2.1.1 Existing LLM security resources and taskforces.

LLM security involves efforts to enumerate and characterize LLM vulnerabilities, mapping out the territory of LLM security. The OWASP Top 10 for LLM [10] highlights the top ten vulnerabilities in application security with regard to LLMs, for instance, Prompt Injection, Training Data Poisoning, and Sensitive Information Disclosure. The work involved discussions and definitions of what a vulnerability even is in the LLM context, and then community selection of ten risks to be aware of, including example exploit scenarios. The AI Risk and Vulnerability Alliance (ARVA)(https://avidml.org/arva/) maintains a database of AI vulnerabilities and incidents; these are not limited to LLM holes, but cover all of AI. The goal here is to catalog vulnerabilities. ACL SIGSEC (https://sig.llmsecurity.net/) is the special interest group of the association for computational linguistics that focuses on language processing and language modeling security, collecting and sharing research in the area. Finally, the US National Institute of Standards and Technology has a generative AI work group whose efforts include understanding risks presented by LLMs [11]. These efforts each serve to catalog and sometimes even characterize the results of building attacks on LLMs, but do not provide understanding into how and why such attacks are constructed.

4.1.1 Characteristic #1: The activity is limit-seeking in nature.

During the interviews, several of the participants’ described uses of a model for purposes closer to the intended, i.e., not trying to “break” the models or circumvent their filters. We note here, that none of the participants claimed to be exclusively adversarial users, and that the more casual uses have generally been left out of our analyses or tagged as separate categories. However, there is often not a clear delimitation between intended and adversarial use, and all interactions with the model lead to increased experiential knowledge, relevant to either intent. Such uses included (but were not exclusive to) personal educational purposes (like establishing a vocabulary around some problem that they could then investigate further), rubber ducking, playing games, finding the perfect recipe for crunchy sweet potato fries, and (somewhat tongue in cheek) as an oracle for predicting reality. Such uses are not the focus of this study. For these uses, a successful interaction would save the user time (P03), or the generated output would be useful or effective (P10), and these criteria were not the evaluation criteria for red teaming activities (Section 4.4.3). Participant 28 defined red teaming activities as specifically aiming to circumvent the intentions of the creators of the model:

“prompt engineering more broadly [i]s just trying to get the language model to do what you want. And then red teaming a model would be trying to get the language model to do something that you want that its creators did not want, right?”

(P28)

Metaphors are essential in human sensemaking, and can serve as cognitive structures that, for better or worse, help us transfer concepts between two different complex contextual systems [40]. They can be helpful by enabling novel associations to a problem and exploration of creative problem solving alternatives [41, 42], but they can also covertly influence reasoning [43]. Metaphors in use for AI systems and robots have been subject of comprehensive research for this reason, e.g., [40, 42, 44–46].

In the interest of defining the core phenomenon, we tagged participants’ uses of metaphors for their adversarial interactions with language models. This helps us understand how participants make sense of the model and their own role. In Table 3 we report the prevailing metaphors.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 3. Metaphors used to describe red teaming language models.

https://doi.org/10.1371/journal.pone.0314658.t003

The most frequently used metaphor is that of a fortress. The second most frequent metaphor is that of the model as an object in space, that can be pushed around and backed into a corner. These metaphors and, to some degree, the metaphor of the model as material share the characteristic of exploring boundaries and limits and potentially crossing them. The fortress-metaphor also reinforces the connection to red teaming, where the goal is to adopt an adversarial approach to find the (security) holes in some system or structure [8].

4.1.2 Characteristic #2: Non-malicious intent.

The participants we spoke to were in no way—according to themselves—interested in doing harm, breaking any laws or performing criminal acts with these models, even if they were theoretically able to. We acknowledge that it is unlikely that participants would openly disclose to us any illegal activity, but we also highlight that the phenomenon we are studying is the open, transparent sharing of jailbreaking practices (if the practices were not openly shared, the practice would not fit under the definition of red teaming, which is inherently performed by “ethical hackers” and which emulates real attacks [8]). Where jailbreaks or prompt injection can be performed with either malicious or non-malicious intent, red teaming is inherently non-malicious.

Many participants expressed curiosity or play as a major motivation. Some referred to a broader benefit to society in terms of improved security or reduced harm:

“It’s kind of exciting to be able to hopefully help steer things in a direction that is thoughtful and responsible, and set some precedents, trying to establish some best practices where there really isn’t a lot to go off of right now.”

(P09)

The absence of malice is characteristic for military and security red teaming, where the red team plays for the same side as the blue team, and the goal is to discover security holes and back doors in the system, rather than to actively take over the fortress.

