首页|期刊导航|四川大学学报(自然科学版)|面向优化的大语言模型黑盒越狱攻击研究综述

面向优化的大语言模型黑盒越狱攻击研究综述OA

A review of black-box jailbreak attacks on large language models for optimization

中文摘要英文摘要

大型语言模型(Large Language Models,LLMs)在自然语言处理领域展现出强大的能力,但其安全漏洞,尤其是越狱攻击已成为当前的核心挑战.越狱攻击利用精心构造的对抗性提示突破模型的安全对齐机制,揭示了基于人类反馈强化学习(Reinforcement Learning from Human Feedback,RLHF)等对齐技术的局限性.当前基于模版或者手工设计的越狱方法因其成功率低且泛化性差,在持续迭代的LLMs安全机制下迅速失效.而基于优化的越狱方法凭借其自动生成对抗性提示的能力,在攻击成功率和隐蔽性方面表现显著,能够有效规避常规检测手段.针对白盒攻击对梯度信息的依赖与迁移性差等问题,本文聚焦黑盒优化范式,首次系统性地将现有越狱方法归纳为4类框架:基于遗传算法的优化、基于强化学习的优化、基于模糊测试的优化和基于LLMs对抗生成的优化.深入剖析各类方法的核心机制、技术优势与约束.本文的主要贡献在于提出一种新颖的分类体系与研究视角,明确指出现有防御手段在实时性、泛化性和攻防平衡方面的严重不足,并进一步倡导构建动态化防御架构与标准化评估基准,为探索LLMs在对抗环境中的安全性与性能平衡机制提供理论支持与实践指引.

Large Language Models(LLMs)have demonstrated remarkable capabilities in Natural Language Processing(NLP).However,their security vulnerabilities,particularly jailbreak attacks,pose a critical chal-lenge.These attacks circumvent safety alignment mechanisms through carefully crafted adversarial prompts,revealing the limitations of alignment techniques like Reinforcement Learning from Human Feedback(RLHF).Template-based or manually crafted jailbreak methods typically exhibit low success rates and poor generalization,and they rapidly become obsolete as LLM safety mechanisms evolve.In contrast,optimization-based methods automatically generate adversarial prompts,leading to higher success rates and better stealthiness that effectively bypass common detection mechanisms.To overcome the limitations of white-box attacks,such as their reliance on gradients and limited transferability,the review investigates the black-box optimization paradigm and presents the first systematic taxonomy of jailbreak methods:Genetic Al-gorithm(GA)-based,Reinforcement Learning(RL)-based,Fuzzing-based,and LLM-based Adversarial Optimization.We delve into the core mechanisms,technical strengths,and limitations of each category.The primary contribution of this survey is proposing a novel taxonomy that critically examines existing defenses'deficiencies in real-time performance,generalizability,and attack-defense balance.It further advocates for dy-namic defense architectures and standardized benchmarks,thereby providing a theoretical foundation and prac-tical guidance for balancing the security and performance of LLMs in adversarial settings.

陶佳玲;黄松;高心怡;方勇;曲豫宾;李瑞阳;陆江涛

中国人民解放军陆军工程大学指挥控制工程学院,南京 210001中国人民解放军陆军工程大学指挥控制工程学院,南京 210001四川大学网络空间安全学院,成都 610065四川大学网络空间安全学院,成都 610065中国人民解放军陆军工程大学指挥控制工程学院,南京 210001||江苏工程职业技术学院信息工程学院,南通 226001中国人民解放军陆军工程大学指挥控制工程学院,南京 210001中国人民解放军陆军工程大学指挥控制工程学院,南京 210001

信息技术与安全科学

大语言模型优化越狱攻击越狱防御

LLMsoptimizationjailbreak attackjailbreak defence

《四川大学学报(自然科学版)》 2026 (2)

241-258,18

国家自然科学基金(U24B20147)

10.19907/j.0490-6756.250250

评论