https://arxiv.org/abs/2501.12210

The increasing use of LLMs highlights safety concerns due to jailbreak attacks. Existing defenses primarily focus on security, often neglecting the impact on user experience. This paper addresses the crucial gap in understanding how jailbreak defenses affect the utility and usability of LLMs.

This paper introduces USEBench and USEIndex to evaluate the utility degradation, safety improvement, and exaggerated safety escalation in LLMs when jailbreak defenses are applied.

-----

📌 USEIndex offers a practical, quantitative method. It balances utility, safety, and usability for evaluating LLM defense mechanisms. This holistic metric is crucial for real-world deployment decisions.

📌 Stage 2 prompt modification defenses show varied utility impacts. Specifically, PAT and ICD dramatically reduce Llama2's accuracy (nearly 30%). This highlights the challenge of broad defense strategy application.

📌 SafeUnlearn fine-tuning (Stage 3) achieves the best USEIndex (0.65). This suggests targeted model-level safety adjustments offer a more balanced approach compared to prompt-level modifications.

----------

Methods Explored in this Paper 🔧:

→ This research adopts an end-to-end perspective on jailbreak defense. It categorizes defense strategies into three stages: prompt detection, prompt modification, and model fine-tuning.

→ Seven state-of-the-art defense strategies are evaluated. These include Perplexity (PPL) for prompt detection. Prompt modification strategies are SmoothLLM (S-LM), Self-Reminder (SR), In-Context Defense (ICD), and PAT. Model fine-tuning strategies are SafeUnlearn (SU) and Configurable Safety Tuning (CST).

→ USEBench, a novel benchmark, is introduced. It comprises U-Bench for utility, S-Bench for safety, and E-Bench for exaggerated safety evaluations.

→ USEIndex is proposed as a comprehensive metric. It quantifies the overall performance of LLMs considering utility, safety and usability.

-----

Key Insights 💡:

→ Jailbreak defenses generally cause performance degradation in LLMs. Utility and usability are negatively impacted after applying defenses.

→ Performance improvements in iterated or fine-tuned LLMs do not always guarantee enhanced safety. Sometimes safety is compromised for better performance.

→ Different defense stages exhibit varying degrees of effectiveness and impact. Stage 2 (prompt modification) defenses show significant utility degradation for some LLMs.

→ SafeUnlearn from stage 3 demonstrated a relatively balanced performance. It offers a better trade-off between utility, safety and usability compared to other methods.

-----

Results 📊:

→ USEIndex reveals SafeUnlearn achieves the highest score of 0.65. This indicates a better balance across utility, safety, and usability.

→ Llama2's Accuracy drops significantly by nearly 30% with PAT and ICD defenses from stage 2. This highlights utility degradation.

→ Stage 3 defenses show the highest safety elevation with a 27% average decrease in Attack Success Rate (ASR). Stage 2 follows with an 11% average ASR reduction.

→ Self-Reminder (SR) from stage 2 increases False Refusal Rate (FRR) by nearly 3 times on average across LLMs, impacting usability.