StructTransform: A Scalable Attack Surface for Safety-Aligned Large Language Models
摘要
Safety alignment and adversarial attack research for Large Language Models (LLMs) predominantly focuses on natural language inputs and outputs. This work introduces StructTransform, a blackbox attack against alignment where malicious prompts are encoded into diverse structure transformations. These range from standard formats (e.g., SQL, JSON) to novel syntaxes generated entirely by LLMs. By shifting harmful prompts Out-Of-Distribution (OOD) relative to typical natural language, these transformations effectively circumvent existing safety alignment mechanisms. Our extensive evaluations show that simple StructTransform attacks achieve high Attack Success Rates (ASR), nearing 90% even against state-of-the-art models like Claude 3.5 Sonnet. Combining structural and content transformations further increases ASR to over 96% without any refusals. We demonstrate the ease with which LLMs can generate novel syntaxes and their effectiveness in bypassing defenses, creating a vast attack surface. Using a new benchmark, we show that current alignment techniques and defences largely fail against these structure-based attacks. This failure strongly suggests a reliance on token-level patterns within natural language, rather than a robust, structure-aware conceptual understanding of harmful requests, exposing a critical need for generalized safety mechanisms robust to variations in input structure.