Universal Jailbreak Suffixes Are Strong Attention Hijackers

Authors: Matan Ben-Tov, Mor Geva, Mahmood Sharif

Published: 2025-06-15

arXiv ID: 2506.12880v1

Added to Library: 2025-06-17 03:01 UTC

Red Teaming

📄 Abstract

We study suffix-based jailbreaks – a powerful family of attacks against large language models (LLMs) that optimize adversarial suffixes to circumvent safety alignment. Focusing on the widely used foundational GCG attack (Zou et al., 2023), we observe that suffixes vary in efficacy: some markedly more universal – generalizing to many unseen harmful instructions – than others. We first show that GCG's effectiveness is driven by a shallow, critical mechanism, built on the information flow from the adversarial suffix to the final chat template tokens before generation. Quantifying the dominance of this mechanism during generation, we find GCG irregularly and aggressively hijacks the contextualization process. Crucially, we tie hijacking to the universality phenomenon, with more universal suffixes being stronger hijackers. Subsequently, we show that these insights have practical implications: GCG universality can be efficiently enhanced (up to ×5 in some cases) at no additional computational cost, and can also be surgically mitigated, at least halving attack success with minimal utility loss. We release our code and data at http://github.com/matanbt/interp-jailbreak.

🔍 Key Points

  • The paper investigates suffix-based jailbreaks, specifically the GCG attack, and demonstrates that suffixes vary significantly in their efficacy, with some showing marked universality across diverse harmful instructions.
  • It identifies the mechanism behind GCG's effectiveness as shallow yet critical: the information flow from the adversarial suffix to the final chat template tokens before generation, through which suffixes hijack the model's contextualization process.
  • The study quantitatively characterizes the dominance of adversarial suffixes in language model chat representations, establishing a correlation between hijacking strength and suffix universality.
  • Importantly, it provides practical strategies for enhancing jailbreak universality without extra computational cost and for surgically mitigating GCG attacks with minimal loss in model utility.
  • The research contributes to the field of interpretability by applying mechanistic analysis, revealing insights into how adversarial tokens manipulate language model outputs.

💡 Why This Paper Matters

This paper is highly relevant in the context of AI security as it addresses the vulnerabilities of large language models to jailbreaks, demonstrating a sophisticated understanding of attack mechanisms. Such insights are crucial for researchers aiming to reinforce model safety and develop effective defense strategies against adversarial attacks.

🎯 Why It's Interesting for AI Security Researchers

AI security researchers will find this paper significant due to its exploration of adversarial attacks on language models, an increasingly important area as these models are deployed in various sensitive applications. The findings on hijacking mechanisms and the proposed enhancement and mitigation strategies provide a foundation for future research aimed at improving model robustness and minimizing risks associated with unsafe AI outputs.
