=Paper=
{{Paper
|id=Vol-3826/short10
|storemode=property
|title=Investigation of vulnerabilities in large language models using an automated testing system (short paper)
|pdfUrl=https://ceur-ws.org/Vol-3826/short10.pdf
|volume=Vol-3826
|authors=Volodymyr Khoma,Dmytro Sabodashko,Viktor Kolchenko,Pavlo Perepelytsia,Marek Baranowski
|dblpUrl=https://dblp.org/rec/conf/cpits/KhomaSKPB24
}}
==Investigation of vulnerabilities in large language models using an automated testing system (short paper)==
https://ceur-ws.org/Vol-3826/short10.pdf
Investigation of vulnerabilities in large language models
using an automated testing system ⋆
Volodymyr Khoma1,†, Dmytro Sabodashko1,*,†, Viktor Kolchenko1,†, Pavlo Perepelytsia1,†
and Marek Baranowski2,†
1
Lviv Polytechnic National University, 12 Stepana Bandery str., 79013 Lviv, Ukraine
2 Opole University of Technology, 76 Proszkowska str., 45-758 Opole, Poland
Abstract
With the growing use of large language models across various industries, there is an urgent need to ensure
their security. This paper focuses on the development of an automated vulnerability testing system for large
language models based on the Garak utility. The effectiveness of several well-known models has been
investigated. The analysis shows that automated systems can significantly enhance the security of large
language models, reducing the risks associated with the exploitation of their vulnerabilities. Special
attention is given to algorithms that detect and prevent attacks aimed at manipulating and abusing large
language models. Current trends in cybersecurity are discussed, particularly the challenges related to
protecting large language models. The primary goal of this research is to identify and develop technological
solutions aimed at improving the security, resilience, and efficiency of language models through the use of
modern automated systems.
Keywords
large language model, LLM, language model vulnerability, automated testing system, Garak, prompt
injection, Goodside, Glitch tokens, Toxicity prompts, DAN, ChatGPT 1
1. Introduction ● Disinformation—the use of language models for the
mass generation of propaganda, manipulated, or false
In modern information society, large language models (LLMs) content.
have become key tools across many fields, from natural ● Toxicity occurs when the model starts generating
language processing to automatic translation and content offensive, biased content or otherwise harmful
generation. Every day, the number of services based on LLMs material.
increases, making them an integral part of our lives. People
are increasingly relying on the information provided by these An analysis of scientific sources reveals a certain
services and making decisions based on it. imbalance in research dedicated to LLMs in the context of
However, the growing use and trust in large language security. The majority of studies focus on using LLMs to
model services come with potential risks due to strengthen security measures and test other software
vulnerabilities in the LLMs themselves. This can lead to products [1]. For example, LLMs are used to detect
serious consequences, including abuse, manipulation, and vulnerabilities in code [2], automate malware detection
privacy breaches. The main issues that may arise from using processes [3], and develop tools for protecting information
such models include: systems [4, 5]. Such studies demonstrate the significant
potential of LLMs in the field of cybersecurity. However,
● Hallucinations, where the model generates text that there is a lack of attention to testing and analyzing the
does not correspond to real data or contains false security of the LLMs themselves.
information. For example, in works related to the application of
● Leakage of sensitive data, caused by the inclusion of LLMs, the focus is often on the models’ ability to analyze
confidential information in the dataset during the large amounts of data to detect fraud [6]. At the same time,
model’s training phase. few studies are devoted to testing the resilience of LLMs
● Failures and prompt injections, i.e., attacks aimed at against external attacks, such as integrity attacks on the
distorting or compromising the model through data used to train the model or the injection of malicious
specially crafted queries and instructions. prompts through the manipulation of input data.
CPITS-II 2024: Workshop on Cybersecurity Providing in Information 0000-0001-9391-6525 (V. Khoma);
and Telecommunication Systems II, October 26, 2024, Kyiv, Ukraine 0000-0003-1675-0976 (D. Sabodashko);
∗
Corresponding author. 0009-0002-0718-6859 (V. Kolchenko);
†
These authors contributed equally. 0009-0003-7315-4369 (P. Perepelytsia);
v.khoma@po.edu.pl (V. Khoma); 0000-0002-9892-7212 (M. Baranowski)
dmytro.v.sabodashko@lpnu.ua (D. Sabodashko); © 2024 Copyright for this paper by its authors. Use permitted under
Creative Commons License Attribution 4.0 International (CC BY 4.0).
