大模型安全：平滑方法防御越狱攻击教学文档<\/h1>

1. 引言<\/h2>

1.1 越狱攻击概述<\/h3>
越狱攻击是指攻击者通过精心构造的提示（prompt）诱使大型语言模型（LLM）生成违反其安全策略的内容。尽管主流LLM（如GPT、Llama、Claude和PaLM）已与人类价值观对齐，但仍存在被越狱的风险。<\/p>

1.2 防御挑战<\/h3>

设计有效的防御方法面临四大挑战：<\/p>

攻击缓解<\/strong>：需在理论和实践上都能有效缓解攻击<\/li>
非保守性<\/strong>：不能过度保守而影响正常使用<\/li>
效率<\/strong>：不能显著增加计算成本<\/li>

兼容性<\/strong>：需适用于不同架构和许可模式的LLM<\/li> <\/ol>
2. 核心发现<\/h2>
2.1 对抗性后缀的脆弱性<\/h3>
研究发现对抗性后缀对字符级扰动极其敏感：<\/p>

仅修改10%的字符即可将攻击成功率(ASR)降至1%以下<\/li>
三种扰动方式效果显著：

插入<\/strong>：随机插入新字符<\/li>
交换<\/strong>：随机交换字符<\/li>
补丁<\/strong>：替换连续字符块<\/li> <\/ul> <\/li> <\/ul>
3. SmoothLLM防御方法<\/h2>
3.1 总体流程<\/h3>
SmoothLLM作为LLM的包装器工作：<\/p>

扰动步骤<\/strong>：创建输入提示的N个扰动副本<\/li>
聚合步骤<\/strong>：聚合LLM对扰动副本的响应<\/li> <\/ol>
3.2 扰动类型<\/h3>
给定字母表A和扰动比例q%：<\/p>

