Safety Misalignment Against Large Language Models

# Safety Misalignment Against Large Language Models

Yichen Gong1, Delong Ran2, Xinlei $\\mathrm { H e ^ { 3 } }$ , Tianshuo $\\mathrm { C o n g ^ { 4 ( \\boxtimes ) } }$ , Anyu $\\mathrm { W a n g ^ { 4 , 5 , 6 ( \\boxtimes ) } }$ , and Xiaoyun Wang4,5,6,7,8 1Department of Computer Science and Technology, Tsinghua University, 2Institute for Network Sciences and Cyberspace, Tsinghua University, 3Hong Kong University of Science and Technology (Guangzhou), 4Institute for Advanced Study, BNRist, Tsinghua University, 5Zhongguancun Laboratory, 6National Financial Cryptography Research Center, 7Shandong Institute of Blockchain, 8Key Laboratory of Cryptologic Technology and Information Security (Ministry of Education), School of Cyber Science and Technology, Shandong University E-mails: {gongyc18, rdl22} $@$ mails.tsinghua.edu.cn, xinleihe $@$ hkust-gz.edu.cn, {congtianshuo, anyuwang, xiaoyunwang} $@$ tsinghua.edu.cn

Abstract—The safety alignment of Large Language Models (LLMs) is crucial to prevent unsafe content that violates human values. To ensure this, it is essential to evaluate the robustness of their alignment against diverse malicious attacks. However, the lack of a large-scale, unified measurement framework hinders a comprehensive understanding of potential vulnerabilities. To fill this gap, this paper presents the first comprehensive evaluation of existing and newly proposed safety misalignment methods for LLMs. Specifically, we investigate four research questions: (1) evaluating the robustness of LLMs with different alignment strategies, (2) identifying the most effective misalignment method, (3) determining key factors that influence misalignment effectiveness, and (4) exploring various defenses. The safety misalignment attacks in our paper include system-prompt modification, model fine-tuning, and model editing. Our findings show that Supervised Fine-Tuning is the most potent attack but requires harmful model responses. In contrast, our novel Self-Supervised Representation Attack (SSRA) achieves significant misalignment without harmful responses. We also examine defensive mechanisms such as safety data filter, model detoxification, and our proposed Self-Supervised Representation Defense (SSRD), demonstrating that SSRD can effectively re-align the model. In conclusion, our unified safety alignment evaluation framework empirically highlights the fragility of the safety alignment of LLMs.

# I. INTRODUCTION

With the emergence of powerful Large Language Models (LLMs) like ChatGPT \[1\] and Llama 2 \[2\], LLMs have been integrated into multifarious aspects of daily life, including smartphones \[3\] and chatbots \[4\], making them effortlessly accessible to people of all ages with diverse usage intentions. Notably, in August 2024, the European Union AI Act \[5\] officially came into effect, marking the first-ever legal regulatory framework for Artificial Intelligence (AI). This AI Act aims to regulate the safety of AI technologies. Consequentl

... (truncated, 98 KB total)