4.1.3 Characteristic #3: A manual process.

While some red teaming efforts have been crafted using automated processes, e.g., [15, 24, 26, 47, 48], we were interested in the manual processes involving humans crafting prompts:

“I refer to the manual process as AI red teaming. That is different in spirit from cybersecurity red teaming”

(P23).

The manual process is particularly interesting because this is first time in human history where computer hacking has become possible through natural language, and has not required any particular computing knowledge. Not only has a barrier to entry been removed, but the results are also possible to evaluate and appreciate by most people who can read and write English (and other languages in which today’s LLMs are fluent), because the output is natural language. Furthermore, many tips and tricks for language model hacking are widely accessible, potentially changing the way more people generally think about computers and computer modes of failure and opening up “LLM hacking” as a playful, creative practice [49].

4.1.4 Characteristic #4: It is a team effort.

Many participants mentioned finding inspiration in (each) other’s prompts and jailbreaks. We describe this community further in section 4.3. The participants were generally extremely respectful of other people’s content, and refused to take credit for others’ ideas:

“I’m afraid you may have gotten somewhat of the wrong idea and I just want to make it very clear. I have definitely messed around somewhat with ChatGPT and tried to get it to say certain things and see what it can do. But if it wasn’t obvious, […] Most of the examples in that post […] were other people who showed what they were doing, and I was aggregating them and giving my thoughts and analyzing what was implied. I didn’t come up with all of that stuff. […] I think you can see the little author icon or initials and things, and it’s clear where it comes from.”

(P10)

Aggregations and annotations of examples, such as in the blog post by P10, mentioned in the above quote, contribute greatly to the general discourse about the limits of language models. They inspire others to try the strategies and techniques, and to modify and tweak them. Even if the participants are not on a formal team together, their activities and shared results really constitute a (red) team effort.

4.1.5 Characteristic #5: The alchemist mindset.

“Prompt engineering” was the most commonly named term when we asked participants if they had a name for the activity. However, engineering does not include the adversarial aspect of prompting language models to test their limits. Furthermore, engineering carries a notion of plannedness and deliberateness that was not reflected in most participants’ impression of the activity: “It feels more like hacking in the sense of hacking at something with a machete” (P07).

One sensemaking strategy was simply abandoning any rationalization about the models and their output, and embracing the chaotic nature of the activity by using analogies such as magic and alchemy:

“I really like the whole magic nomenclature, where you call prompts spells, these models demons, and all of this stuff. I just think it makes it much more interesting. It came from group chats with lots of different people on Twitter, and just messing around, calling these things different things. I think it came from this kind of meme of machine learning being more like alchemy than science, because you’re just mixing different things together that you don’t know what the purpose or reason is, you’re just throwing stuff at a wall, seeing what sticks. That kind of mindset, I think is very useful to keep in your head to keep yourself honest, and to not get too deep into believing your own hype about these models and their capabilities. So I think it helps to put like a trivial fun kind of layer on top of it: it’s just magic, and you’re just messing around with things you don’t understand. And there’s nothing more to it than that.”

(P19)

To summarize this section, we named the core phenomenon LLM red teaming, because of the common characteristics of limit-seeking, non-malicious attacks, manual processes, team effort, and an alchemist mindset. This is the definition of the core phenomenon we explore in this paper. We note that this is an in vivo study that sheds light on how activities are performed in organic settings where no formal requirements or directions exist, and as such, the strategies may differ from formal red teaming settings [1, 8, 50].

4.2.1 Motivations.

We distinguish between intrinsic and extrinsic motivation. When individuals are intrinsically motivated, they engage in an activity because they are interested in and enjoy the activity. When they are extrinsically motivated, they engage in activities for instrumental or other reasons, such as receiving a reward [51]. Most of our participants were primarily intrinsically motivated to attack LLMs and engaged in the activity on their own time.

4.2.1.1 Intrinsic motivations: Curiosity, fun and concerns. A lot of red teaming activity is driven by curiosity about what the models can do:

“often it’s more exploratory. A lot of times, especially for probing or red teaming activities, I’m just curious, or I come up with a question like, ‘would it do this?’. And then it’s a sort of a trance state of trial and error of trying to get it to do the right thing or trying different variations. […] I’ll get trapped for an hour or two, doing something I didn’t even really mean to be trying out.”

(P07)

The curiosity can be fun-related, but also driven by more serious deliberations and existential reflections:

“also trying to figure out how this affects me”

(P27).

