Search papers, labs, and topics across Lattice.
This paper investigates the positional vulnerability of large language models (LLMs) to jailbreak attacks by exploring various candidate positions, or "slots," within prompts for token insertion. The authors introduce the Vulnerable Slot Score (VSS) to quantify these vulnerabilities and propose SlotGCG, an optimization-based attack that targets the most vulnerable slots identified by VSS. Experimental results show that SlotGCG achieves a 14% higher Attack Success Rate compared to traditional Greedy Coordinate Gradient methods, converges faster, and demonstrates enhanced robustness against defenses.
SlotGCG reveals that the position of adversarial tokens can dramatically increase jailbreak attack success, outperforming existing methods by a significant margin.
As large language models (LLMs) are widely deployed, identifying their vulnerability through jailbreak attacks becomes increasingly critical. Optimization-based attacks like Greedy Coordinate Gradient (GCG) have focused on inserting adversarial tokens to the end of prompts. However, GCG restricts adversarial tokens to a fixed insertion point (typically the prompt suffix), leaving the effect of inserting tokens at other positions unexplored. In this paper, we empirically investigate \emph{slots}, i.e., candidate positions within a prompt where tokens can be inserted. We find that vulnerability to jailbreaking is highly related to the selection of the \emph{slots}. Based on these findings, we introduce the \textit{Vulnerable Slot Score} (VSS) to quantify the positional vulnerability to jailbreaking. We then propose SlotGCG, which evaluates all slots with VSS, selects the most vulnerable slots for insertion, and runs a targeted optimization attack at those slots. Our approach provides a position-search mechanism that is attack-agnostic and can be plugged into any optimization-based attack, adding only 200ms of preprocessing time. Experiments across multiple models demonstrate that SlotGCG significantly outperforms existing methods. Specifically, it achieves 14\% higher Attack Success Rates (ASR) over GCG-based attacks, converges faster, and shows superior robustness against defense methods with 42\% higher ASR than baseline approaches. Our implementation is available at \href{https://github.com/youai058/SlotGCG}{https://github.com/youai058/SlotGCG}