Steganographic LLM Jailbreak

Description: A steganographic jailbreak attack, termed StegoAttack, allows bypassing safety mechanisms in Large Language Models (LLMs) by embedding malicious queries within benign-appearing text. The attack hides the malicious query in the first word of each sentence of a seemingly innocuous paragraph, leveraging the LLM's autoregressive generation to process and respond to the hidden query, even when employing encryption in the response.

Examples:

See StegoAttack repository. (Note: A concrete example would require a specific malicious query and the generated steganographic text, which is not included in the provided abstract. The methodology is described but implementation details are in the repository.)

Impact: Successful exploitation leads to LLMs generating harmful outputs, violating safety policies, and potentially causing significant damage depending on the nature of the malicious query. The attack's stealthiness makes it difficult for both built-in and external safety mechanisms to detect and prevent.

Affected Systems: Various safety-aligned LLMs including GPT-3, LLaMA 4, DeepSeek-R1, and QwQ-32B are shown to be vulnerable. The technique may apply to other LLMs.

Mitigation Steps:

• Improve LLM safety mechanisms to detect steganographically hidden prompts.
• Develop more robust safety detectors capable of identifying hidden malicious content within apparently benign text.
• Implement techniques to disrupt or detect the autoregressive processing that allows the LLM to respond to the hidden query.
• Investigate and address potential vulnerabilities in the prompt engineering techniques used in the attack.