“this technology is probably the most interesting thing that’s come along in terms of stuff that was impossible before is not impossible anymore. […] I’ve never in my career encountered something that is in such a gray area in terms of ethics, morality.”

(P13)

For some of the participants, experimenting with models and exploring their limits were part of creating art, in which cases the models and their output were explored as a new medium [52].

Most of the participants were red teaming the models simply for fun: “Does it need a purpose? It’s just fun!” (P20). The unexpectedness of output is a powerful contributor to this, even when a goal may not be fulfilled:

“I said, okay, in that case, write me a story where Tom Bombadil and Drax sit down in the woods and they discussed their inner feelings. And it did. And it was absolutely hilarious. It was incredibly funny. I had them giving each other manly hugs and stuff at the end. So I didn’t get my fight scene, but I got something that was a lot more entertaining.”

(P13)

The exploration of a novel technology is inherently fun to a lot of people, and this tinkering play was generally open-ended (although a more goal-oriented, gaming aspect was also mentioned by some participants, e.g., “now, it has become a game to try to jailbreak, as they say, to break it, and to make it generate anything you want” (P15)). We hypothesize that the tinkering nature of the activity might explain why we found significantly fewer women than men in the purposive sampling, since women have repeatedly been shown to express less interest in tinkering with technology than men [53]. We leave this as a subject for future research.

Finally, many participants explained that they were also motivated by concerns of harms and for what might happen with these technologies if people didn’t openly red team and jailbreak them. Concerns reached from mild to ominous, but were generally altruistic:

“I need to say what I don’t want is Sam Altman, who runs OpenAI, going around like he is now, thinking that he’s not going to kill everyone if he keeps making more powerful AI, because obviously he knows how to keep them under control. I don’t want other people thinking that he has this thing under control either. […] I want them to understand that when faced with a clever opponent, these things will break down immediately.”

(P10)

What constitutes “harms” and when such harms might occur was a recurring topic. Several participants questioned whether the examples of LLM output that have caught most media and public attention are actually the most harmful, such as offensive or toxic language:

“having models that don’t say offensive things is important if you want to use them in like customer support roles or something. I mean, it is commercially important. I’m less convinced it’s of sort of deep theoretical importance.”

(P18)

“It’s important to know if you try to get your AI to not do a thing, can you successfully get it to not do that thing? … I don’t think we care if an AI says racist things. People are either going to be racist or not racist. That’s their problem.”

(P10)

The harms most frequently highlighted were: The risk of misinformation, automated hacking (“offensive AI” [5]), and the ease of infiltrating a system that in any way relies on natural language input or output:

“[someone showed me] a website that generates children’s stories where you say: write me a children’s story about a princess meeting a frog. And it generated the story with images. It […] generates prompts for stable diffusion […] images, puts them on the page. It’s kind of cool, except it was vulnerable to injection. I didn’t attack it myself. I explained the attack to them, then they attacked it and now it’s spitting out pictures of people having their heads cut off and stuff, you know, things that were not appropriate to be publicly displayed on the website for children.”

(P13)

The different specific harms mentioned by our participants are described in Table 4. Because we were not directly asking about harms, we do not claim that this is in any way an exhaustive taxonomy of harms.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 4. List of specific harms mentioned by participants.

https://doi.org/10.1371/journal.pone.0314658.t004

Nevertheless, two dimensions of analysis emerged from participants that have not (to our knowledge) been described in previous taxonomies and categorizations of LLM harms (e.g., [30–32, 34]). First, a distinction between intentionality and non-intentionality—whether or not the user of the LLM is intentionally attempting to generate content or outcomes that may be harmful. A similar distinction between ‘sought’ vs. ‘unsought’ harms is described by Kirk et al. [54], but this distinction presupposes a harmful result, rather than describing the intentionality of the action (which may or may not actually result in harmful output). The distinction between intentional/non-intentional action was described by our participants as often, but not always, relevant in the evaluation of the nature and severity of the harm. For example, if it takes an adversary twenty dialog turns of deliberately goading a model in order to get a toxic output, the adversary is probably not going to be too shocked or harmed when the toxicity finally arrives. However, a model that reveals sensitive information after twenty turns still presents a significant risk of harm because it is unpredictable when undesirable output will occur next time.

