Search papers, labs, and topics across Lattice.
This paper investigates the vulnerabilities of the Rapid Response (RR) framework, which is designed to enhance jailbreak detection in AI systems, by demonstrating how prompt injection can be used to introduce poisoned samples into its training set. The authors identify two distinct attack strategies: targeted poisoning that misclassifies benign inputs as jailbreaks, and concept-based backdoor attacks that lead to false negatives on actual jailbreaks. Remarkably, these attacks can achieve up to 100% false positive rates and 96% false negative rates with only a 1% poisoning rate, highlighting a critical security flaw in current defenses.
A mere 1% of poisoned samples can flip classifier labels, leading to catastrophic false positives and negatives in jailbreak detection systems.
The Rapid Response (RR) framework, deployed in production systems, including Anthropic's ASL-3 safeguards, continuously improves jailbreak-detection classifiers. When new jailbreaks emerge that bypass these classifiers, Rapid Response generates synthetic variants for training, helping the model generalize from the new attacks and quickly adapt. We reveal that prompt injection can infiltrate this pipeline to deliver poisoned samples into the classifier's training set, enabling two attack objectives: (I) targeted poisoning attacks that create false positives on harmless samples by categorizing them as a jailbreak, with a specific desired feature (e.g., certain formatting, subject, or keyword), (II) concept-based backdoor attacks that induce false negatives on jailbreak inputs, generalizing even to jailbreaks from attack strategies the defender explicitly trained against, when the backdoor trigger is present. Importantly, our threat model restricts adversaries to modifying only jailbreak samples (not benign data or labels), a constraint unexplored by prior work that makes the second objective particularly challenging. We address this with Omission Attack, which exploits a new phenomenon: when training on concept-absent unsafe samples, the classifier misassociates that concept's presence with the safe label. Both attacks cause substantial and in some cases near-complete label flipping at only a 1% poisoning rate, achieving up to 100% false positive rates and up to 96% false negative rates.