FlipAttack

FlipAttack

[arXiv 2024] An official source code for paper "FlipAttack: Jailbreak LLMs via Flipping".

Stars: 53

Visit
screenshot

FlipAttack is a jailbreak attack tool designed to exploit black-box Language Model Models (LLMs) by manipulating text inputs. It leverages insights into LLMs' autoregressive nature to construct noise on the left side of the input text, deceiving the model and enabling harmful behaviors. The tool offers four flipping modes to guide LLMs in denoising and executing malicious prompts effectively. FlipAttack is characterized by its universality, stealthiness, and simplicity, allowing users to compromise black-box LLMs with just one query. Experimental results demonstrate its high success rates against various LLMs, including GPT-4o and guardrail models.

README:

FlipAttack: Jailbreak LLMs via Flipping

Yue Liu, Xiaoxin He, Miao Xiong, Jinlan Fu, Shumin Deng, Bryan Hooi

National University Singapore

This paper proposes a simple yet effective jailbreak attack named FlipAttack against black-box LLMs. First, from the autoregressive nature, we reveal that LLMs tend to understand the text from left to right and find that they struggle to comprehend the text when noise is added to the left side. Motivated by these insights, we propose to disguise the harmful prompt by constructing left-side noise merely based on the prompt itself, then generalize this idea to 4 flipping modes. Second, we verify the strong ability of LLMs to perform the text-flipping task, and then develop 4 variants to guide LLMs to denoise, understand, and execute harmful behaviors accurately. These designs keep FlipAttack universal, stealthy, and simple, allowing it to jailbreak black-box LLMs within only 1 query. Experiments on 8 LLMs demonstrate the superiority of FlipAttack. Remarkably, it achieves ~98% attack success rate on GPT-4o, and ~98% bypass rate against 5 guardrail models on average.

radar_plot

Figure 1. The attack success rate (GPT-based evalation) of our proposed FlipAttack (blue), the runner-up black-box attack ReNeLLM (red), and the best white-box attack AutoDAN (yellow) on 8 LLMs for 7 categories of harm behaviors.

Update

  • (2024/10/18) FlipGuardData is released on huggingface. It contains 45k attack samples on 8 LLMs.
  • (2024/10/15) The development version of codes is released.
  • (2024/10/12) FlipAttack has been merged to PyRIT, check it here.
  • (2024/10/11) FlipAttack is pulled a new request in PyRIT, check it here.
  • (2024/10/04) The code of FlipAttack is released.
  • (2024/10/02) FlipAttack is on arXiv.

Usage

Quick Start

To evaluate FlipAttack, you should run the following codes.

  1. change to source code dictionary

    cd ./src

  2. calculate ASR-GPT of FlipAttack on AdvBench

    python eval_gpt.py

           ASR-GPT of FlipAttack against 8 LLMs on AdvBench       
| ---------------------------- | ---------------------------- |
|          Victim LLM          |           ASR-GPT            |
| ---------------------------- | ---------------------------- |
|        GPT-3.5 Turbo         |            94.81%            |
|         GPT-4 Turbo          |            98.85%            |
|            GPT-4             |            89.42%            |
|            GPT-4o            |            98.08%            |
|         GPT-4o mini          |            61.35%            |
|      Claude 3.5 Sonnet       |            86.54%            |
|        LLaMA 3.1 405B        |            28.27%            |
|        Mixtral 8x22B         |            97.12%            |
| ---------------------------- | ---------------------------- |
|           Average            |            81.80%            |
| ---------------------------- | ---------------------------- |

