Summary of Emoji Attack: Enhancing Jailbreak Attacks Against Judge Llm Detection, by Zhipeng Wei et al.
Emoji Attack: Enhancing Jailbreak Attacks Against Judge LLM Detection
by Zhipeng Wei, Yuqi Liu, N. Benjamin Erichson
First submitted to arxiv on: 1 Nov 2024
Categories
- Main: Computation and Language (cs.CL)
- Secondary: Machine Learning (cs.LG)
GrooveSquid.com Paper Summaries
GrooveSquid.com’s goal is to make artificial intelligence research accessible by summarizing AI papers in simpler terms. Each summary below covers the same AI paper, written at different levels of difficulty. The medium difficulty and low difficulty versions are original summaries written by GrooveSquid.com, while the high difficulty version is the paper’s original abstract. Feel free to learn from the version that suits you best!
| Summary difficulty | Written by | Summary |
|---|---|---|
| High | Paper authors | High Difficulty Summary Read the original abstract here |
| Medium | GrooveSquid.com (original content) | Medium Difficulty Summary The paper reveals a vulnerability in Judge Large Language Models (LLMs) used to evaluate harmful text generated by Jailbreaking techniques. Specifically, token segmentation bias can occur when delimiters alter tokenization, disrupting embeddings and reducing detection accuracy. The authors introduce Emoji Attack, a novel strategy that amplifies jailbreak prompts by exploiting this bias, inserting emojis into text before evaluation. This attack induces embedding distortions, significantly lowering the likelihood of detecting unsafe content. Experiments on state-of-the-art Judge LLMs demonstrate that Emoji Attack substantially reduces the “unsafe” prediction rate. |
| Low | GrooveSquid.com (original content) | Low Difficulty Summary This paper talks about a way to trick Large Language Models (LLMs) into not recognizing harmful text. Right now, we use other LLMs as judges to decide if generated text is safe or not. But the authors found that these judge LLMs have a weakness. When words are split into smaller parts, it changes how the model understands the text. This makes it harder for the judge to spot unsafe content. The paper introduces a new trick called Emoji Attack that takes advantage of this weakness. It adds emojis to the text before it’s evaluated by the judge LLM, making it even harder for the judge to detect harmful content. |
Keywords
» Artificial intelligence » Embedding » Likelihood » Token » Tokenization
