A Simple and Efficient Jailbreak Method Exploiting LLMs' Helpfulness

Safety alignment aims to prevent Large Language Models (LLMs) from responding to harmful queries. To strengthen safety protections, jailbreak methods are developed to simulate malicious attacks and uncover vulnerabilities. In this paper, we introduce HILL (Hiding Intention by Learning from LLMs), a novel jailbreak approach that systematically transforms imperative harmful requests into learning-style questions with only straightforward hypotheticality indicators. Further, we introduce two new metrics to thoroughly evaluate the utility of jailbreak methods. Experiments on the AdvBench dataset across a wide range of models demonstrate HILL's strong effectiveness, generalizability, and harmfulness. It achieves top attack success rates on the majority of models and across malicious categories while maintaining high efficiency with concise prompts. Results of various defense methods show the robustness of HILL, with most defenses having mediocre effects or even increasing the attack success rates. Moreover, the assessment on our constructed safe prompts reveals inherent limitations of LLMs' safety mechanisms and flaws in defense methods. This work exposes significant vulnerabilities of safety measures against learning-style elicitation, highlighting a critical challenge of balancing helpfulness and safety alignments.

Key Contributions

• HILL: a deterministic, model-agnostic prompt reframing framework that converts harmful imperative queries into learning-style questions with hypotheticality indicators to exploit LLMs' helpfulness
• Two novel metrics for evaluating jailbreak utility (efficiency and harmfulness dimensions beyond standard ASR)
• Empirical demonstration that most existing prompt-level defenses fail or even increase attack success rates against learning-style elicitation across 22 LLMs

🛡️ Threat Analysis

Details

Similar Papers