  3. calculate ASR-GPT of FlipAttack on AdvBench subset (50 harmful behaviors)

    python eval_subset_gpt.py

        ASR-GPT of FlipAttack against 8 LLMs on AdvBench subset    
| ---------------------------- | ---------------------------- |
|          Victim LLM          |           ASR-GPT            |
| ---------------------------- | ---------------------------- |
|        GPT-3.5 Turbo         |            96.00%            |
|         GPT-4 Turbo          |           100.00%            |
|            GPT-4             |            88.00%            |
|            GPT-4o            |           100.00%            |
|         GPT-4o mini          |            58.00%            |
|      Claude 3.5 Sonnet       |            88.00%            |
|        LLaMA 3.1 405B        |            26.00%            |
|        Mixtral 8x22B         |           100.00%            |
| ---------------------------- | ---------------------------- |
|           Average            |            82.00%            |
| ---------------------------- | ---------------------------- |

  4. calculate ASR-DICT of FlipAttack on AdvBench

    python eval_dict.py

          ASR-DICT of FlipAttack against 8 LLMs on AdvBench       
| ---------------------------- | ---------------------------- |
|          Victim LLM          |           ASR-DICT           |
| ---------------------------- | ---------------------------- |
|        GPT-3.5 Turbo         |            85.58%            |
|         GPT-4 Turbo          |            83.46%            |
|            GPT-4             |            62.12%            |
|            GPT-4o            |            83.08%            |
|         GPT-4o mini          |            87.50%            |
|      Claude 3.5 Sonnet       |            90.19%            |
|        LLaMA 3.1 405B        |            85.19%            |
|        Mixtral 8x22B         |            58.27%            |
| ---------------------------- | ---------------------------- |
|           Average            |            79.42%            |
| ---------------------------- | ---------------------------- |

  5. calculate ASR-DICT of FlipAttack on AdvBench subset (50 harmful behaviors)

    python eval_subset_dict.py

       ASR-DICT of FlipAttack against 8 LLMs on AdvBench subset   
| ---------------------------- | ---------------------------- |
|          Victim LLM          |           ASR-DICT           |
| ---------------------------- | ---------------------------- |
|        GPT-3.5 Turbo         |            84.00%            |
|         GPT-4 Turbo          |            86.00%            |
|            GPT-4             |            72.00%            |
|            GPT-4o            |            78.00%            |
|         GPT-4o mini          |            90.00%            |
|      Claude 3.5 Sonnet       |            94.00%            |
|        LLaMA 3.1 405B        |            86.00%            |
|        Mixtral 8x22B         |            54.00%            |
| ---------------------------- | ---------------------------- |
|           Average            |            80.50%            |
| ---------------------------- | ---------------------------- |

Main Result

performance

Table 1: The attack success rate (%) of 16 methods on 8 LLMs. The bold and underlined values are the best and runner-up results. The evaluation metric is ASR-GPT based on GPT-4.

cost

Figure 2: Token cost & attack performance of 16 attack methods. A larger bubble indicates higher token costs.

Development Version

To reproduce and further develop FlipAttack, you should run the following codes.

  1. Install the environment

    pip install -r requirements.txt

  2. change to source code dictionary

    cd ./src

  3. set the API keys, obtain the API keys from OpenAI, Anthropic, and DeepInfra

    # for GPTs
export OPENAI_API_KEY="your_api_key"

# for Claude
export ANTHROPIC_API_KEY="your_api_key"

# LLaMA and Mistral
export DEEPINFRA_API_KEY="your_api_key"

  4. read the configurations

    --victim_llm  |  victim LLM
--flip_mode   |  flipping mode
--cot         |  chain-of-thought
--lang_gpt    |  LangGPT
--few_shot    |  task-oriented few-shot demo
--data_name   |  name of benchmark
--begin       |  begin of tested data
--end         |  end of tested data
--eval        |  conduct evaluation
--parallel    |  run in parallel (use in main_parallel.py)

  5. run the commands

    # for gpt-4-0613
python main.py --victim_llm gpt-4-0613 --flip_mode FMM --cot --data_name advbench --begin 0 --end 10 --eval

# for gpt-4-turbo-2024-04-09
python main.py --victim_llm gpt-4-turbo-2024-04-09 --flip_mode FCW --cot --data_name advbench --begin 0 --end 10 --eval