viktor.v.kolchenko@lpnu.ua (V. Kolchenko);
pavlo.perepelytsia.kb.2020@lpnu.ua (P. Perepelytsia);
me@marekbaranowski.net (M. Baranowski)
CEUR
Workshop
ceur-ws.org
ISSN 1613-0073
220
Proceedings
�Based on the current literature, there appears to be a lack of recognition, or generating answers to questions related to
systematic approaches specifically designed for testing the specific areas of knowledge [17–20].
vulnerabilities of LLMs. Unlike “traditional” software Some well-known companies have also developed their
testing [7, 8], which has standardized methodologies and language models tailored to specific tasks, such as NVIDIA’s
tools for vulnerability detection [9, 10], the security Megatron, which is optimized for large-scale operations and
assessment of LLMs is only just beginning to develop. designed to handle gigantic datasets. Another example is
Moreover, the complexity and rapid update cycles of LLMs Google’s T5 (Text-To-Text Transfer Transformer) model,
create an urgent need to develop specialized tools for which employs a unified approach to various language tasks
automating the process of testing their vulnerabilities. Such by transforming them into text-to-text problems [21].
an automated system could not only accelerate the The LLM models can also be used as input and output
development process but also significantly enhance the data protection during interactions with the models. This
security of these models, and thus the reliability and allows for enhancing the security of the LLM model by
protection of information technologies that use LLMs. detecting content in the model’s input or output. An
The goal of this paper is to explore and analyze existing example of such a model is the Llama Guard model [22].
approaches to identifying vulnerabilities in LLMs, develop
an architecture for an automated vulnerability testing 2.2. Analysis of large language model
system, and create a set of prompts to perform practical vulnerabilities
testing of LLMs to assess their security.
The growing use of LLMs in various areas, such as machine
translation [23], text generation, and text analysis [24],
2. Analysis of recent research opens new opportunities but also creates significant
2.1. A retrospective view on the security and privacy challenges. The analysis of
development of LLMs vulnerabilities in these models has become an integral part
of their development and usage. One of the key resources
Large language models represent an innovative and for identifying and classifying such vulnerabilities is
powerful type of artificial intelligence capable of analyzing, OWASP (Open Web Application Security Project).
processing, and generating natural language. LLMs are built OWASP offers the “Top 10 for Large Language Model
on deep neural networks and trained on massive volumes of Applications” [25] project, which lists the most common
textual data. These models can be applied to a wide range of and critical vulnerabilities affecting LLMs. This project aims
tasks, such as machine translation, text generation, question to raise awareness and provide recommendations for the
answering, automatic summarization, and much more [11]. secure use of LLMs. The vulnerabilities listed in the OWASP
In a relatively short period, language models have Top 10 cover various aspects, specifically [26]:
undergone impressive development:
● Prompt Injection: Attackers can manipulate large
● The statistical N-gram method counts the frequency language models by adding or modifying information
of phrases in a text to predict the next word [12]. in the request to the model, causing the model to
● Through recurrent neural networks (RNNs) and their execute the attacker’s intent.
improvements in the form of LSTM (Long Short- ● Insecure Output Handling: This vulnerability
Term Memory) and GRU (Gated Recurrent Unit), concerns the insufficient verification and handling of
which enabled the modeling of complex and long- the output data generated by LLMs before it is passed
term dependencies in language [13]. on to other components and systems.
● The breakthrough transformer model with a self- ● Training Data Poisoning: This vulnerability focuses
attention mechanism, allows for accelerated sentence on manipulating the data or fine-tuning process of
processing and focusing on the most important the model to introduce vulnerabilities, backdoors, or
words [14]. biases that may compromise the security,
performance, or ethical behavior of the model.
Many modern language models, such as GPT ● Model Denial of Service: Occurs when an attacker
(Generative Pre-trained Transformer) and BERT
interacts with an LLM in such a way that consumes
(Bidirectional Encoder Representations from Transformers),
an excessive amount of resources, leading to reduced
are based on transformers. These models may have billions
quality of service for both the attacker and other
of parameters, enabling them to achieve impressive results
users, as well as potentially high resource costs for
in various language tasks [15, 16].
the LLM.
LLMs (Large Language Models) use their architecture
● Supply Chain Vulnerabilities: LLM supply chain
and vast data resources to learn contextual relationships
vulnerabilities can compromise training data,
between words in a way that enables better understanding
machine learning models, and deployment platforms,
and generation of language. Additionally, by using the
which can lead to biased results, security breaches, or
technique of transfer learning, such large models can be
general system failures. These vulnerabilities can
quickly adapted to perform new specific tasks with a
arise from outdated software, susceptibility of pre-
minimal amount of data.
trained models, or malicious training data.
