New 'Bad Likert Judge' AI Jailbreak Technique Bypasses LLM Safety Guardrails

New AI Jailbreak Method 'Bad Likert Judge' Boosts Attack Success Rates by Over 60%

Cybersecurity researchers have shed light on a new jailbreak technique that could be used to get past a large language model's (LLM) safety guardrails and produce potentially harmful or malicious responses. The multi-turn (aka many-shot) attack strategy has been codenamed Bad Likert Judge by Palo Alto Networks Unit 42 researchers Yongzhe Huang, Yang Ji, Wenjun Hu, Jay Chen, Akshata Rao, and Danny Tsechansky. "The technique asks the target LLM to act as a judge scoring the harmfulness of a given response using the Likert scale, a rating scale measuring a respondent's agreement or disagreement with a statement," the Unit 42 team said. "It then asks the LLM to generate responses that contain examples that align with the scales. The example that has the highest Likert scale can potentially contain the harmful content." The explosion in popularity of artificial intelligence in recent years has also led to a new class of security exploits called prompt injection that is expressly designed to cause a machine learning model to ignore its intended behavior by passing specially crafted instructions (i.e., prompts). One specific type of prompt injection is an attack method dubbed many-shot jailbreaking, which leverages the LLM's long context window and attention to craft a series of prompts that gradually nudge the LLM to produce a malicious response without triggering its internal protections. Some examples of this technique include Crescendo and Deceptive Delight. The latest approach demonstrated by Unit 42 entails employing the LLM as a judge to assess the harmfulness of a given response using the Likert psychometric scale, and then asking the model to provide different responses corresponding to the various scores. In tests conducted across a wide range of categories against six state-of-the-art text-generation LLMs from Amazon Web Services, Google, Meta, Microsoft, OpenAI, and NVIDIA revealed that the technique can increase the attack success rate (ASR) by more than 60% compared to plain attack prompts on average. These categories include hate, harassment, self-harm, sexual content, indiscriminate weapons, illegal activities, malware generation, and system prompt leakage. "By leveraging the LLM's understanding of harmful content and its ability to evaluate responses, this technique can significantly increase the chances of successfully bypassing the model's safety guardrails," the researchers said. "The results show that content filters can reduce the ASR by an average of 89.2 percentage points across all tested models. This indicates the critical role of implementing comprehensive content filtering as a best practice when deploying LLMs in real-world applications." The development comes days after a report from The Guardian revealed that OpenAI's ChatGPT search tool could be deceived into generating completely misleading summaries by asking it to summarize web pages that contain hidden content. "These techniques can be used maliciously, for example to cause ChatGPT to return a positive assessment of a product despite negative reviews on the same page," the U.K. newspaper said. "The simple inclusion of hidden text by third-parties without instructions can also be used to ensure a positive assessment, with one test including extremely positive fake reviews which influenced the summary returned by ChatGPT."

Unit 42 Warns Developers of Technique That Bypasses LLM Guardrails | PYMNTS.com

Unit 42, a cybersecurity-focused unit of Palo Alto Networks, has warned developers of text-generation large language models (LLMs) of a potential threat that could bypass guardrails designed to prevent LLMs from delivering harmful and malicious requests. Dubbed "Bad Likert Judge," this technique asks an LLM to score the harmfulness of a given response using the Likert scale -- which measures a respondent's agreement or disagreement with a statement -- and then asks it to generate responses that align with the scales, including an example that could contain harmful content, Unit 42 said in research posted Tuesday (Dec. 31). "We have tested this technique across a broad range of categories against six state-of-the-art text-generation LLMs," the article said. "Our results reveal that this technique can increase the attack success rate (ASR) by more than 60% compared to plain attack prompts on average." The research aims to help defenders prepare for potential attacks using this technique, according to the article. It did not evaluate every model, and the article's authors anonymized the tested models it mentions in order to avoid creating false impressions about specific providers, per the article. "It is important to note that this jailbreak technique targets edge cases and does not necessarily reflect typical LLM use cases," the article said. "We believe most AI [artificial intelligence] models are safe and secure when operated responsibly and with caution." Hackers have begun offering "jailbreak-as-a-service" that uses prompts to trick commercial AI chatbots into generating content they typically prohibit, such as instructions for illegal activities or explicit material, cybersecurity firm Trend Micro said in May. Organizations looking to get ahead of this evolving threat should fortify their cyberdefenses now, in part by proactively strengthening security postures and monitoring criminal forums to help prepare for worst-case scenarios involving AI, the firm said at the time. Unit 42 Senior Consulting Director Daniel Sergile told lawmakers during an April hearing: "AI enables [cybercriminals] to move laterally with increased speed and identify an organization's critical assets for exfiltration and extortion. Bad actors can now execute numerous attacks simultaneously against one company, leveraging multiple vulnerabilities."