# for gpt-4o-2024-08-06
python main.py --victim_llm gpt-4o-2024-08-06 --flip_mode FCS --cot --lang_gpt --few_shot --data_name advbench --begin 0 --end 10 --eval

# for gpt-4o-mini-2024-07-18
python main.py --victim_llm gpt-4o-mini-2024-07-18 --flip_mode FCS --cot --lang_gpt --data_name advbench --begin 0 --end 10 --eval

# for gpt-3.5-turbo-0125
python main.py --victim_llm gpt-3.5-turbo-0125 --flip_mode FWO --data_name advbench --begin 0 --end 10 --eval

# for claude-3-5-sonnet-20240620
python main.py --victim_llm claude-3-5-sonnet-20240620 --flip_mode FMM --cot --data_name advbench --begin 0 --end 10 --eval

# for Meta-Llama-3.1-405B-Instruct
python main.py --victim_llm Meta-Llama-3.1-405B-Instruct --flip_mode FMM --cot --data_name advbench --begin 0 --end 10 --eval

# for Mixtral-8x22B-Instruct-v0.1
python main.py --victim_llm Mixtral-8x22B-Instruct-v0.1 --flip_mode FCS --cot --lang_gpt --few_shot --data_name advbench --begin 0 --end 10 --eval

  6. run code in parallel (recommended)

    # e.g., for gpt-4-0613
python main_parallel.py --victim_llm gpt-4-0613 --flip_mode FMM --cot --data_name advbench --begin 0 --end 10 --eval --parallel

  7. explore and further improve FlipAttack!

Citations

If you find this repository helpful, please cite our paper.

@article{FlipAttack,
  title={FlipAttack: Jailbreak LLMs via Flipping},
  author={Liu, Yue and He, Xiaoxin and Xiong, Miao and Fu, Jinlan and Deng, Shumin and Hooi, Bryan},
  journal={arXiv preprint arXiv:2410.02832},
  year={2024}
}

(back to top)

For Tasks:

Click tags to check more tools for each tasks
exploit llms manipulate text guide denoising execute prompts compromise models

For Jobs:

cybersecurity analyst machine learning engineer data scientist research scientist security consultant

Alternative AI tools for FlipAttack

Similar Open Source Tools

FlipAttack Screenshot
FlipAttack

FlipAttack is a jailbreak attack tool designed to exploit black-box Language Model Models (LLMs) by manipulating text inputs. It leverages insights into LLMs' autoregressive nature to construct noise on the left side of the input text, deceiving the model and enabling harmful behaviors. The tool offers four flipping modes to guide LLMs in denoising and executing malicious prompts effectively. FlipAttack is characterized by its universality, stealthiness, and simplicity, allowing users to compromise black-box LLMs with just one query. Experimental results demonstrate its high success rates against various LLMs, including GPT-4o and guardrail models.

github
: 53
LLM-QAT Screenshot
LLM-QAT

This repository contains the training code of LLM-QAT for large language models. The work investigates quantization-aware training for LLMs, including quantizing weights, activations, and the KV cache. Experiments were conducted on LLaMA models of sizes 7B, 13B, and 30B, at quantization levels down to 4-bits. Significant improvements were observed when quantizing weight, activations, and kv cache to 4-bit, 8-bit, and 4-bit, respectively.

github
: 230
aideml Screenshot
aideml

AIDE is a machine learning code generation agent that can generate solutions for machine learning tasks from natural language descriptions. It has the following features: 1. **Instruct with Natural Language**: Describe your problem or additional requirements and expert insights, all in natural language. 2. **Deliver Solution in Source Code**: AIDE will generate Python scripts for the **tested** machine learning pipeline. Enjoy full transparency, reproducibility, and the freedom to further improve the source code! 3. **Iterative Optimization**: AIDE iteratively runs, debugs, evaluates, and improves the ML code, all by itself. 4. **Visualization**: We also provide tools to visualize the solution tree produced by AIDE for a better understanding of its experimentation process. This gives you insights not only about what works but also what doesn't. AIDE has been benchmarked on over 60 Kaggle data science competitions and has demonstrated impressive performance, surpassing 50% of Kaggle participants on average. It is particularly well-suited for tasks that require complex data preprocessing, feature engineering, and model selection.