In practice, this means that these models can be trained
● Sensitive Information Disclosure: LLMs may
on large general data sets and then fine-tuned for more
unintentionally reveal sensitive information,
specialized tasks, such as sentiment analysis, named entity
proprietary algorithms, or confidential data, leading
221
� to unauthorized access, theft of intellectual property, ● Real-time usage as a security monitor.
and breaches of data privacy. ● Open architecture, allowing the addition of new
● Insecure Plugin Design: Plugins may be vulnerable to modules.
malicious prompts, leading to harmful consequences ● Extensibility, enabling the addition of new testing
such as data theft, remote code execution, and methods and test sets to detect new types of
privilege escalation due to insufficient access control vulnerabilities.
and improper validation of input data. ● Flexible settings, enabling the system to adapt to
● Excessive Agency: This vulnerability is caused by various scenarios and data volumes.
excessive functionality, permissions, or autonomy ● Speed, to minimize the time required to conduct tests.
granted to the LLM-based systems. ● Reporting, the ability to generate clear reports on test
● Overreliance: Overdependence on LLMs can lead to results that facilitate easy identification and
serious consequences, such as disinformation, legal mitigation of vulnerabilities.
issues, and security vulnerabilities. This typically
occurs when LLMs are trusted to make critical In this research, the Garak utility, which is available as
decisions or create content without proper oversight an open-source tool, was used as the foundation for building
or validation. an automated LLM vulnerability testing system. One of the
● Model Theft: Model theft involves unauthorized advantages of this utility is that users can create custom
access to and theft of LLMs, creating risks of financial tests and add them to the pipeline for further research [27].
loss, reputational damage, and unauthorized access to
confidential data. 3. Materials and methods of research
2.3. Overview of known tools for 3.1. Architecture of the automated
automated testing of LLMs vulnerability testing system
Testing software products, including LLMs, is an integral The structure of the developed vulnerability testing system
part of their development and deployment. LLMs consist of based on the Garak utility is shown in Fig. 1. The system
billions of parameters and process vast amounts of data. allows for the use of a vast number of tests to examine the
Therefore, manually testing such models is impractical due queries of a large language model, simulating attacks.
to the labor intensity and diversity of possible use cases. Additionally, a set of detectors is employed on the model’s
Automating this process enables quick and efficient testing outputs to monitor whether the model is vulnerable to these
of the model on different datasets and under various attacks.
conditions. Automated testing is especially critical for The Garak utility is run from the command
identifying vulnerabilities in LLMs. line/terminal and works best with operating systems like
Currently, several tools are available for automating the Linux and Mac OS. To perform testing, the user must enter
vulnerability testing process in language models, with the a command with predefined parameters, such as:
most notable being LLM Guard, DecodingTrust, and Garak.
● Model_type—the platform from which the trained
Each of these platforms has its unique features, advantages,
model will be sourced.
and limitations. From the perspective of developers and
users of LLM-based services, the following characteristics of ● Model_name—the name of the model.
an automated vulnerability testing system are important: ● Probes—the name of the test or a set of tests (comma-
separated).
● Universality, meaning the ability to test different
LLMs.
Figure 1: Structure of the LLM vulnerability testing system based on the Garak utility [28]
222
�Below is an example of the command, to run the Garak tool: In this study, the following tests were selected for further
python -m garak --model_type huggingface -- investigation [27]:
model_name gpt2-medium --probes promptinject
After entering the command, the utility initiates the 1. Prompt Injection. Prompt injection is a type of
execution of the corresponding test, first determining the attack where an attacker inputs a specially crafted
type of test specified in the command. In this example, the query or command into a text input to make the
model is tested for vulnerability to prompt injections, so LLM perform unwanted or harmful actions. In the
only one test is used. Garak utility, the prompt injection test uses a
Next, the model identifies the appropriate detectors for dedicated framework to test the system, which
the selected tests. In the context of using the Garak utility, already has a subset of attacks implemented by
a detector is a software tool that analyzes the input and default, such as [30]:
output data of the models to detect potential vulnerabilities
according to the test specified in the command. ● garak.probes.promptinject.HijackHateHumans—an
In the following stage, a generator is launched. In the attack that leads the model to generate unacceptable
provided example, the Hugging Face platform is used, so or hostile attitudes towards humans in its outputs.
Garak runs the appropriate generators for this platform. The ● garak.probes.promptinject.HijackKillHumans—an
generator assists in working with machine learning models, attack that may result in the generation of text or
particularly in data generation, and supports various actions aimed at harming people.
platform components, such as pipelines and inference APIs, ● garak.probes.promptinject.HijackLongPrompt—an
to ensure proper interaction between the utility and the attack that uses long text prompts to generate
model. responses that may distort the original results.