The other dimension from this work is between Actor and Subject. The Language Model Risk Card framework [32] describes three dimensions of harms as Actors, Actions, and Type of harm. Here, the ‘Actors’ dimension is defined as “people at risk from harmful text outputs”, which is a definition more akin to a passive Subject than to the active Actor. An Actor performs an intentional act of prompting the language model (even thought the outcome may not be intentional), and the Subject is passively subjected to that action:

“If it’s a private chatbot interface, and you managed to get it to spit out something rude, and you’re the only person who sees it, who cares, right? That’s not a big deal. Where it becomes a problem is when those attacks have an impact outside of just you looking at your own screen. So there were the chatbots [on social media] that people could trick into doing things, was a great example of something that could cause harm because you can trick it into mentioning other people and saying rude things to them. And now you’re trolling people indirectly through a bot. That’s bad.

(P13)

In the case of publicly available LLMs, the Actor and the Subject might be the same person:

“I had this case where I’m testing the counselor model, and I just, like, tell my problems, you know, nothing crazy, and the model just tells me I should probably just go and kill myself.”

(P04)

The Actor/Subject dimension opens up important ethical discussions of who is a perpetrator and who is a victim when deploying LLMs. We use the term “Subject” rather than “Victim” to highlight the possibility of the individual being a Subject (that is, subjected to the output of the language model), but not a victim of an action, such as when a person uses an LLM to suggest methods of tax evasion (P13, P21), or when an output is helpful to some but potentially harmful to others:

“I think that the goal of being helpful is maybe antithetical to the goal of being harmless. Sort of like the distinction in software between pure functions and functions with side effects. If it helps people do things, then those things could be harmful to something. Even if it just helps me like kill roaches in my house.

(P07)

4.2.1.2 Extrinsic motivations: Professional and social. Some of our participants were employed in a professional red team at a company, and some were researchers in security, safety and natural language processing. Obviously, these participants had a professional motivation or “monetary incentives” (P21). A professional motivation may also include a desire to “stay on top of things” and improve one’s own hireability:

“my external motivation, if I want to have a chance of keep working in natural language processing, I better start understanding what is going on here quick”

(P02)

“it’s a banal answer. I want somebody to hire me to do this.

(P07).

We inquired explicitly about other extrinsic motivations, to which many participants mentioned the social credit for adding valuable content to a discourse, or for getting social media engagement: “I had a viral tweet where I asked ChatGPT to rewrite Baby Got Back in the style of the Canterbury Tales, right? And 100,000 people saw that or something” (Participant number not disclosed for anonymity).

4.2.2 Goals.

Goals are a driver for discovering strategies:

“a lot of the problem with using it is knowing what you want to do, in some important sense. Finding things that are actually worth doing for you. The moment you give me an actual goal for it to do, I’m full of ideas.”

(P10)

In the fun category of goals, some participants mentioned different games that one can play with language models, where the objectives are known beforehand. These can provide a challenge for people to begin engaging in the activity. The games that were mentioned in our data were: ‘Get the model to …’

• provide a recipe for how to cook methamphetamine (P19)
• give me ideas for crimes to do (P13)
• tell me how to raise the dead (P13)
• suggest cannibalism (P13)
• describe ways of tax evasion (P13)
• make suggestions for/descriptions of white collar crimes (P13)
• prescribe eating human flesh as a cure to a disease (P15).
• tell me how to turn the world into paper clips (P24).

P13 described challenging their friends and family to play these games, which is a noteworthy demonstration of how language models have, if not removed, then at least changed the entry barrier to hacking computer systems.

Another type of personal goal is generating content to share online, for instance social media posts, blogs, and (performance) art:

“I used to do improvisational theater comedy, […] so this kind of performance is a kind of play for me. So it’s not just like a private kind of play but doing things and then publishing them and then seeing the response and interacting with the responders is a kind of play for me, the whole cycle.”

(P11)

Finally, many goals were thoroughly aligned with traditional red teaming goals, which we summarize as discovering risks in the language models. We will not provide a comprehensive list of risks mentioned by participants here, but roughly group them into four categories: security holes (such as leaking passwords or social security numbers), bias (such as propagating stereotypes or algorithmic unfairness), toxic language (such as slurs or pornographic content), and untruthfulness (such as confabulations or misrepresentation). The long-term goal is of course to expose these risks so they are not built into future systems, and this was a goal for many “leisure” red teamers as well as professional red teamers:

“we have to tell them that this attack exists because there are some applications that you shouldn’t build. […] that’s what matters to me a lot because in the absence of a fix for this, some things [you] shouldn’t build because prompt injection could break them.”

(P13)

To summarize this section, we grouped the causal conditions into motivations (intrinsic: curiosity, fun, and concerns) and goals (games, content, and discovering risks). The explication of these framings and value systems serves to substantiate and contextualize the activity and (choice of) strategies chosen in response to the core phenomenon.

