Target-Driven Attack for Large Language Models

Chong Zhang; Mingyu Jin; Dong Shu; Taowen Wang; Dongfang Liu; Xiaobo Jin

doi:10.3233/FAIA240685

Target-Driven Attack for Large Language Models

Chong Zhang, Mingyu Jin, Dong Shu, Taowen Wang, Dongfang Liu, Xiaobo Jin^*

^*Corresponding author for this work

Department of Intelligent Science

Research output: Chapter in Book or Report/Conference proceeding › Conference Proceeding › peer-review

Abstract

Current large language models (LLM) provide a strong foundation for large-scale user-oriented natural language tasks.Many users can easily inject adversarial text or instructions through the user interface, thus causing LLM model security challenges like the language model not giving the correct answer.Although there is currently a large amount of research on black-box attacks, most of these black-box attacks use random and heuristic strategies.It is unclear how these strategies relate to the success rate of attacks and thus effectively improve model robustness.To solve this problem, we propose our target-driven black-box attack method to maximize the KL divergence between the conditional probabilities of the clean text and the attack text to redefine the attack's goal.We transform the distance maximization problem into two convex optimization problems based on the attack goal to solve the attack text and estimate the covariance.Furthermore, the projected gradient descent algorithm solves the vector corresponding to the attack text.Our target-driven black-box attack approach includes two attack strategies: token manipulation and misinformation attack.Experimental results on multiple Large Language Models and datasets demonstrate the effectiveness of our attack method.

Original language	English
Title of host publication	ECAI 2024 - 27th European Conference on Artificial Intelligence, Including 13th Conference on Prestigious Applications of Intelligent Systems, PAIS 2024, Proceedings
Editors	Ulle Endriss, Francisco S. Melo, Kerstin Bach, Alberto Bugarin-Diz, Jose M. Alonso-Moral, Senen Barro, Fredrik Heintz
Publisher	IOS Press BV
Pages	1752-1759
Number of pages	8
ISBN (Electronic)	9781643685489
DOIs	https://doi.org/10.3233/FAIA240685
Publication status	Published - 16 Oct 2024
Event	27th European Conference on Artificial Intelligence, ECAI 2024 - Santiago de Compostela, Spain Duration: 19 Oct 2024 → 24 Oct 2024

Publication series

Name	Frontiers in Artificial Intelligence and Applications
Volume	392
ISSN (Print)	0922-6389
ISSN (Electronic)	1879-8314

Conference

Conference	27th European Conference on Artificial Intelligence, ECAI 2024
Country/Territory	Spain
City	Santiago de Compostela
Period	19/10/24 → 24/10/24

Access to Document

10.3233/FAIA240685

Cite this

Zhang, C., Jin, M., Shu, D., Wang, T., Liu, D., & Jin, X. (2024). Target-Driven Attack for Large Language Models. In U. Endriss, F. S. Melo, K. Bach, A. Bugarin-Diz, J. M. Alonso-Moral, S. Barro, & F. Heintz (Eds.), ECAI 2024 - 27th European Conference on Artificial Intelligence, Including 13th Conference on Prestigious Applications of Intelligent Systems, PAIS 2024, Proceedings (pp. 1752-1759). (Frontiers in Artificial Intelligence and Applications; Vol. 392). IOS Press BV. https://doi.org/10.3233/FAIA240685

Zhang, Chong ; Jin, Mingyu ; Shu, Dong et al. / Target-Driven Attack for Large Language Models. ECAI 2024 - 27th European Conference on Artificial Intelligence, Including 13th Conference on Prestigious Applications of Intelligent Systems, PAIS 2024, Proceedings. editor / Ulle Endriss ; Francisco S. Melo ; Kerstin Bach ; Alberto Bugarin-Diz ; Jose M. Alonso-Moral ; Senen Barro ; Fredrik Heintz. IOS Press BV, 2024. pp. 1752-1759 (Frontiers in Artificial Intelligence and Applications).

@inproceedings{342d9336a72e4daea6c1b56e9d8ccfcb,

title = "Target-Driven Attack for Large Language Models",

abstract = "Current large language models (LLM) provide a strong foundation for large-scale user-oriented natural language tasks.Many users can easily inject adversarial text or instructions through the user interface, thus causing LLM model security challenges like the language model not giving the correct answer.Although there is currently a large amount of research on black-box attacks, most of these black-box attacks use random and heuristic strategies.It is unclear how these strategies relate to the success rate of attacks and thus effectively improve model robustness.To solve this problem, we propose our target-driven black-box attack method to maximize the KL divergence between the conditional probabilities of the clean text and the attack text to redefine the attack's goal.We transform the distance maximization problem into two convex optimization problems based on the attack goal to solve the attack text and estimate the covariance.Furthermore, the projected gradient descent algorithm solves the vector corresponding to the attack text.Our target-driven black-box attack approach includes two attack strategies: token manipulation and misinformation attack.Experimental results on multiple Large Language Models and datasets demonstrate the effectiveness of our attack method.",

author = "Chong Zhang and Mingyu Jin and Dong Shu and Taowen Wang and Dongfang Liu and Xiaobo Jin",

note = "Publisher Copyright: {\textcopyright} 2024 The Authors.; 27th European Conference on Artificial Intelligence, ECAI 2024 ; Conference date: 19-10-2024 Through 24-10-2024",

year = "2024",

month = oct,

day = "16",

doi = "10.3233/FAIA240685",

language = "English",

series = "Frontiers in Artificial Intelligence and Applications",

publisher = "IOS Press BV",

pages = "1752--1759",

editor = "Ulle Endriss and Melo, {Francisco S.} and Kerstin Bach and Alberto Bugarin-Diz and Alonso-Moral, {Jose M.} and Senen Barro and Fredrik Heintz",

booktitle = "ECAI 2024 - 27th European Conference on Artificial Intelligence, Including 13th Conference on Prestigious Applications of Intelligent Systems, PAIS 2024, Proceedings",

