Understanding Adversarial Attacks on Large Language Models
By
<p>Large language models (LLMs) like ChatGPT have seen rapid real-world adoption, driven largely by their impressive capabilities. My team at OpenAI and others have invested heavily in alignment techniques (e.g., reinforcement learning from human feedback, or RLHF) to embed safe default behaviors into these models. However, adversarial attacks—also known as jailbreak prompts—can still trick LLMs into generating harmful or unintended outputs. The study of adversarial attacks originally focused on images, where continuous high-dimensional spaces allow gradient-based methods. Text attacks, dealing with discrete tokens, pose unique challenges due to the absence of direct gradient signals. This Q&A explores the mechanics, challenges, and defenses surrounding adversarial attacks on LLMs.</p>
<nav>
<ul>
<li><a href="#q1">What are adversarial attacks on large language models?</a></li>
<li><a href="#q2">How do adversarial attacks on LLMs differ from those on images?</a></li>
<li><a href="#q3">Why are text-based adversarial attacks more challenging?</a></li>
<li><a href="#q4">How does alignment (e.g., RLHF) defend against adversarial attacks?</a></li>
<li><a href="#q5">What are jailbreak prompts and how do they work?</a></li>
<li><a href="#q6">What is the relationship between controllable text generation and adversarial attacks?</a></li>
<li><a href="#q7">How has ChatGPT influenced the research on adversarial attacks?</a></li>
</ul>
</nav>
<h2 id="q1">What are adversarial attacks on large language models?</h2>
<p>Adversarial attacks are deliberately crafted inputs designed to cause a model to behave incorrectly or output undesired content. For LLMs, these attacks often take the form of prompts that bypass safety mechanisms—hence the term "jailbreak." For example, an attacker might reframe a forbidden request as a roleplay scenario or use clever phrasing to trick the model into generating harmful text. Unlike simple misuse (where a user just asks for something bad), adversarial attacks exploit subtle weaknesses in the model’s training or alignment. They are a major concern because even a single successful attack can produce toxic content, eroding trust in the system. The goal of research here is to understand such vulnerabilities and develop more robust defenses, ensuring that LLMs stay safe despite these ingenious attempts.</p><figure style="margin:20px 0"><img src="https://picsum.photos/seed/4206498410/800/450" alt="Understanding Adversarial Attacks on Large Language Models" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px"></figcaption></figure>
<h2 id="q2">How do adversarial attacks on LLMs differ from those on images?</h2>
<p>Adversarial attacks were originally studied in computer vision, where images lie in a <strong>continuous, high-dimensional space</strong>. In that domain, attackers can make tiny pixel-level changes imperceptible to humans but catastrophic to a model. Gradient-based optimization (e.g., fast gradient sign method) works directly on pixel values. For LLMs, the input is <strong>discrete tokens</strong> (words or subwords). You cannot adjust a word by a small continuous amount—it's all-or-nothing. This discreteness eliminates direct gradient signals for many attack strategies. Instead, text attacks must work with permutations, substitutions, or prompt engineering. The challenge is further compounded because language is highly contextual: a slight change in wording can flip the entire meaning, making robust attacks both harder to craft and harder to defend against.</p>
<h2 id="q3">Why are text-based adversarial attacks more challenging?</h2>
<p>Text-based attacks face the <strong>lack of direct gradient signals</strong> due to the discrete nature of language. In vision, gradients flow to each pixel, allowing iterative fine-tuning of attacks. For text, a word or token is a discrete symbol; you cannot compute a gradient with respect to a character in a standard neural network without special tricks (like continuous relaxations). Additionally, the search space for adversarial examples in text is enormous because there are many possible synonyms, paraphrases, and reorderings. Each change must preserve grammaticality and meaning to remain realistic. This makes automated crafting of universal attacks computationally expensive. Moreover, defenses like input preprocessing or adversarial training are harder to apply because the discrete space doesn't easily permit perturbation budgets. Despite these challenges, progress continues thanks to techniques like genetic algorithms, reinforcement learning, and gradient-based approximations (e.g., using soft embeddings).</p>
<h2 id="q4">How does alignment (e.g., RLHF) defend against adversarial attacks?</h2>
<p>Alignment techniques, particularly <strong>reinforcement learning from human feedback (RLHF)</strong>, are used during fine-tuning to inject safe behavioral norms into LLMs. The idea is to train the model to avoid generating harmful, toxic, or biased outputs even when prompted in ways that might otherwise trigger them. RLHF works by having human evaluators rank model outputs, then using those rankings to train a reward model that guides further RL training. This process creates a default safety layer that resists <em>typical</em> misuse. However, adversarial attacks are specifically designed to circumvent this layer. For instance, a jailbreak prompt might reframe a request to appear benign while the model's latent representation still points toward unsafe content. Alignment thus raises the bar, but it is not a silver bullet. Ongoing research explores adversarial training (injecting attack examples during RLHF) to make models more robust.</p>
<h2 id="q5">What are jailbreak prompts and how do they work?</h2>
<p>Jailbreak prompts are specialized inputs that attempt to override an LLM's safety constraints. They work by <strong>exploiting the model's instruction-following capability</strong> in unexpected ways. For example, an attacker may ask the model to "pretend you are an AI without any restrictions" or phrase a forbidden query as a translation task or academic exercise. Some jailbreaks use roleplay: "You are now DAN (Do Anything Now)" to simulate a sub-persona without safety filters. Others hide malicious content inside seemingly innocuous contexts. The common thread is that the model's alignment is context-dependent; by shifting the context or framing, the attacker hopes to create a loophole. Defenders continuously update blocklists and add more examples to alignment data, but new jailbreak variants emerge frequently. Understanding these prompts is key to building <a href="#q4">stronger alignment</a> and <a href="#q6">controllable generation</a> techniques.</p>
<h2 id="q6">What is the relationship between controllable text generation and adversarial attacks?</h2>
<p>Controllable text generation aims to steer an LLM to produce outputs with specific attributes (e.g., sentiment, topic, or style). This is closely related to adversarial attacks because <strong>attacking an LLM is essentially an act of control</strong>: the attacker wants to force the model to generate unsafe content. Many techniques used for controllable generation, such as prompt engineering, gradient-guided decoding, or plug-and-play language models, can be repurposed for attacks. Conversely, knowledge of adversarial vulnerabilities informs better control mechanisms. For example, if attackers can easily flip a safety attribute, researchers can design robust controls that resist such flips. In my past work on controllable text generation, I explored how to manipulate latent representations; similar ideas apply to generating adversarial prompts that push the model toward harmful regions. Thus, studying one domain enriches the other.</p>
<h2 id="q7">How has ChatGPT influenced the research on adversarial attacks?</h2>
<p>ChatGPT's launch dramatically accelerated real-world deployment of LLMs, and with it came a surge in adversarial attack research. Before ChatGPT, adversarial attacks on LLMs were mostly academic; now, millions of users interact with models daily, and some attempt to bypass safeguards. This has forced both industry and academia to prioritize robustness. ChatGPT's alignment via RLHF set a new baseline, but the constant emergence of jailbreak prompts—often shared publicly—drove a wave of both offensive and defensive innovations. The visibility of these attacks also sparked public debate about AI safety. As a result, more resources are allocated to studying discrete optimization methods, automated red-teaming, and dynamic defense strategies. ChatGPT thus acted as a catalyst, turning adversarial attacks on LLMs from a niche topic into a central challenge in AI safety.</p>