Large language model (LLM) safety is a critical issue, with numerous studies employing red team testing to enhance model security. Among these, jailbreak methods explore potential vulnerabilities by crafting malicious prompts that induce model outputs contrary to safety alignments. Existing black-box jailbreak methods often rely on model feedback, repeatedly submitting queries with detectable malicious instructions during the attack search process. Although these approaches are effective, the attacks may be intercepted by content moderators during the search process. We propose an improved transfer attack method that guides malicious prompt construction by locally training a mirror model of the target black-box model through benign data distillation. This method offers enhanced stealth, as it does not involve submitting identifiable malicious instructions to the target model during the search phase. Our approach achieved a maximum attack success rate of 92%, or a balanced value of 80% with an average of 1.5 detectable jailbreak queries per sample against GPT-3.5 Turbo on a subset of AdvBench. These results underscore the need for more robust defense mechanisms.

本研究解决了大型语言模型安全性研究中越狱攻击方法的不足。我们提出了一种改进的迁移攻击方法，通过良性数据蒸馏局部训练目标黑箱模型的镜像，实现恶意提示构建，从而提高了隐蔽性。研究发现，该方法在针对GPT-3.5 Turbo的攻击成功率最高可达92%，强调了需要更强大的防御机制。

通过良性数据镜像的隐蔽性越狱攻击大型语言模型