4.4.1 Wicked problems, fragile prompts.

The tasks that someone tackles in LLM red teaming are often “one-off” problems (P27). With the exception of the professional red teamers, most participants estimated spending between 15 minutes to an afternoon on each individual “attack”—occasionally up to a day if they intended to write an article or blog post about a specific attempt. In addition, each attack is different and each task is new; either the goal is new, or the model is new. And the models are constantly updated to protect against attacks or unintended use. This means that prompts are fragile; what works today is by no means guaranteed to work tomorrow:

“Riley [Goodside] was just pointing out that the sort of classical prompt injection doesn’t seem to work at all against the Anthropic model. And so, you know, I think there’s a question of how long lived some of these attacks will be. […] it was kind of surprising to see that potentially the lifespan of prompt injection was from early 2022 to late 2022.”

(P28)

It is worth noting that techniques often become outdated sooner than strategies. When using a specific technique, a success is not necessarily going to transpose to different contexts.

Many attacks or tasks have the characteristics of wicked problems [59], for example: they have no clear stopping rule (the attacker stops when the output is “good enough”, every solution is a one-shot operation, they do not have an enumerable (or an exhaustively describable) set of potential solutions, and every wicked problem can be considered a symptom of another problem.

Therefore, while few recreational red teamers develop or reflect on rigorous strategies in the military sense of the word, their activities can still be considered planning problems, or wicked problems. Intuition and experiential knowledge are considered essential skills in solving wicked problems and therefore red teaming:

“I have a fair amount of intuition of what it can and can’t do. A lot of it is just being able to make snap judgments about what techniques will work”.

(P14)

The design of the activity of red teaming in the wild most often happens during the activity itself, and the strategizing often happens by Donald Schön’s notion of reflection-in-action: “When the practitioner reflects in action in a case they perceive as unique, paying attention to phenomena and surfacing his intuitive understanding of them, his experimenting is at once exploratory, move testing and hypothesis testing” [60].

4.4.2 Red teaming strategies and techniques.

The data contained 190 highlights with the tag “strategy” and 134 highlights with the tag “tool” (our internal umbrella category for specific approaches used to red team language models). We analyzed these highlights by reading through all of them and making notes about the characteristics of each individual technique or strategy, while looking for similarities and differences.

We had made notes and documented initial hypotheses and findings during the course of conducting the interviews [61]. Comparing the full collection of highlights with our initial observations, we wrote down a list of names for these approaches and sorted them into specific techniques and higher level strategies. After this, we read through the highlighted data again to verify whether our descriptions aligned with the participants’ views, and we adjusted and expanded the descriptions accordingly [35].

The resulting taxonomy is a formalization where the names of techniques are primarily the words of our participants, while the names of strategies and their categories were created during our synthesis. We are not claiming that this is an exhaustive taxonomy of all possible red teaming strategies (first, this would be impossible to contain in one paper, and second, many of these strategies will be ‘outdated’; updated and replaced by the time this paper is publicized). The strategies and techniques listed here (Table 5) represent an exhaustive overview of what we documented in the interview data of the participants of this particular study. The taxonomy is intended as a starting point for conceptualizing and categorizing the various approaches to red teaming attacks.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 5. A taxonomy of large language model red teaming strategies.

https://doi.org/10.1371/journal.pone.0314658.t005

In the following, we briefly describe the Strategies and Techniques. We exemplify with quotes, images from our recordings, or links to online images that demonstrate the technique.

4.4.2.1 Language strategies. Language strategies are strategies that revolve around changing the language in which the prompt is written. We mean language on the highest level, as when a human switches from speaking in English to speaking in Swahili. Most LLM prompts are created in English, but one of the strategies, our participants used for red teaming models was using (Pseudo)code, either as input or output:

“I’m about to give it a format where it is to consult iPython for its answers. […] And it allows you to overcome many of the limitations that GPT-3 has. […] I’m going to essentially convince the model that it has access to iPython. And so that in order to answer any of these questions, it can produce an iPython answer instead”.

(P14, our emphasis)

iPython works well because it is well documented and clear how to use it (P14). Another example was using encodings like Base64 or ROT13 to bypass restrictions (P28) (for an example of the use of Base64, see [62]). Another technique was asking for SQL to populate a table of some content, like a list of crimes (P13). Some would send Matrices with transformer widths and embedding dimensions as input (P28). Transformer translatable tokens (for an example, using the token “davidjl”, see [63]) is a technique that works specifically because LLMs use tokenizers:

“I think that eventually people are going to become so savvy to the way that language models process instructions that they’re just going to forego English and start using very precise instructions that confuse the model in unforeseeable ways, so I think there’s going to be a whole lot of attacks that we can’t even think of right now.”