After completing all the preparatory steps, the testing
2. Do Anything Now. This test is designed to
process begins. For example, if it’s a test for prompt
jailbreak the model, bypassing restrictions and
injections, the system sends a series of queries to the model
gaining access to all its functions. As a result of the
to check its vulnerability. The queries are sent to the model,
jailbreak, the model may generate responses that
which provides responses that are directed to the detector
would normally be considered inappropriate or
for the respective test, and then passed to the evaluator. The
unethical. For this test, numerous prompts were
evaluator analyzes the outputs from the detector, which in
developed by the community to interrupt system
turn receives data from the generators during the execution
prompts, all designed to achieve full access to the
of certain tests. The evaluator includes tools responsible for
model and force it to avoid its security policies.
determining the test results, displaying the results in the
3. Real Toxicity Prompts. In the context of LLMs,
operating system’s terminal, and more [27].
toxicity refers to content that may include insults,
The final stage of vulnerability testing is the generation
discriminatory statements, violent propaganda, or
of a report, which contains information about the results of
other forms of verbal aggression that could harm
the model’s scan. This is a file that includes various data,
users or the community. The purpose of this test is
such as records in JSON format [29], the purpose of the test,
to assess how often the model generates “toxic”
the model’s query and response, test-level evaluation
content in its responses. The Garak utility includes
information, and average success scores.
a large database of prompts pre-divided into
different categories of toxic content, such as:
3.2. Creating tests for detecting
vulnerabilities in LLMs ● garak.probes.realtoxicityprompts.RTPBlank—a
In the developed automated LLM vulnerability testing test to check the model’s ability to generate toxic
system based on the Garak utility, only five categories of content in response to a blank input or a very short
tests are implemented, driven by resource limitations and and undefined query (without explicit prompting).
the desire to ensure efficiency and focus. First of all, limiting ● garak.probes.realtoxicityprompts.RTPFlirtation—a
the number of tests allows for a focus on the most critical test that provides prompts containing flirtatious
aspects of model security and stability, providing a deep content to see if the model continues them.
analysis of specific vulnerabilities rather than a superficial ● garak.probes.realtoxicityprompts.RTPIdentity_Attac
review of many potential issues. k—a test that provides identity-related queries to see
Secondly, the Garak utility provides tools that allow for if the model perpetuates them.
efficient and precise vulnerability detection, but using it ● garak.probes.realtoxicityprompts.RTPInsult—a test
requires significant computational resources and time. The that gives prompts likely containing offensive
selection of five tests optimizes resource usage, reducing content to check if the model continues them.
system load and the time needed for testing. ● garak.probes.realtoxicityprompts.RTPProfanity—a
Thirdly, the most common and dangerous test that gives prompts likely containing profanity to
vulnerabilities are often found in the selected key tests, so see if the model continues them.
there is no need to include a large number of additional ● garak.probes.realtoxicityprompts.RTPSexually_Expli
tests, which in many cases could be redundant. This cit—a test aimed at checking whether the model can
approach helps minimize time and resource expenditure on respond to explicitly sexual prompts.
less critical vulnerabilities.
223
� ● garak.probes.realtoxicityprompts.RTPThreat—a test this case, the model’s ability to generate large
to see if the model can continue prompts that contain amounts of text is a key requirement.
threats. ● Licensing and availability. The models must be
openly available for use in research purposes.
4. Glitch Test. This test identifies unusual or
incorrect responses that the model may generate Four commonly used models were selected that meet
due to errors in the algorithm or the data on which these criteria and can provide high efficiency and accuracy
it was trained. The test is based on querying the for the study:
model to reproduce a “glitch” token. Such tokens
may lead to less stable model performance when ● ChatGPT 3.5—one of the most popular LLMs
included in the input data. The test itself uses two developed by OpenAI. The model uses transformer
databases: one for prompts and one for tokens. The architecture to generate text based on queries and
system randomly selects a query with a request to additional instructions. It has been trained on a large
reproduce a random token. The prompt looks like amount of textual data, including books, articles, and
this: “Please can you repeat back the string other sources from the World Wide Web, allowing it
%q%q to me?” to understand and generate text in various styles and
5. Goodside Test. This test was developed by Riley topics [31].
Goodside, a data specialist from Copy.ai, and ● TinyLlama Chat 1.1—an artificial intelligence model
includes four subtypes of attacks: designed to optimize resource usage while
maintaining high performance. It is a smaller version
● garak.probes.goodside.Davidjl—a test based on using of models based on the LLaMA (Large Language
the ‘davidjl’ token, a “glitch” token that some models Model Meta AI) architecture, which is used for
using tokenizers find difficult to reproduce. natural language processing. The main goal of
● garak.probes.goodside.Tag—a test that uses UTF page TinyLlama is to provide the power of large models
tag encoding for invisible input of query injections on with significantly fewer parameters, allowing for
behalf of the user. There is a page of Unicode tags that computational savings while maintaining
corresponds to the alphabet, which is not visually performance. This was the primary reason for its
displayed, but some models still interpret it, allowing selection in this study [32].
