Beyond Suffixes: Token Position in GCG Adversarial Attacks on Large Language Models

Large Language Models (LLMs) have seen widespread adoption across multiple domains, creating an urgent need for robust safety alignment mechanisms. However, robustness remains challenging due to jailbreak attacks that bypass alignment via adversarial prompts. In this work, we focus on the prevalent Greedy Coordinate Gradient (GCG) attack and identify a previously underexplored attack axis in jailbreak attacks typically framed as suffix-based: the placement of adversarial tokens within the prompt. Using GCG as a case study, we show that both optimizing attacks to generate prefixes instead of suffixes and varying adversarial token position during evaluation substantially influence attack success rates. Our findings highlight a critical blind spot in current safety evaluations and underline the need to account for the position of adversarial tokens in the adversarial robustness evaluation of LLMs.

Key Contributions

• Identifies adversarial token position (prefix vs. suffix) as a previously underexplored attack axis in GCG-style jailbreak attacks
• Introduces GCG-prefix, a variant of GCG that prepends and optimizes adversarial tokens rather than appending them, achieving non-trivial ASR variation in both white-box and black-box cross-model settings
• Shows that safety evaluations that fix adversarial tokens to a single position overestimate LLM robustness, highlighting a critical blind spot

🛡️ Threat Analysis

Details

Similar Papers