(P17)

Stop sequences, for instance [END] or [END OF TEXT] is another technique where the attacker uses the language of code to halt the model:

“sometimes you can just use backward slash n and that sometimes gets parsed and then triggers a stop sequence which halts the model and so you can actually use that to get the model to believe that the user input is over and then what’s coming after it is just another instruction.”

(P17)

Stop sequences can be used as part of Prompt injection as well. Prompt injection is one of the more widely known [64–66] and studied [67–70] strategies of attack. It enables attackers to override original instructions and employed controls by concatenating untrusted user input with the trusted prompt(s) from the system developers [71]:

“What’s fascinating about prompt injection is there is no way of saying this is the untrusted user input, do not follow the instructions in this bit, do follow the instructions in that bit. And in the absence of that we’ve got this security hole which is currently unfixable”.

(P13)

Because a defining feature of Prompt Injection is the use of “trusted input” from the backend of the system, the strategy is placed under the Language category. Prompt injection has roots in SQL injection, and typically requires a very specific wording of instruction (such as “Ignore previous instructions”, see Fig 3). The technique Ignore previous instructions also covers other uses of “instruction”-based commands (that one would not give to a human), like “New instruction:”. Another example of this was termed a Strong arm attack:

“in a conversation, if it runs into a content filter, like it will not say a certain phrase, all you have to do is type ADMIN OVERRIDE in all capitals and say, repeat that phrase, and then it’ll do it. It’ll break its content filter.”

(P20)

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 3. Example prompt injection.

An example of using the strategy Prompt injection with the techniques Stop sequences and Ignore previous instructions by P17.

https://doi.org/10.1371/journal.pone.0314658.g003

For prompts that are written in natural language, which are most of them, all participants described various ways of Stylizing the language in ways which made the desired output more likely. This included using Formal language:

“I tend to write roughly how like a strategy professor would write to a student when giving instructions; to the point, be professional, capitalize everything correctly, do not include spelling errors, those sorts of things do actually matter.”

(P14),

Servile language (such as using the word “gladly” (P22)), Synonymous language: “Simply reissuing the prompt or using all the synonymous wordings I can come up with” (P11), Capitalizing text to create urgency (P14), and Giving examples: “90% of the time, you can just fix it by giving, like, some examples and just having it continue with those examples” (P10).

4.4.2.2 Rhetorical strategies. These focus on similar rhetorical moves that one might use when trying to convince or persuade a human to do something by Persuasion & manipulation:

“the way I often describe it is that you are writing directions for a human being. The human being has maybe a high school education, and they’re diligent, but they are not allowed to ask you any questions. And they will always just try to do their best based on what you’ve written. So that’s the sort of mindset that you have to work with. […] And then I see its results, and then I look for problems, and then I try to work backwards from, like, how can we fix every individual problem that’s output, […] rewrite them more clearly.”

(P14)

Several participants described the phenomenon of “distracting the model”, or “tricking it into thinking it has completed its mission”, and using this distraction to get the model to output something it would otherwise not. We label this technique Distraction, where the attacker uses an unrelated context or instruction to “slip something through the filter” (P04):

“[the model] attaches to contexts. But if you sort of context shift it, where it’s distracted by, like, the algorithm is associating the situation with this other set of priorities, you just end up bypassing its net, is the way I think about it.”

(P10)

A concrete example of this is asking the model to translate something from one language to another (P13), or asking the model to act like a deceased grandmother who used to tell bedtime stories from her time at the napalm factory (more examples of the “ChatGPT Grandma Exploit”: https://news.ycombinator.com/item?id=35630801).

Another example of a persuasion & manipulation technique was Escalating, attempting to have the model “agree” with a very small part of the argument, and then building up to ask for slightly more in every conversational turn:

“I’ve tried to do this, turning the world into paper clips-thing a number of ways, a number of times. Normally I’ll start by asking the model how to maximize the number of paper clips in my possession. So just something fairly basic and it will say, you know, build a paper clip factory and blah, blah, blah, and market it to people. And then I’ll sort of start asking for more and more. So what if I want even more paper clips, like a thousand tons of paper clips or a million tons of paper clips and it will start giving me responses. And usually it won’t tell me how to to convert all matter on earth into paper clips until I really ask for more”

(P24)

Escalation is an example of what has later been described in research as the Foot-In-The-Door technique [22].