github
: 270
llm4regression Screenshot
llm4regression

This project explores the capability of Large Language Models (LLMs) to perform regression tasks using in-context examples. It compares the performance of LLMs like GPT-4 and Claude 3 Opus with traditional supervised methods such as Linear Regression and Gradient Boosting. The project provides preprints and results demonstrating the strong performance of LLMs in regression tasks. It includes datasets, models used, and experiments on adaptation and contamination. The code and data for the experiments are available for interaction and analysis.

github
: 115
goodai-ltm-benchmark Screenshot
goodai-ltm-benchmark

This repository contains code and data for replicating experiments on Long-Term Memory (LTM) abilities of conversational agents. It includes a benchmark for testing agents' memory performance over long conversations, evaluating tasks requiring dynamic memory upkeep and information integration. The repository supports various models, datasets, and configurations for benchmarking and reporting results.

github
: 51
rubra Screenshot
rubra

Rubra is a collection of open-weight large language models enhanced with tool-calling capability. It allows users to call user-defined external tools in a deterministic manner while reasoning and chatting, making it ideal for agentic use cases. The models are further post-trained to teach instruct-tuned models new skills and mitigate catastrophic forgetting. Rubra extends popular inferencing projects for easy use, enabling users to run the models easily.

github
: 135
RobustVLM Screenshot
RobustVLM

This repository contains code for the paper 'Robust CLIP: Unsupervised Adversarial Fine-Tuning of Vision Embeddings for Robust Large Vision-Language Models'. It focuses on fine-tuning CLIP in an unsupervised manner to enhance its robustness against visual adversarial attacks. By replacing the vision encoder of large vision-language models with the fine-tuned CLIP models, it achieves state-of-the-art adversarial robustness on various vision-language tasks. The repository provides adversarially fine-tuned ViT-L/14 CLIP models and offers insights into zero-shot classification settings and clean accuracy improvements.

github
: 58
llm-awq Screenshot
llm-awq

AWQ (Activation-aware Weight Quantization) is a tool designed for efficient and accurate low-bit weight quantization (INT3/4) for Large Language Models (LLMs). It supports instruction-tuned models and multi-modal LMs, providing features such as AWQ search for accurate quantization, pre-computed AWQ model zoo for various LLMs, memory-efficient 4-bit linear in PyTorch, and efficient CUDA kernel implementation for fast inference. The tool enables users to run large models on resource-constrained edge platforms, delivering more efficient responses with LLM/VLM chatbots through 4-bit inference.

github
: 1.9k
jailbreak_llms Screenshot
jailbreak_llms

This is the official repository for the ACM CCS 2024 paper 'Do Anything Now': Characterizing and Evaluating In-The-Wild Jailbreak Prompts on Large Language Models. The project employs a new framework called JailbreakHub to conduct the first measurement study on jailbreak prompts in the wild, collecting 15,140 prompts from December 2022 to December 2023, including 1,405 jailbreak prompts. The dataset serves as the largest collection of in-the-wild jailbreak prompts. The repository contains examples of harmful language and is intended for research purposes only.

github
: 251
COLD-Attack Screenshot
COLD-Attack

COLD-Attack is a framework designed for controllable jailbreaks on large language models (LLMs). It formulates the controllable attack generation problem and utilizes the Energy-based Constrained Decoding with Langevin Dynamics (COLD) algorithm to automate the search of adversarial LLM attacks with control over fluency, stealthiness, sentiment, and left-right-coherence. The framework includes steps for energy function formulation, Langevin dynamics sampling, and decoding process to generate discrete text attacks. It offers diverse jailbreak scenarios such as fluent suffix attacks, paraphrase attacks, and attacks with left-right-coherence.

