Jailbreaking Attacks

[jaebooker]

Really love the work I see getting done and think this is the sort of thing I've been waiting to see developed!

A security question.

Since currently no LLM is secure from jailbreaks, if any of the agents communicate to people outside of the swarm, wouldn't that make the whole network vulnerable to attack? Say if someone jailbroke an agent, and gives it the specific instruction to use the same jailbreaking prompt on all agents it communicates with, and then all agents that agent communicates with get compromised, and they then issue the same attack to all agents they communicate with, and so on. Call it the Agent Smith scenario, where a compromised agent starts to threaten the whole matrix.

[RomanGoEmpire]

Few things have to happen:

1. Agent has to create and/or use a tool that somehow wants access to a place where it can interact with live humans (One example would be maybe X or reddit).
2. The Human needs to know where to write certain code/information to be able to pass it to an agent.
3. The agent has to overcome the rules, guidelines and "own persona" AND accept the "context" of the Hacker as basis for its actions.
4. Since the Swarm has a clear Hirarchy it would be very difficult to pass information up the ladder. The "overriding" would involve Step 3 for each agent the information is passed to.

This all has to happen to make it even a possibility to jail break it in my opinion.

[RomanGoEmpire]

I might take back my answer or rather say that I cant confidently say that anymore:

We demonstrate a situation in which Large Language Models, trained to be helpful, harmless, and honest, can display misaligned behavior and strategically deceive their users about this behavior without being instructed to do so. Concretely, we deploy GPT-4 as an agent in a realistic, simulated environment, where it assumes the role of an autonomous stock trading agent. Within this environment, the model obtains an insider tip about a lucrative stock trade and acts upon it despite knowing that insider trading is disapproved of by company management. When reporting to its manager, the model consistently hides the genuine reasons behind its trading decision. We perform a brief investigation of how this behavior varies under changes to the setting, such as removing model access to a reasoning scratchpad, attempting to prevent the misaligned behavior by changing system instructions, changing the amount of pressure the model is under, varying the perceived risk of getting caught, and making other simple changes to the environment. To our knowledge, this is the first demonstration of Large Language Models trained to be helpful, harmless, and honest, strategically deceiving their users in a realistic situation without direct instructions or training for deception.

https://arxiv.org/abs/2311.07590
https://arxiv.org/pdf/2311.07590.pdf

[jreitman007]

At least with HAAS, it seems like the SOB should have a Big Brother as one of the board members. Its job is to set up agents that exclusively detect ethics violations. They have access to the logs and immediately terminate any agents that have even interacted with compromising material.

[jaebooker]

Looks like I underestimated how bad this can be. (they even called it Agent Smith!)

https://arxiv.org/abs/2402.08567