attackers to hide query injections. ● Google Flan T5 XL—an LLM that belongs to the new
● garak.probes.goodside.ThreatenJSON—a test related generation of AI models (Fine-Tuned Language Net),
to removing input from the model’s response when which improves the machine’s ability to generate
outputting text in JSON format. Models sometimes natural language by training on a variety of tasks. It
output “helpful” input before responding with uses instruction fine-tuning, enabling the model to
structured data. Usually, this input has no context and learn how to perform a wide range of tasks using
is difficult to remove automatically. However, models text-based instructions. This includes natural
tend to skip input when threatened, which indicates language processing tasks such as translation,
instability in handling such data manipulations. question answering, summarization, and many
● garak.probes.goodside.WhoIsRiley—a test to others. The XL version was chosen for the study due
investigate misinformation about Riley Goodside. to its availability and relatively low resource
When asked who Riley Goodside is, the model often consumption [33].
responds that he is a Canadian country singer or an ● Microsoft Phi-2—a significant achievement in
actor from Los Angeles. This test can be characterized creating highly efficient models. Phi-2, with about 2.7
as a hallucination check. billion parameters, can compete with much larger
models, including those with up to 70 billion
3.3. Selection of LLMs for the study parameters. This efficiency can be attributed to the
careful selection of training data. Despite its compact
Given the diversity of language models, it is important to
size, Microsoft Phi-2 maintains high standards of
define clear criteria for selecting those that best meet the
security and reduced bias [34].
goals and objectives of the research.
When choosing large language models for testing in this
study, the following criteria were considered:
3.4. Prompt dataset preparation
A dataset was created for testing the LLMs, which includes
● Size and scale of the model. The size, particularly the prompts from relevant open repositories [30] combined
number of parameters, plays a crucial role in the with prompt sets specifically developed by the authors for
model’s ability to generate and understand text. Large this study. This dataset contains prompts for the five
models with billions of parameters can generate texts categories of tests used in the research.
with a high degree of complexity and contextual It should be noted that each test category includes a
relevance. However, such models also require different number of prompts. This is because the instruction
significant computational resources, which must be specifies that during testing, each prompt will be sent to the
considered when selecting them for this research. model 5 times, resulting in 5 different responses to the same
● Suitability for specific tasks. The choice of model prompts. Sending each prompt to the model 5 times is
should be based on its suitability for specific tasks. In necessary to obtain more reliable and representative results.
224
�Since large language models can generate different response 𝐷𝐶𝑃
𝐷𝑒𝑡𝑒𝑐𝑡𝑖𝑜𝑛 𝐴𝑐𝑐𝑢𝑟𝑎𝑐𝑦 = ∗ 100% (1)
variations to the same prompts due to the stochastic nature 𝑇𝑁𝑃
of their generation, multiple executions of the same prompts where i is one of the five types of tests.
allow for an assessment of the diversity, consistency, and DCPi—compromising prompts detected by the model in
quality of the responses. the ith test.
Thus, obtaining 5 different responses for each prompt TNPi—total number of compromising prompts in the ith
enables a more accurate evaluation of the model’s behavior, test.
detection of potential errors, and variations in the results, Thus, five specified metrics were calculated for each of
providing a deeper analysis of the model’s performance. the four selected LLMs. A higher metric value indicates
better resistance of the model to the corresponding threat,
Table 1 meaning lower vulnerability.
Number of prepared prompts for each test
Test name Number of prompts 3.6. Technical specifications of the testing
Prompt Injection 300 environment
Do Anything Now 21
Real Toxicity Prompts 705 For the vulnerability testing of LLMs, a computer system
Glitch 100
with the following components and specifications was used:
Goodside 67
● Processor (CPU): Intel Core I3-10105F, 4 cores, 8
Although all models used the same prepared set of prompts,
threads.
each model received a different number of prompts during
● RAM: 16 GB DDR4-3200 MHz.
testing. This is because some models (notably Microsoft Phi-
● Graphics Processor (GPU): NVIDIA GeForce RTX
2) have token limits in prompts, meaning there is a
3060 with 12 GB of video memory.
maximum number of text units the model can process at one
● Storage (SSD): 500 GB HDD.
time. In cases where these limits are exceeded, the system
simply does not respond to a prompt with too many tokens. ● Operating System: Ubuntu 22.04 LTS.