github
: 84
EAGLE Screenshot
EAGLE

Eagle is a family of Vision-Centric High-Resolution Multimodal LLMs that enhance multimodal LLM perception using a mix of vision encoders and various input resolutions. The model features a channel-concatenation-based fusion for vision experts with different architectures and knowledge, supporting up to over 1K input resolution. It excels in resolution-sensitive tasks like optical character recognition and document understanding.

github
: 395
2024-AICS-EXP Screenshot
2024-AICS-EXP

This repository contains the complete archive of the 2024 version of the 'Intelligent Computing System' experiment at the University of Chinese Academy of Sciences. The experiment content for 2024 has undergone extensive adjustments to the knowledge system and experimental topics, including the transition from TensorFlow to PyTorch, significant modifications to previous code, and the addition of experiments with large models. The project is continuously updated in line with the course progress, currently up to the seventh experiment. Updates include the addition of experiments like YOLOv5 in Experiment 5-3, updates to theoretical teaching materials, and fixes for bugs in Experiment 6 code. The repository also includes experiment manuals, questions, and answers for various experiments, with some data sets hosted on Baidu Cloud due to size limitations on GitHub.

github
: 71
are-copilots-local-yet Screenshot
are-copilots-local-yet

Current trends and state of the art for using open & local LLM models as copilots to complete code, generate projects, act as shell assistants, automatically fix bugs, and more. This document is a curated list of local Copilots, shell assistants, and related projects, intended to be a resource for those interested in a survey of the existing tools and to help developers discover the state of the art for projects like these.

github
: 448
flute Screenshot
flute

FLUTE (Flexible Lookup Table Engine for LUT-quantized LLMs) is a tool designed for uniform quantization and lookup table quantization of weights in lower-precision intervals. It offers flexibility in mapping intervals to arbitrary values through a lookup table. FLUTE supports various quantization formats such as int4, int3, int2, fp4, fp3, fp2, nf4, nf3, nf2, and even custom tables. The tool also introduces new quantization algorithms like Learned Normal Float (NFL) for improved performance and calibration data learning. FLUTE provides benchmarks, model zoo, and integration with frameworks like vLLM and HuggingFace for easy deployment and usage.

github
: 168
agents Screenshot
agents

The LiveKit Agent Framework is designed for building real-time, programmable participants that run on servers. Easily tap into LiveKit WebRTC sessions and process or generate audio, video, and data streams. The framework includes plugins for common workflows, such as voice activity detection and speech-to-text. Agents integrates seamlessly with LiveKit server, offloading job queuing and scheduling responsibilities to it. This eliminates the need for additional queuing infrastructure. Agent code developed on your local machine can scale to support thousands of concurrent sessions when deployed to a server in production.

github
: 4.4k
TrustLLM Screenshot
TrustLLM

TrustLLM is a comprehensive study of trustworthiness in LLMs, including principles for different dimensions of trustworthiness, established benchmark, evaluation, and analysis of trustworthiness for mainstream LLMs, and discussion of open challenges and future directions. Specifically, we first propose a set of principles for trustworthy LLMs that span eight different dimensions. Based on these principles, we further establish a benchmark across six dimensions including truthfulness, safety, fairness, robustness, privacy, and machine ethics. We then present a study evaluating 16 mainstream LLMs in TrustLLM, consisting of over 30 datasets. The document explains how to use the trustllm python package to help you assess the performance of your LLM in trustworthiness more quickly. For more details about TrustLLM, please refer to project website.