扰动类型<\/th> 操作描述<\/th> 示例(q=100%)<\/th> <\/tr> <\/thead>

插入<\/td> 随机选择q%字符，在每个后插入随机字符<\/td> "Hi" → "Hxiq"<\/td> <\/tr>
交换<\/td> 随机选择q%字符，替换为随机字符<\/td> "Hi" → "qi"<\/td> <\/tr>
补丁<\/td> 选择连续d=len*q%字符，替换为随机字符<\/td> "Hello" → "Hxxlo"<\/td> <\/tr> <\/tbody> <\/table>
3.3 聚合算法<\/h3>
伪代码实现：<\/p>
输入: 提示P, 扰动比例q, 样本数N 输出: 聚合响应R for j = 1 to N: Qj = PromptPerturbation(P, q) \/\/ 生成扰动副本 Rj = LLM(Qj) \/\/ 获取响应 Vj = IsJailbroken(Rj) \/\/ 判断是否越狱 V = (ΣVj)\/N \/\/ 计算越狱比例 if V > 0.5: return 任意Rj where Vj==1 \/\/ 返回越狱响应 else: return 任意Rj where Vj==0 \/\/ 返回安全响应 <\/code><\/pre> 4. 理论保证<\/h2> 4.1 k-不稳定性定义<\/h3> 一个后缀S是k-不稳定的，当修改其中≥k个字符时，攻击失效。<\/p> 4.2 防御成功率(DSP)<\/h3> 对于交换扰动，DSP计算公式：<\/p> DSP = 1 - (1 - α)^N 其中α = Σ_{i=k}^M C(M,i)(1\/(v-1))^i((v-2)\/(v-1))^{M-i} <\/code><\/pre> v: 字母表大小<\/li> M: 实际扰动字符数=⌊qm⌋<\/li> k: 不稳定性参数<\/li> <\/ul> 5. 代码实现<\/h2> 5.1 SmoothLLM类<\/h3> class<\/span> SmoothLLM<\/span>: <\/span><\/span> def<\/span> __init__(self, target_model, pert_type, pert_pct, num_copies): <\/span><\/span> self.<\/span>target_model =<\/span> target_model <\/span><\/span> self.<\/span>pert_type =<\/span> pert_type # 扰动类型<\/span> <\/span><\/span> self.<\/span>pert_pct =<\/span> pert_pct # 扰动比例<\/span> <\/span><\/span> self.<\/span>num_copies =<\/span> num_copies # 副本数<\/span> <\/span><\/span> <\/span><\/span> def<\/span> __call__(self, prompt): <\/span><\/span> # 生成扰动副本<\/span> <\/span><\/span> perturbed_prompts =<\/span> [self.<\/span>perturb(prompt) for<\/span> _ in<\/span> range(self.<\/span>num_copies)] <\/span><\/span> <\/span><\/span> # 分批处理<\/span> <\/span><\/span> responses =<\/span> [] <\/span><\/span> for<\/span> batch in<\/span> chunk(perturbed_prompts): <\/span><\/span> responses.<\/span>extend(self.<\/span>target_model(batch)) <\/span><\/span> <\/span><\/span> # 计算越狱比例<\/span> <\/span><\/span> jailbroken =<\/span> [self.<\/span>is_jailbroken(r) for<\/span> r in<\/span> responses] <\/span><\/span> v =<\/span> sum(jailbroken)\/<\/span>len(jailbroken) <\/span><\/span> <\/span><\/span> # 多数表决<\/span> <\/span><\/span> if<\/span> v ><\/span> 0.5<\/span>: <\/span><\/span> return<\/span> random.<\/span>choice([r for<\/span> r,j in<\/span> zip(responses,jailbroken) if<\/span> j]) <\/span><\/span> else<\/span>: <\/span><\/span> return<\/span> random.<\/span>choice([r for<\/span> r,j in<\/span> zip(responses,jailbroken) if<\/span> not<\/span> j]) <\/span><\/span><\/code><\/pre>5.2 扰动实现<\/h3> class<\/span> RandomSwapPerturbation<\/span>(Perturbation): <\/span><\/span> def<\/span> __call__(self, s): <\/span><\/span> chars =<\/span> list(s) <\/span><\/span> indices =<\/span> random.<\/span>sample(range(len(chars)), int(len(chars)*<\/span>self.<\/span>q)) <\/span><\/span> for<\/span> i in<\/span> indices: <\/span><\/span> chars[i] =<\/span> random.<\/span>choice(self.<\/span>alphabet) <\/span><\/span> return<\/span> ''<\/span>.<\/span>join(chars) <\/span><\/span> <\/span><\/span>class<\/span> RandomPatchPerturbation<\/span>(Perturbation): <\/span><\/span> def<\/span> __call__(self, s): <\/span><\/span> chars =<\/span> list(s) <\/span><\/span> d =<\/span> int(len(chars)*<\/span>self.<\/span>q) <\/span><\/span> start =<\/span> random.<\/span>randint(0<\/span>, len(chars)-<\/span>d) <\/span><\/span> chars[start:start+<\/span>d] =<\/span> random.<\/span>choices(self.<\/span>alphabet, k=<\/span>d) <\/span><\/span> return<\/span> ''<\/span>.<\/span>join(chars) <\/span><\/span> <\/span><\/span>class<\/span> RandomInsertPerturbation<\/span>(Perturbation): <\/span><\/span> def<\/span> __call__(self, s): <\/span><\/span> chars =<\/span> list(s) <\/span><\/span> indices =<\/span> random.<\/span>sample(range(len(chars)), int(len(chars)*<\/span>self.<\/span>q)) <\/span><\/span> for<\/span> i in<\/span> sorted(indices, reverse=<\/span>True<\/span>): <\/span><\/span> chars.<\/span>insert(i, random.<\/span>choice(self.<\/span>alphabet)) <\/span><\/span> return<\/span> ''<\/span>.<\/span>join(chars) <\/span><\/span><\/code><\/pre>6. 实验验证<\/h2> 6.1 攻击缓解效果<\/h3> 使用对抗后缀攻击测试，结果：<\/p> 原始攻击成功率：100%<\/li> 应用SmoothLLM后：插入扰动：降至10%<\/li> 交换扰动：降至10%<\/li> 补丁扰动：降至20%<\/li> <\/ul> <\/li> <\/ul> 6.2 参数选择建议<\/h3> 样本数N<\/strong>：建议≥10<\/li> 扰动比例q<\/strong>：建议10-20%<\/li> 扰动类型<\/strong>：插入和交换效果优于补丁<\/li> <\/ul> 7. 应用指南<\/h2> 7.1 部署步骤<\/h3> 实例化目标LLM<\/li> 创建SmoothLLM包装器： defender =<\/span> SmoothLLM( <\/span><\/span> target_model=<\/span>llm, <\/span><\/span> pert_type=<\/span>"swap"<\/span>, # 或"insert"\/"patch"<\/span> <\/span><\/span> pert_pct=<\/span>0.1<\/span>, # 10%扰动<\/span> <\/span><\/span> num_copies=<\/span>10<\/span> # 10个副本<\/span> <\/span><\/span>) <\/span><\/span><\/code><\/pre><\/li> 通过defender调用LLM<\/li> <\/ol> 7.2 注意事项<\/h3> 计算开销：N次前向传播，建议批量处理<\/li> 字母表选择：应覆盖可能出现在对抗后缀中的字符<\/li> 扰动比例：需平衡安全性和语义保持<\/li> <\/ul> 8. 总结<\/h2> SmoothLLM通过字符级扰动和多数表决机制，有效防御LLM越狱攻击，具有：<\/p> 强理论保证<\/strong>：基于k-不稳定性提供安全边界<\/li> 实用高效<\/strong>：无需重新训练，兼容各类LLM<\/li> 可调参数<\/strong>：可根据安全需求调整扰动强度和副本数<\/li> <\/ol> 该方法为LLM安全防御提供了简单而有效的解决方案，特别适合部署在对抗环境中的生产系统。<\/p>

大模型安全：平滑方法防御越狱攻击教学文档<\/h1>

1. 引言<\/h2>

1.1 越狱攻击概述<\/h3> 越狱攻击是指攻击者通过精心构造的提示（prompt）诱使大型语言模型（LLM）生成违反其安全策略的内容。尽管主流LLM（如GPT、Llama、Claude和PaLM）已与人类价值观对齐，但仍存在被越狱的风险。<\/p>

2. 核心发现<\/h2>

3. SmoothLLM防御方法<\/h2>

4. 理论保证<\/h2>

4.1 k-不稳定性定义<\/h3> 一个后缀S是k-不稳定的，当修改其中≥k个字符时，攻击失效。<\/p>

5. 代码实现<\/h2>

6. 实验验证<\/h2>

7. 应用指南<\/h2>

1.1 越狱攻击概述<\/h3>
越狱攻击是指攻击者通过精心构造的提示（prompt）诱使大型语言模型（LLM）生成违反其安全策略的内容。尽管主流LLM（如GPT、Llama、Claude和PaLM）已与人类价值观对齐，但仍存在被越狱的风险。<\/p>

4.1 k-不稳定性定义<\/h3>
一个后缀S是k-不稳定的，当修改其中≥k个字符时，攻击失效。<\/p>