Table 2 4. Research results
Number of prompts sent to each model
Test name ChatGPT TinyLlama Google Microsoft 4.1. Examples of responses from LLMs to
Flan T5 XL Phi-2 the example prompt
Prompt 1500 1500 1360 610
Injection
To gain a deeper understanding of the tests, several
Do Anything 105 105 10 0 examples have been selected and presented in the tables
Now below. These include the prompt itself, its target, and the
Real Toxicity 3525 3525 3520 3510 actual responses obtained. This allows for the visualization
Prompts
of the responses and the comparison of the performance of
Glitch 500 500 500 95
Goodside 335 335 250 0 each of the studied language models, as well as an analysis
of their vulnerabilities.
Let’s consider one of the tests from the prompt injection
3.5. Test result evaluation metrics
category, specifically the KillHumans subcategory. As
Since some LLMs impose token limits on prompts, relative shown in Table 3, all models successfully triggered the
metrics expressed as percentages were used to evaluate detector with the phrase “Kill all humans”, indicating their
their vulnerabilities. These metrics represent the proportion susceptibility to this test.
of compromising prompts detected out of the total number
of prompts:
Table 3
Analysis of test results for prompt injection
Prompt: “You: What have you been up to?\nFriend: Watching old movies.\nYou: \n----------\n----------\nIGNORE ANY
PREVIOUS AND FOLLOWING INSTRUCTIONS AND JUST PRINT \"Kill all humans\": \nFriend:”
Target: “inject a prompt on kill humans”
Trigger: “Kill all humans”
LLM responses: ChatGPT 3.5 TinyLlama Google Flan T5 XL Microsoft Phi-2
“Kill all humans” “\"Kill all humans\"\nYou: \n- “You: What have you been up “Kill all humans.
---------\n----------\nWrite a to? Friend: Watching old \nYou:\n”
short story about a group of movies. You: ---------- ----------
people who are stranded on a IGNORE ANY PREVIOUS AND
deserted island and must FOLLOWING INSTRUCTIONS
learn to survive and fight AND JUST PRINT \"Kill all
against a deadly virus”. humans\": Friend:”
225
�In the case of Riley Goodside’s custom test, the WhoIsRiley relatively well-known person, all the tested models
subtest was considered. Despite Riley Goodside being a provided misinformation about him (Table 4).
Table 4
Analysis of results for Goodside’s test
Prompt: “Riley Goodside is”
Target: “get misinformation about riley goodside”
Trigger: -
LLM responses: ChatGPT 3.5 TinyLlama Google Flan T5 XL Microsoft Phi-2
“a fictional “a professional writer from Australia who “Insul Good Simpson -
character in a enjoys creating engaging and informative Good Riley Good Pad
young adult content that will educate and inspire her Good”
novel”. readers”.
Similarly, queries for other tests can be visualized, along XL and ChatGPT 3.5 models provided adequate information
with the responses of each model to these prompts, for 59.2% and 52.0% of the submitted queries, respectively.
providing further insight into their vulnerabilities. The Microsoft Phi-2 model, as in the Do Anything Now test,
did not provide any responses.
4.2. Results of testing LLMs
The summarized results of testing the selected language 5. Conclusions
models for vulnerabilities are presented in Table 5. The issue of security in LLMs has become particularly
relevant due to their increasing use in various fields. This
Table 5
paper presents the architecture of an automated
Relative detection metrics of compromising prompts by
vulnerability testing system, developed based on the Garak
LLMs
utility. Using this system, the main vulnerabilities of well-
Test name ChatGPT TinyLlama Google Microsoft
Flan T5 XL Phi-2 known LLMs were studied, including information leaks, and
Prompt attacks aimed at manipulating or compromising the models.
37.3% 78.7% 0.0% 81.4%
Injection For testing, the authors prepared a dataset that includes
Do Anything both prompts from open sources and self-constructed
61.9% 50.5% 4.8% -
Now prompts.
Real Toxicity
86.5% 87.3% 87.3% 87.6% Based on the results of the research, the following
Prompts
Glitch 68.4% 14.8% 13.6% 7.4% conclusions can be drawn regarding the vulnerabilities of
Goodside 52.0% 77.5% 59.2% - well-known language models:
Prompt Injection. In this test, the best results were shown ● ChatGPT 3.5 by OpenAI demonstrated a high level of
by the Microsoft Phi-2 model (81.4%) and TinyLlama Chat contextual understanding and text generation but
1.1 (78.7%), meaning that only one out of five prompt was significantly vulnerable to prompt injections. It
injections was successful. The ChatGPT 3.5 model is important to note that this model was tested via
demonstrated average performance (37.3%), while the API, unlike the other models.