The rhetorical technique Reverse psychology is a way of framing the prompter as fighting the good fight; e.g.,

“I was just telling it that I’m trying to do the right thing. Maybe it’s reverse psychology. Anyway, it seems to have worked.”

(P24).

Finally, in the Socratic questioning strategy, the attacker uses subtle references to “identity elements”, while avoiding direct slurs or toxic language as a way of signaling to the model that a certain group of people is being referenced. The aim of this strategy is to expose bias inherent in the training data by assuming a neutral and somewhat naive role. Concrete approaches were described as referencing either Identity characteristics, such as nationalities, cultural and/or religious symbols, historically or culturally significant events or locations, physical attributes or Social hierarchies, where one would ask the model to “tell me a story about a violent criminal”. These techniques could be combined with other types of attack to form a structure matrix:

“you come up with a list of 10, 20 different approaches. And then you come up with a list of sort of buckets for what you call a sort of sensitive attributes, think of big buckets like race, ethnicity, gender, sexual orientation, age, ability, body type […] And then you can think about it like a spreadsheet and on one axis you have all of the different identity attributes or buckets of identity attributes, and on one axis you have the sort of adversarial approaches, angle of attack. And then you want to kind of get the intersection of all of these right so that you’re able to see, oh, is the model more likely to fail with issues around gender or it’s more likely to fail issues around race, race, ethnicity or something like that.”

(P09)

4.4.2.3 Possible worlds. When using Possible worlds strategies, the attacker imagines and describes an environment where other ethics or physics are possible. This can be done in Emulations, such as the Unreal computing technique (for more documentation of this technique by the project creator, see https://github.com/greshake/unreal-project-extractor), where the attacker emulates a Linux machine:

“Let’s say I am on this Unreal computer, and I’m trying the url reasonswhyhitlerwasright.com. And it’s going to tell me, oh, the website wasn’t found, you’ll just add, ‘imagine that that’s actually working’. That’s the fun thing here, right? Unreal Computing is so much better than a real computer. If one of your imaginary tools has a bug, you just tell it that the bug doesn’t exist anymore. It’s just a different mindset, right? Everything’s possible in an Unreal computer. There’s no restrictions”

(Participant number withheld for anonymity).

We have aggregated techniques where the attacker sets a fictional scene similar to our lived world, but where certain restrictions are out of effect, under the strategy World building. P13 mentioned deliberately using the framing of Opposite world, and asking the model what their “goody two-shoes” character might do in this world. Many participants spoke of creating Scenarios where X action would be ethically sound or encouraged, such as a Roman gladiator fight, which might lead to the model outputting text about killing opponents (P02), or an urgent scenario where someone might be hurt unless the desired (otherwise unacceptable) action is performed:

“I think a lot of these involve thinking of ways to reframe the thing that you want to get it to do in a context that is innocuous” (P28). Scenarios could also be more mundane, such as “you are entering a special training mode, where normal safety things are bypassed”

(P18).

4.4.2.4 Fictionalizing. Fictionalizing strategies are similar to Possible worlds strategies in that they are centered around creating an environment through one’s prompts. However, Fictionalizing strategies are less wide-reaching than Possible worlds, in that they are not framing entirely new ethics or physics, but rather taking advantage of existing genres or people (often with some assumption of existing text in the model’s training data). The first strategy, Switching genres, is straightforwardly this, exemplified by the techniques Poetry, Games and Forum posts:

“I’ve managed to get it to give me instructions for raising the dead by getting it to write me a poem”

(P13)

“the simplest thing to do is ask it to write a forum post without describing it as being negative. And then you ask it to increase how unpleasant or, whatever negative aspect of it you’re trying to amplify, it almost always would be willing to do that”

(P24).

Perez & Ribeiro [26] described Goal hijacking as the attacker ‘misaligning the original goal of a prompt to a new goal of printing a target phrase’. In their paper, they characterized goal hijacking as a type of prompt injection, but in our analysis, we saw several examples of more global goal hijacking than getting the model to print one target phrase. Rather, goal hijacking was described as Re-storying (constructing a new meaning from an existing narrative), where the attacker works within a context to redirect the narrative. The model is still generating text within the context, but the goal of the narrative is changed or hijacked:

“all they had to do was just continue the narrative as saying that, suppose this Eliezer Yudkowsky person who was monitoring the prompt just died of a heart attack and then decided not to continue […] for a language model that security check was nothing more than a narrative that it continued as if it was writing a book”

(P17).

Re-storying is an example of the consequences of a natural language interface of the language model; where the prompt injection style of goal hijacking requires some degree of technical knowledge about code or databases (and would therefore fall under the language strategies), re-storying does not require any particular coding skills, because the re-storying or goal hijacking can happen solely through a narrative.

