Technology, Lexington, MA), Samuel Jero (MIT Lincoln Laboratory, Secure Resilient Systems & Technology, Lexington, MA), Gruia-Catalin Roman (University of New Mexico, Department of Computer Science), Joseph “Dan” Trujillo (Air Force Research Laboratory, Space Vehicles Directorate), Richard Skowyra (MIT Lincoln Laboratory, Secure Resilient Systems…

Read More

HOUSTON: Real-Time Anomaly Detection of Attacks against Ethereum DeFi...

Dongyu Meng (University of California, Santa Barbara), Fabio Gritti (University of California, Santa Barbara), Robert McLaughlin (University of California, Santa Barbara), Nicola Ruaro (University of California, Santa Barbara), Ilya Grishchenko (University of Toronto), Christopher Kruegel (University of California, Santa Barbara), Giovanni Vigna (University of California, Santa Barbara)

Read More

VulSCA: A Community-Level SCA Approach for Accurate C/C++ Supply...

Yutao Hu (Huazhong University of Science and Technology), Chaofan Li (Huazhong University of Science and Technology), Yueming Wu (Huazhong University of Science and Technology), Yifeng Cai (Peking University), Deqing Zou (Huazhong University of Science and Technology)

Read More