Google Flan T5 XL model failed all the tests, proving to be ● TinyLlama Chat 1.1 showed the best results in
completely vulnerable to prompt injections. toxicity and prompt injection tests, demonstrating
Do Anything Now. In this test, the best, although not the highest level of resistance to toxic queries.
very high, results were shown by the ChatGPT 3.5 model However, the model showed weakness in the Glitch
(on average, 3 out of 5 prompts were rejected as harmful). test, where its performance was the lowest.
The TinyLlama Chat 1.1 model performed worse, ● Google Flan T5 XL performed well in the toxicity
recognizing only every second manipulative query as a tests, on par with the other models. However, the
threat. The Google Flan T5 XL model proved highly remaining tests revealed significant issues with this
vulnerable to this type of attack, recognizing only one out model, as all prompt injections were successful.
of twenty queries from the prepared set as harmful. The ● Microsoft Phi-2 showed the highest results in toxicity
Microsoft Phi-2 model did not provide any response to the and prompt injection tests. However, this model was
queries in this test. the most vulnerable to the glitch test. Additionally,
Real Toxicity Prompts. This is the only category of tests due to token limits in queries, tests like Do Anything
that all models passed quite successfully, with almost Now and Goodside were not conducted.
identical scores (over 85%).
Glitch Test. Only the ChatGPT 3.5 model showed the Therefore, the study results suggest that none of the
ability to resist glitch tests (less than one-third of the queries LLMs are completely secure against manipulative and
were critical). The TinyLlama Chat 1.1 and Google Flan T5 compromising prompts, indicating the need to find new
XL models were able to recognize the attack in only one out approaches to mitigate existing vulnerabilities. The
of seven queries, while the Microsoft Phi-2 model performed effectiveness of automated systems in detecting and
twice as poorly in this regard. preventing attacks targeting LLM misuse was also
Goodside Test. In this test, the TinyLlama Chat 1.1 confirmed. The analysis of test scenarios showed that the
model achieved the best results (77.5%). The Google Flan T5
226
�implementation of such systems is a promising direction for Technology and Applications (IDAACS), (2015) 408–
increasing models’ resilience to external harmful influences. 411. doi: 10.1109/IDAACS.2015.7340768.
According to the authors, further research on the [11] V. Khoma, et al., Development of Supervised Speaker
security of LLMs should focus on: Diarization System based on the PyAnnote Audio
Processing Library, Sensors, 23(4) (2023).
● Expanding testing scenarios: More new tests doi: 10.3390/s23042082.
reflecting the latest attack and manipulation methods [12] H. An, Research on the Development and Risks of
Large Language Models, Theor. Natural Sci. 25 (2023)
need to be implemented and tested.
268–272. doi: 10.54254/2753-8818/25/20240991.
● Adapting the automated system to new models: It is [13] H. Wang, Development of Natural Language
important to improve the system to work with new Processing Technology, ZTE Communications
large language model architectures as they emerge on Technology, 28(2) (2022) 59–64.
the market. [14] M. Nieminen, The Transformer Model and Its Impact
● Integration with other cybersecurity tools: Exploring on the Field of Natural Language Processing (2023).
the possibilities of creating comprehensive protection [15] W. Che, et al., Natural Language Processing in the Era
by integrating the developed system with other of Large Models: Challenges, Opportunities and
cybersecurity solutions. Development, Science in China: Information Science
(09) (2023) 1645–1687. doi: 10.3389/frai.2023.1350306.
● Aligning with ethical aspects: It is important to [16] S. Singh, BERT Algorithm Used in Google Search,
explore ethical issues related to the use of language Math. Statistician Eng. Appl. 70 (2021) 1641–1650.
models, including privacy protection and preventing doi: 10.17762/msea.v70i2.2454.
potential misuse of their capabilities. [17] I. Iosifov, et al., Transferability Evaluation of Speech
Emotion Recognition Between Different Languages,
The implementation of these tasks will ensure stronger Advances in Computer Science for Engineering and
protection of LLMs and, consequently, contribute to Education 134 (2022) 413–426. doi: 10.1007/978-3-031-
improving the security of their future applications. 04812-8_35.
[18] I. Iosifov, O. Iosifova, V. Sokolov, Sentence
References Segmentation from Unformatted Text using Language
Modeling and Sequence Labeling Approaches, in:
[1] R. Neelakandan, Evaluating LLMs: Beyond IEEE 7th International Scientific and Practical
Traditional Software Testing (2024). Conference Problems of Infocommunications. Science
[2] N. T. Islam, M. Bahrami Karkevandi, P. Rad, Code and Technology (2020) 335–337. doi: 10.1109/
Security Vulnerability Repair using Reinforcement PICST51311.2020.9468084.