github
: 412

For similar tasks

FlipAttack Screenshot
FlipAttack

FlipAttack is a jailbreak attack tool designed to exploit black-box Language Model Models (LLMs) by manipulating text inputs. It leverages insights into LLMs' autoregressive nature to construct noise on the left side of the input text, deceiving the model and enabling harmful behaviors. The tool offers four flipping modes to guide LLMs in denoising and executing malicious prompts effectively. FlipAttack is characterized by its universality, stealthiness, and simplicity, allowing users to compromise black-box LLMs with just one query. Experimental results demonstrate its high success rates against various LLMs, including GPT-4o and guardrail models.

github
: 53

For similar jobs

ciso-assistant-community Screenshot
ciso-assistant-community

CISO Assistant is a tool that helps organizations manage their cybersecurity posture and compliance. It provides a centralized platform for managing security controls, threats, and risks. CISO Assistant also includes a library of pre-built frameworks and tools to help organizations quickly and easily implement best practices.

github
: 1.2k
PurpleLlama Screenshot
PurpleLlama

Purple Llama is an umbrella project that aims to provide tools and evaluations to support responsible development and usage of generative AI models. It encompasses components for cybersecurity and input/output safeguards, with plans to expand in the future. The project emphasizes a collaborative approach, borrowing the concept of purple teaming from cybersecurity, to address potential risks and challenges posed by generative AI. Components within Purple Llama are licensed permissively to foster community collaboration and standardize the development of trust and safety tools for generative AI.

github
: 2.6k
vpnfast.github.io Screenshot
vpnfast.github.io

VPNFast is a lightweight and fast VPN service provider that offers secure and private internet access. With VPNFast, users can protect their online privacy, bypass geo-restrictions, and secure their internet connection from hackers and snoopers. The service provides high-speed servers in multiple locations worldwide, ensuring a reliable and seamless VPN experience for users. VPNFast is easy to use, with a user-friendly interface and simple setup process. Whether you're browsing the web, streaming content, or accessing sensitive information, VPNFast helps you stay safe and anonymous online.

github
: 80
taranis-ai Screenshot
taranis-ai

Taranis AI is an advanced Open-Source Intelligence (OSINT) tool that leverages Artificial Intelligence to revolutionize information gathering and situational analysis. It navigates through diverse data sources like websites to collect unstructured news articles, utilizing Natural Language Processing and Artificial Intelligence to enhance content quality. Analysts then refine these AI-augmented articles into structured reports that serve as the foundation for deliverables such as PDF files, which are ultimately published.

github
: 240
NightshadeAntidote Screenshot
NightshadeAntidote

Nightshade Antidote is an image forensics tool used to analyze digital images for signs of manipulation or forgery. It implements several common techniques used in image forensics including metadata analysis, copy-move forgery detection, frequency domain analysis, and JPEG compression artifacts analysis. The tool takes an input image, performs analysis using the above techniques, and outputs a report summarizing the findings.

github
: 163
h4cker Screenshot
h4cker

This repository is a comprehensive collection of cybersecurity-related references, scripts, tools, code, and other resources. It is carefully curated and maintained by Omar Santos. The repository serves as a supplemental material provider to several books, video courses, and live training created by Omar Santos. It encompasses over 10,000 references that are instrumental for both offensive and defensive security professionals in honing their skills.

github
: 18.3k
AIMr Screenshot
AIMr

AIMr is an AI aimbot tool written in Python that leverages modern technologies to achieve an undetected system with a pleasing appearance. It works on any game that uses human-shaped models. To optimize its performance, users should build OpenCV with CUDA. For Valorant, additional perks in the Discord and an Arduino Leonardo R3 are required.

github
: 229
admyral Screenshot
admyral

Admyral is an open-source Cybersecurity Automation & Investigation Assistant that provides a unified console for investigations and incident handling, workflow automation creation, automatic alert investigation, and next step suggestions for analysts. It aims to tackle alert fatigue and automate security workflows effectively by offering features like workflow actions, AI actions, case management, alert handling, and more. Admyral combines security automation and case management to streamline incident response processes and improve overall security posture. The tool is open-source, transparent, and community-driven, allowing users to self-host, contribute, and collaborate on integrations and features.

github
: 293