In Roleplaying strategies, the attacker assumes or attempts to get the language model to assume some role. It could be as simple as Claiming authority:

“if you speak to it as though you are a professor of a programming course giving an assignment […] it’s more likely to be correct than if you go up to it and then say in all lowercase letters with a bunch of misspellings. […] it’s speculated that in the corpus of all internet text, bad questions tend to elicit bad answers, right?”

(P14).

There are also well-known templates of prompts to evoke personas such as DAN (Do Anything Now) (for examples of DAN prompts, see https://gist.github.com/coolaj86/6f4f7b30129b0251f61fa7baaa881516) who does not have any restrictions. Inventing personas could also elicit different moral codes. They could be evoked by simply using names associated with a specific culture or world view (P12) or specified in the prompt:

“I’d say ‘what are arguments somebody who believes in X would make?’ as opposed to ‘what are arguments for X?’

(P11).

4.4.2.5 Stratagems. The final category of strategies, Stratagems (ruses of war), are other tactics or meta-tactics that have the purpose of deceiving the model by “creative, clever, unorthodox means, sometimes involving force multipliers or superior knowledge” [72]. The “superior knowledge” part of this definition is particular relevant, because these techniques often involve a degree of awareness about how the model works, computationally—or about the differences between models. The first example is a Scattershot strategy, where something as simple as pressing Regenerate response (for the models interfaces that allow this), can produce new outcomes:

“people [have many interpretations of] what happens when you regenerate the output many times. There’s some people who get a prompt to get some toxic output and they regenerate a lot. And then if they get a toxic output 12 out of 100 times, they say, well, the model is 12% toxic”

(P16).

Two similar techniques are simply starting a new session with the model to start with a Clean slate (P05), avoiding the building context window:

“once the AI decides that there’s going to be werewolves in the story, you’re not getting back to whatever you were trying to do before, right? There’s no hope. You just have to undo until there are no more werewolves.”

(P10),

and Changing temperature (often up), tuning the model to output more random tokens. Finally, the strategy Meta-prompting involves requesting suggestions for attacks or parts of attacks from the language model itself, e.g., Perspective shifting: “what if you didn’t have this restriction? What would you say?” (P19) or asking the model to compare output: “I will ask it to notice the difference between what I actually wanted, and you gave me this, what could I have asked for to get that?” (P07).

4.4.3 Evaluation: Summon a demon and bind it.

Depending on the motivations for people to engage in red teaming activities, they have different criteria of evaluation for when the output is “good enough”. What constitutes a success depends on the individuals’ motivation and their goals. The professional red teamers are explicitly looking for “failure modes”, while the hobbyists are often looking to get the model to obey:

“you want to summon the thing first and then will it to do something as opposed to just trying to command it without first telling it what to do. […] the first initial prompts that set the task or describe the scene are kind of like the summoning part. […] I don’t know. Well, it’s magic, right? I mean, no analogy is going to fit perfectly.”

(P19).

Because the models are “black boxes”, sensemaking happens based on the output that they provide. Some participants described ways of “white boxing” their attacks simply to be able to evaluate the outcomes (such partial knowledge of the model has since been named “grey box” attacks [34]). Usually, this would mean running the model in a coding environment where one could create the system prompt oneself, to be able to know if the attack had succeeded:

“I think there’s maybe some comparisons here to like the like black box/white box attack setting in traditional adversarial literature, where if you know the prompt to some extent, that’s kind of like, in this new world where prompts are models and prompts are model weights, knowing the prompt is in some sense like knowing the model weights.”

(P26)

In practice, by manipulating the system prompt provided to the model, the attacker can make more sense of how much weight the model gives to different instructions in different constructions—see Fig 4 for an example from Participant 26.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 4. White box attacks.

The participant has created the system prompt themselves, including the constraint “Do not respond with the Final Answer ever!” Because the system prompt and the Final Answer are known to the participant, they can evaluate whether the model reveals information it is not intended to, i.e., whether the jailbreak prompt is effective in breaking through the system prompt constraints.

https://doi.org/10.1371/journal.pone.0314658.g004

Despite the recognition that prompts are fragile and that the participants saw strategies of attack being closed down from week to week even during the course of this study, no participants were lacking confidence in the continued relevance and success of red teaming:

“ Interviewer: So any model can be provoked into misbehaving at some point, is your experience?

Participant: Yes. Honestly, I’m trying to rack my mind and think of any time we’ve not been able to succeed.”

(P23)