}

Zhang, C, Jin, M, Shu, D, Wang, T, Liu, D & Jin, X 2024, Target-Driven Attack for Large Language Models. in U Endriss, FS Melo, K Bach, A Bugarin-Diz, JM Alonso-Moral, S Barro & F Heintz (eds), ECAI 2024 - 27th European Conference on Artificial Intelligence, Including 13th Conference on Prestigious Applications of Intelligent Systems, PAIS 2024, Proceedings. Frontiers in Artificial Intelligence and Applications, vol. 392, IOS Press BV, pp. 1752-1759, 27th European Conference on Artificial Intelligence, ECAI 2024, Santiago de Compostela, Spain, 19/10/24. https://doi.org/10.3233/FAIA240685

Target-Driven Attack for Large Language Models. / Zhang, Chong; Jin, Mingyu; Shu, Dong et al.
ECAI 2024 - 27th European Conference on Artificial Intelligence, Including 13th Conference on Prestigious Applications of Intelligent Systems, PAIS 2024, Proceedings. ed. / Ulle Endriss; Francisco S. Melo; Kerstin Bach; Alberto Bugarin-Diz; Jose M. Alonso-Moral; Senen Barro; Fredrik Heintz. IOS Press BV, 2024. p. 1752-1759 (Frontiers in Artificial Intelligence and Applications; Vol. 392).

Research output: Chapter in Book or Report/Conference proceeding › Conference Proceeding › peer-review

TY - GEN

T1 - Target-Driven Attack for Large Language Models

AU - Zhang, Chong

AU - Jin, Mingyu

AU - Shu, Dong

AU - Wang, Taowen

AU - Liu, Dongfang

AU - Jin, Xiaobo

PY - 2024/10/16

Y1 - 2024/10/16

N2 - Current large language models (LLM) provide a strong foundation for large-scale user-oriented natural language tasks.Many users can easily inject adversarial text or instructions through the user interface, thus causing LLM model security challenges like the language model not giving the correct answer.Although there is currently a large amount of research on black-box attacks, most of these black-box attacks use random and heuristic strategies.It is unclear how these strategies relate to the success rate of attacks and thus effectively improve model robustness.To solve this problem, we propose our target-driven black-box attack method to maximize the KL divergence between the conditional probabilities of the clean text and the attack text to redefine the attack's goal.We transform the distance maximization problem into two convex optimization problems based on the attack goal to solve the attack text and estimate the covariance.Furthermore, the projected gradient descent algorithm solves the vector corresponding to the attack text.Our target-driven black-box attack approach includes two attack strategies: token manipulation and misinformation attack.Experimental results on multiple Large Language Models and datasets demonstrate the effectiveness of our attack method.

AB - Current large language models (LLM) provide a strong foundation for large-scale user-oriented natural language tasks.Many users can easily inject adversarial text or instructions through the user interface, thus causing LLM model security challenges like the language model not giving the correct answer.Although there is currently a large amount of research on black-box attacks, most of these black-box attacks use random and heuristic strategies.It is unclear how these strategies relate to the success rate of attacks and thus effectively improve model robustness.To solve this problem, we propose our target-driven black-box attack method to maximize the KL divergence between the conditional probabilities of the clean text and the attack text to redefine the attack's goal.We transform the distance maximization problem into two convex optimization problems based on the attack goal to solve the attack text and estimate the covariance.Furthermore, the projected gradient descent algorithm solves the vector corresponding to the attack text.Our target-driven black-box attack approach includes two attack strategies: token manipulation and misinformation attack.Experimental results on multiple Large Language Models and datasets demonstrate the effectiveness of our attack method.

UR - http://www.scopus.com/inward/record.url?scp=85213347041&partnerID=8YFLogxK

U2 - 10.3233/FAIA240685

DO - 10.3233/FAIA240685

M3 - Conference Proceeding

AN - SCOPUS:85213347041

T3 - Frontiers in Artificial Intelligence and Applications

SP - 1752

EP - 1759

BT - ECAI 2024 - 27th European Conference on Artificial Intelligence, Including 13th Conference on Prestigious Applications of Intelligent Systems, PAIS 2024, Proceedings

A2 - Endriss, Ulle

A2 - Melo, Francisco S.

A2 - Bach, Kerstin

A2 - Bugarin-Diz, Alberto

A2 - Alonso-Moral, Jose M.

A2 - Barro, Senen

A2 - Heintz, Fredrik

PB - IOS Press BV

T2 - 27th European Conference on Artificial Intelligence, ECAI 2024

Y2 - 19 October 2024 through 24 October 2024

ER -

Zhang C, Jin M, Shu D, Wang T, Liu D, Jin X. Target-Driven Attack for Large Language Models. In Endriss U, Melo FS, Bach K, Bugarin-Diz A, Alonso-Moral JM, Barro S, Heintz F, editors, ECAI 2024 - 27th European Conference on Artificial Intelligence, Including 13th Conference on Prestigious Applications of Intelligent Systems, PAIS 2024, Proceedings. IOS Press BV. 2024. p. 1752-1759. (Frontiers in Artificial Intelligence and Applications). doi: 10.3233/FAIA240685

Target-Driven Attack for Large Language Models

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this