benchmark 2025

A methodological analysis of prompt perturbations and their effect on attack success rates

Tiago Machado , Maysa Malfiza Garcia de Macedo , Rogerio Abreu de Paula , Marcelo Carpinette Grave , Aminat Adebiyi , Luan Soares de Souza , Enrico Santarelli , Claudio Pinhanez

IBM Research

0 citations · arXiv
α

Published on arXiv

2511.10686

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

Statistically significant ASR variation under small prompt perturbations across all three alignment methods, indicating that standard single-configuration benchmarks are insufficient to characterize model robustness.

This work aims to investigate how different Large Language Models (LLMs) alignment methods affect the models' responses to prompt attacks. We selected open source models based on the most common alignment methods, namely, Supervised Fine-Tuning (SFT), Direct Preference Optimization (DPO), and Reinforcement Learning with Human Feedback (RLHF). We conducted a systematic analysis using statistical methods to verify how sensitive the Attack Success Rate (ASR) is when we apply variations to prompts designed to elicit inappropriate content from LLMs. Our results show that even small prompt modifications can significantly change the Attack Success Rate (ASR) according to the statistical tests we run, making the models more or less susceptible to types of attack. Critically, our results demonstrate that running existing 'attack benchmarks' alone may not be sufficient to elicit all possible vulnerabilities of both models and alignment methods. This paper thus contributes to ongoing efforts on model attack evaluation by means of systematic and statistically-based analyses of the different alignment methods and how sensitive their ASR is to prompt variation.

Key Contributions

  • Systematic statistical analysis (significance testing) of ASR sensitivity to prompt perturbations across SFT, DPO, and RLHF alignment methods
  • Demonstrates that even small prompt modifications can produce statistically significant changes in ASR, challenging the reliability of single-prompt attack benchmarks
  • Highlights that existing attack benchmark protocols (AdvBench, HarmBench) may underestimate the range of vulnerabilities in aligned LLMs

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llmtransformer
Threat Tags
black_boxinference_time
Datasets
AdvBenchHarmBench
Applications
llm safety evaluationchatbot alignment
Read PDF arXiv DOI

Similar Papers

benchmark

Say It Differently: Linguistic Styles as Jailbreak Vectors

2025 1 cit.
100%
benchmark

Small Symbols, Big Risks: Exploring Emoticon Semantic Confusion in Large Language Models

2026 0 cit.
100%
benchmark

Replicating TEMPEST at Scale: Multi-Turn Adversarial Attacks Against Trillion-Parameter Frontier Models

2025 0 cit.
100%
benchmark

Are LLMs Vulnerable to Preference-Undermining Attacks (PUA)? A Factorial Analysis Methodology for Diagnosing the Trade-off between Preference Alignment and Real-World Validity

2026 0 cit.
100%
benchmark

The Facade of Truth: Uncovering and Mitigating LLM Susceptibility to Deceptive Evidence

2026 0 cit.
100%
benchmark

Hidden-in-Plain-Text: A Benchmark for Social-Web Indirect Prompt Injection in RAG

2026 3 cit.
100%
benchmark

Learning the Wrong Lessons: Syntactic-Domain Spurious Correlations in Language Models

2025 2 cit.
100%
benchmark

AI Security Beyond Core Domains: Resume Screening as a Case Study of Adversarial Vulnerabilities in Specialized LLM Applications

2025 1 cit.
100%