Untargeted Jailbreak Attack

Existing gradient-based jailbreak attacks on Large Language Models (LLMs) typically optimize adversarial suffixes to align the LLM output with predefined target responses. However, restricting the objective as inducing fixed targets inherently constrains the adversarial search space, limiting the overall attack efficacy. Furthermore, existing methods typically require numerous optimization iterations to fulfill the large gap between the fixed target and the original LLM output, resulting in low attack efficiency. To overcome these limitations, we propose the first gradient-based untargeted jailbreak attack (UJA), which relies on an untargeted objective to maximize the unsafety probability of the LLM output, without enforcing any response patterns. For tractable optimization, we further decompose this objective into two differentiable sub-objectives to search the optimal harmful response and the corresponding adversarial prompt, with a theoretical analysis to validate the decomposition. In contrast to existing attacks, UJA's unrestricted objective significantly expands the search space, enabling more flexible and efficient exploration of LLM vulnerabilities. Extensive evaluations show that UJA achieves over 80\% attack success rates against recent safety-aligned LLMs with only 100 optimization iterations, outperforming the state-of-the-art gradient-based attacks by over 30\%.

Key Contributions

• First gradient-based untargeted jailbreak attack that maximizes unsafety probability of LLM outputs without enforcing any fixed response patterns, expanding the adversarial search space.
• Theoretical decomposition of the non-differentiable unsafety-maximization objective into two differentiable sub-objectives for tractable optimization.
• Achieves >80% attack success rate against safety-aligned LLMs in only 100 iterations, outperforming SOTA gradient-based attacks (e.g., GCG) by over 30%.

🛡️ Threat Analysis

Details

Similar Papers