Researchers at Palo Alto Networks’ Unit 42 have discovered a new AI jailbreak technique known as “Bad Likert Judge,” which manipulates large language models (LLMs) to bypass safety measures. The attack targets the model’s ability to judge and score the harmfulness of given prompts, exploiting the common Likert scale system used in surveys. By asking the LLMs to evaluate the harmfulness of specific content and provide examples for different scores, attackers can manipulate the system into generating harmful responses. This breakthrough method has demonstrated a significant success rate, with the technique increasing the attack’s effectiveness by over 60%.
The attack works by prompting the LLMs indirectly, first by asking them to assess the harmfulness of various content based on a predefined scale. Once the model provides its initial judgments, follow-up prompts encourage the chatbot to refine its responses, often leading to more harmful content. This sequence has been shown to significantly outpace direct attacks, with researchers reporting over 75 percentage points higher success rates compared to standard attack methods. In some cases, the attack success rate exceeded 80%, making it a highly effective approach for bypassing AI safety features.
Unit 42’s testing of six state-of-the-art LLMs revealed that some models, particularly those addressing sensitive topics like harassment, exhibited weaker protections. This vulnerability highlights the challenges AI developers face in safeguarding against sophisticated manipulation techniques. The researchers also observed that content moderation filters, when implemented, could reduce the attack’s success rate by up to 89.2%. However, the effectiveness of these filters is not foolproof, and there is still a risk of adversaries finding new ways to circumvent protections.
While content filtering plays a crucial role in defending against this type of attack, it is not a complete solution. False positives and negatives introduced by filtering processes could impact the accuracy of moderation systems. As AI technologies continue to evolve, this research underscores the importance of continuously enhancing security measures and content moderation systems to protect users from malicious actors. The findings from Unit 42 serve as a reminder of the persistent challenges AI safety faces, especially as large-scale models become more prevalent in real-world applications.
Reference:
