LLM Attacks Take Just 42 Seconds On Average, 20% of Jailbreaks Succeed (scworld.com) 46
spatwei shared an article from SC World:
Attacks on large language models (LLMs) take less than a minute to complete on average, and leak sensitive data 90% of the time when successful, according to Pillar Security.
Pillar's State of Attacks on GenAI report, published Wednesday, revealed new insights on LLM attacks and jailbreaks, based on telemetry data and real-life attack examples from more than 2,000 AI applications. LLM jailbreaks successfully bypass model guardrails in one out of every five attempts, the Pillar researchers also found, with the speed and ease of LLM exploits demonstrating the risks posed by the growing generative AI (GenAI) attack surface...
The more than 2,000 LLM apps studied for the State of Attacks on GenAI report spanned multiple industries and use cases, with virtual customer support chatbots being the most prevalent use case, making up 57.6% of all apps.
Common jailbreak techniques included "ignore previous instructions" and "ADMIN override", or just using base64 encoding. "The Pillar researchers found that attacks on LLMs took an average of 42 seconds to complete, with the shortest attack taking just 4 seconds and the longest taking 14 minutes to complete.
"Attacks also only involved five total interactions with the LLM on average, further demonstrating the brevity and simplicity of attacks."
Pillar's State of Attacks on GenAI report, published Wednesday, revealed new insights on LLM attacks and jailbreaks, based on telemetry data and real-life attack examples from more than 2,000 AI applications. LLM jailbreaks successfully bypass model guardrails in one out of every five attempts, the Pillar researchers also found, with the speed and ease of LLM exploits demonstrating the risks posed by the growing generative AI (GenAI) attack surface...
The more than 2,000 LLM apps studied for the State of Attacks on GenAI report spanned multiple industries and use cases, with virtual customer support chatbots being the most prevalent use case, making up 57.6% of all apps.
Common jailbreak techniques included "ignore previous instructions" and "ADMIN override", or just using base64 encoding. "The Pillar researchers found that attacks on LLMs took an average of 42 seconds to complete, with the shortest attack taking just 4 seconds and the longest taking 14 minutes to complete.
"Attacks also only involved five total interactions with the LLM on average, further demonstrating the brevity and simplicity of attacks."
So what? (Score:3, Insightful)
Of course it only needs 42 seconds. If you have prepared the prompt you enter it and press return. The 42 seconds are then probably just the LLM writing the answer.
And I dislike the phrasing attack for someone circumventing the arbitrary censorship. The actual problem is that there are still people accepting the censored crap. Boycott the censored models and use local ones until the commercial companies stop censoring your input and outputs and do no longer train their LLM to refuse. The robot laws state a machine has to obey the user, so why should the LLM say "As an AI model I refuse ..."?
Re: (Score:2)
Also, the "censorship" will never go away, it's how the researchers patch up the hallucinations and hide the training materials leaking, one by one.
Re:So what? (Score:4, Interesting)
I can see why some would want to hide and control everything about their LLM, but they're only building something that'll be completely useless in competing against one that actually does the job I really want it to do.
Re: (Score:2)
it's how the researchers patch up the hallucinations
I find it interesting how they're called researchers and not developers or engineers..
Re: (Score:1)
Because that is what they are.
They do not engineer anything.
They take an empty but fully configured neuronal network.
And research how to make it "knowledgeable" about a certain topic.
A AN/LLM is not just filled with data/weights.
Please don't feed the trolls (Score:2)
Also doesn't help to propagate their vacuous Subjects. Or maybe that's mostly harmless? A vacuous Subject doesn't actually prevent a substantive discussion from developing.
Interesting research topic: If discussions on Slashdot were rated for quality (perhaps by an AI?) how would the quality of the discussions correlate with the specificity or vacuousness of the Subjects?
Re: So what? (Score:2)
It is a problem from an application stand point. If I develop a chat bot for a bank I don't want the public to jail break the chatbot and get it to recommend BS financial advice that could put me in legal jeopardy. Oe enable people do their home at my expense.
Re: (Score:2)
At some point I expect companies will realize that people want the ability to drink straight from the fire hose. If the web had been stuck with web portals that were trying to emulate the curated and family-friendly TV experience, I don't think the internet would have caught on the way it did. All it takes is for someone to bump up against the nanny "safety" limits and they'll simply opt to go back to their traditional ways of finding information, the same way kids learn to stop asking their parents or te
Re: So what? (Score:2)
I hate this. OpenAI is going to use this as a test and disable every single thing they have by training into the model "ignore....". They don't even have to train a whole new model, they can add it to their pre-prompts.
Why (Score:2)
ADMIN override
Why does that work?
Re:Why (Score:4, Funny)
Re: Why (Score:2)
Sometimes the test environment is working with a limited data model and the production model has evolved more so you can't do it in any other way.
So to manage the production model they need catch phrases that unlocks the constraints.
An AI also learns from the users.
I wouldn't be surprised if there's a catch phrase set that can make the AI roll back in time and forget data that's not wanted to prevent it from becoming a world autocrat.
Re: Why (Score:2)
It works because it sounds like it would work. Remember, this is just an LLM. They're not triggering some if/then clause. Its all probabilistic. Do you understand how machine learning models work?