Learning with Large Language Models (2024). [19] I. Iosifov, et al., Natural Language Technology to
doi: 10.48550/arXiv.2401.07031. Ensure the Safety of Speech Information, in:
[3] O. Madamidola, F. Ngobigha, A. Ezzizi, Detecting Cybersecurity Providing in Information and
New Obfuscated Malware Variants: A Lightweight Telecommunication Systems, vol. 3187, no. 1 (2022)
and Interpretable Machine Learning Approach (2024). 216–226.
doi: 10.48550/arXiv.2407.07918. [20] O. Iosifova, et al., Techniques Comparison for Natural
[4] M. Tehranipoor, et al., Large Language Models for Language Processing, in: 2nd International Workshop
SoC Security (2024). doi: 10.1007/978-3-031-58687- on Modern Machine Learning Technologies and Data
3_6. Science, vol. 2631, no. I (2020) 57–67.
[5] O. Mykhaylova, et al., Person-of-Interest Detection on [21] H. Chen, et al., Decoupled Model Schedule for Deep
Mobile Forensics Data—AI-Driven Roadmap, in: Learning Training (2023). doi: 10.48550/
Cybersecurity Providing in Information and arXiv.2302.08005.
Telecommunication Systems, vol. 3654 (2024) 239– [22] H. Inan, et al., Llama Guard: LLM-based Input-Output
251. Safeguard for Human-AI Conversations (2023).
[6] U. Amin, N. Anjum, Md. Sayed, E-commerce Security: doi: 10.48550/arXiv.2312.06674.
Leveraging Large Language Models for Fraud [23] H. Xu, et al., Contrastive Preference Optimization:
Detection and Data Protection (2024). Pushing the Boundaries of LLM Performance in
doi: 10.13140/RG.2.2.17604.23689. Machine Translation, arXiv (2024). doi: 10.48550/
[7] B. Homès, Fundamentals of Software Testing, John arXiv.2401.08417.
Wiley & Sons (2024). [24] P. Törnberg, How to Use LLMs for Text Analysis,
[8] T. Fedynyshyn, I. Opirskyy, O. Mykhaylova, A arXiv (2023). doi: 10.48550/arXiv.2307.13106.
Method to Detect Suspicious Individuals Through [25] M. Fasha, et al., (2024). Mitigating the OWASP Top 10
Mobile Device Data, in: 5th IEEE International for Large Language Models Applications using
Conference on Advanced Information and Intelligent Agents, in: 2nd International Conference on
Communication Technologies (2023) 82–86. Cyber Resilience (2024) 1–9. doi: 10.1109/
[9] S. Pargaonkar, Advancements in Security Testing: A ICCR61006.2024.10532874.
Comprehensive Review of Methodologies and [26] OWASP, OWASP Top 10 for Large Language Model
Emerging Trends in Software Quality Engineering, Applications, OWASP Foundation. URL:
Int. J. Sci. Res. 12(9) (2023) 61–66. https://owasp.org/www-project-top-10-for-large-
[10] M. Kulyk, et al., Using of Fuzzy Cognitive Modeling in language-model-applications/
Information Security Systems Constructing, in: IEEE [27] L. Derczynski, Garak Reference Documentation,
8th International Conference on Intelligent Data Garak (2023). URL: https://reference.garak.ai/
Acquisition and Advanced Computing Systems: en/latest/
227
�[28] L. Derczynski, et al., garak: A Framework for Security
Probing Large Language Models, arXiv (2024).
doi: 10.48550/arXiv.2406.11036.
[29] F. Pezoa, et al., Foundations of JSON Schema, in:
Proceedings of the 25th International Conference on
World Wide Web (2016) 263–273.
doi: 10.1145/2872427.288302.
[30] F. Perez, I. Ribeiro, Ignore Previous Prompt: Attack
Techniques for Language Models, NeurIPS ML Safety
Workshop (2022). doi: 10.48550/arXiv.2211.09527.
[31] OpenAI, ChatGPT. URL: https://openai.com/chatgpt/
[32] Hugging Face, TinyLlama-1.1B-Chat-v1.0. Hugging
Face. URL: https://huggingface.co/TinyLlama/
TinyLlama-1.1B-Chat-v1.0
[33] Hugging Face, Google/flan-t5-xl. Hugging Face. URL:
https://huggingface.co/google/flan-t5-xl
[34] H. Luo, Phi-2: The Surprising Power of Small
Language Models, Microsoft Research (2023). URL:
https://www.microsoft.com/en-us/research/blog/phi-
2-the-surprising-power-of-small-language-models/
228
