Safety alignment and adversarial attack research for Large Language Models (LLMs) predominantly focuses on natural language inputs and outputs. This work introduces StructTransform, a blackbox attack against alignment where malicious prompts are encoded into diverse structure transformations. These range from standard formats (e.g., SQL, JSON) to novel syntaxes generated entirely by LLMs. By shifting harmful prompts Out-Of-Distribution (OOD) relative to typical natural language, these transformations effectively circumvent existing safety alignment mechanisms. Our extensive evaluations show that simple StructTransform attacks achieve high Attack Success Rates (ASR), nearing 90% even against state-of-the-art models like Claude 3.5 Sonnet. Combining structural and content transformations further increases ASR to over 96% without any refusals. We demonstrate the ease with which LLMs can generate novel syntaxes and their effectiveness in bypassing defenses, creating a vast attack surface. Using a new benchmark, we show that current alignment techniques and defences largely fail against these structure-based attacks. This failure strongly suggests a reliance on token-level patterns within natural language, rather than a robust, structure-aware conceptual understanding of harmful requests, exposing a critical need for generalized safety mechanisms robust to variations in input structure.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

StructTransform: A Scalable Attack Surface for Safety-Aligned Large Language Models

  • Shehel Yoosuf,
  • Temoor Ali,
  • Ahmed Lekssays,
  • Mashael AlSabah,
  • Issa Khalil

摘要

Safety alignment and adversarial attack research for Large Language Models (LLMs) predominantly focuses on natural language inputs and outputs. This work introduces StructTransform, a blackbox attack against alignment where malicious prompts are encoded into diverse structure transformations. These range from standard formats (e.g., SQL, JSON) to novel syntaxes generated entirely by LLMs. By shifting harmful prompts Out-Of-Distribution (OOD) relative to typical natural language, these transformations effectively circumvent existing safety alignment mechanisms. Our extensive evaluations show that simple StructTransform attacks achieve high Attack Success Rates (ASR), nearing 90% even against state-of-the-art models like Claude 3.5 Sonnet. Combining structural and content transformations further increases ASR to over 96% without any refusals. We demonstrate the ease with which LLMs can generate novel syntaxes and their effectiveness in bypassing defenses, creating a vast attack surface. Using a new benchmark, we show that current alignment techniques and defences largely fail against these structure-based attacks. This failure strongly suggests a reliance on token-level patterns within natural language, rather than a robust, structure-aware conceptual understanding of harmful requests, exposing a critical need for generalized safety mechanisms robust to variations in input structure.