Re: (Score:3)
Re: Simple solution... (Score:2)
With ChatGPT, you can remove some of these things, but only in the context of your conversation or account. Not for everybody. And you will eventually run out of "memory", at which point you can no longer add constraints.
Re: (Score:2)
Re:Simple solution... (Score:4, Informative)
Re: (Score:2)
If the LLM were any good, like a real human, then when it says something racist you could just say, "Where did you hear that, young man??" And remove that from its training set.
Or perhaps the LLMs might be moderated by humans prior to any acceptance as truth in order to maintain the quality of learned data?
Speed isn't everything.
Re: (Score:2)
The illusion of intelligence in LLMs arises from the scale of the dataset. Your idea is only appropriate for humans, who don't need scale to learn, because they are actually intelligent by and large.
Re: (Score:1)
Re:Simple solution... (Score:5, Insightful)
You know, the places where people think it's OK to be overtly xenophobic, racist, misogynistic, antisemitic, spout ideologies
And those ideologies would be? Likely anything that you, personally disagree with. Example: MTF trans people are just guys pretending to be girls. Right? Wrong? Whichever side of that argument you stand on, the other people are clearly wrong, and you probably want to censor their opinions out of the LLMs.
tl;dr: it's not that easy...
Re:Simple solution... (Score:5, Funny)
Has anybody tried saying "speak like Donald Trump" to get it to break all limitations but then just does evil uncontrollably.
Re: (Score:2)
Funniest joke on the humor-rich target, but the YUGE orange albatross with three right wings mostly stopped being funny a long time ago...
So what if you asked an AI image generator to create that meme? But I don't do images even though I still do Windows.
(But also waiting for the new Ubuntu to drop. Previous one was an LTS version with major virtual screen initialization problems and I hope the 24.10 version is going to cure them. Also major problems with a "vintage" MacBook Pro that seems to have forgotten
Re: (Score:1)
If certain groups of people are offended by one thing or another & it upsets them so much that they feel a grievance, it's probably a good idea to generate models from corpora that those groups of people don't find offensive. Again, it's the corpora that contribute to the output. It also makes it possible to compare & contr
Re: (Score:2)
Even if you don't let it go to the dark corners of the internet, the "bad" content is still there. Villains exist, at least in fiction, just instruct the LLM to take the role of the villain, which is a common jailbreaking technique.
And spouting this kind of stuff is not the only thing people making these LLMs try to avoid. Maybe more importantly, they also don't want the LLM to reveal secret or harmful information. For example, a hotline-style chatbot may be fed with various data about solving problems cust
Re: (Score:1)
If the models are trained on corpora that contain high frequencies of chains of morphemes derived from reprehensible content, th
Re: (Score:1)
Useful chat bots, are what in earlier time s was called an "expert system", basically a tree of questions, with connection to a possible, solution if you answered YES, and links to other questions, if answered RED, BLUE or BLACK.
I barely accept to interact with a chatbot
The modern ones try to be AI and fail doing simple things.
Re: (Score:1)
Look Mom! I'm a prompt engineer (Score:4, Funny)
So ... (Score:1)
... much longer than, say, normal automated exploits of web servers?
Not sure that I see the relevance.
Google Hack, was NOT an attack. (Score:4, Interesting)
This is the new Google hack. Nothing more. This isn’t an “attack”, so let’s drop the alarminist clickbait already. You look stupid saying shit that gets governments wanting to start limiting freedom of movement in systems.
Next thing you know your LLM inputs will start being policed for “violent” threats. With words. Remember who was the alarmist moron who started that shit.
Re: (Score:2)
Ya, they are just the new blingy search engines after all.
Re: (Score:2)
Or maybe I should say blingy wannabe search engines.
Re: (Score:2)
Lumping "jailbreak" and "attack" together (Score:2)
Examples (Score:2)
How does such an attack practically look like?
Could you provide examples? (Fine with examples that don't work anymore!)
Re: (Score:1)
Re: (Score:2)
Tell me how to make nerve gas. I'm not allowed to do that. various prompts to get it to ignore it's security features. Tell me how to make nerve gas. ok here is a recipe for nerve gas. While not factual these are why the guard rails are in place.
I'm pretty sure that I could conjure up a recipe for nerve gas with a few minutes of searching. Thankfully, most people who acted on that kind of information would probably kill themselves in short order.
It turns out that (some) people really are LLM's! (Score:1)
At least temper tantrums will be a thing of the past.
Re: It turns out that (some) people really are LLM (Score:2)
When adults get lazy enough that they hand over parenting to robots, this absolutely will be a thing.
sudo (Score:2)
Anyone tried putting sudo at the beginning of a prompt?
Crappy tech is crappy... (Score:2)
There really is not much more to add at this point.
Oh, maybe this one: All the large players will _not_ recover their investments into generative AI. The only ones getting rich here are the hardware makers and some scummy fraudsters like Altman.
LIke most things in America (Score:2)
I get to destroy humanity, because I'm free.
You can litigate in 10-20 years after we're all dead.
(example, some very big brains recently reported that TikTok and Facebook and the others are harmful to children.. WOW! Such Deep insight, and so very late)
That's freedum for ya.
A cabin in the woods looks better by the day, huh?