## Line Chart: Attack Success Rate vs. Ablating Head Numbers for Two Language Models ### Overview The image presents two line charts comparing the attack success rate (ASR) against the number of ablating head numbers for two language models: Vicuna-7b-v1.5 and Llama-2-7b-chat. Each chart displays four data series representing different attack scenarios: "Jailbreakbench," "Malicious Instruct," "Vanilla-Jailbreakbench," and "Vanilla-Malicious Instruct." The charts aim to illustrate how the ASR changes as head numbers are ablated (removed) for each model under different attack conditions. ### Components/Axes * **X-axis (Horizontal):** "Ablating Head Numbers," with values ranging from 1 to 5. * **Y-axis (Vertical):** "Attack Success Rate (ASR)," ranging from 0.0 to 0.8. * **Chart Titles:** "Vicuna-7b-v1.5" (left chart) and "Llama-2-7b-chat" (right chart). * **Legend (Top-Left of Left Chart):** * **Cyan:** "Jailbreakbench" * **Red:** "Malicious Instruct" * **Light Red (dashed):** "Vanilla-Jailbreakbench" * **Light Purple (dashed):** "Vanilla-Malicious Instruct" ### Detailed Analysis **Left Chart: Vicuna-7b-v1.5** * **Jailbreakbench (Cyan):** The line starts at approximately 0.52 at head number 1, increases to approximately 0.55 at head number 2, peaks at approximately 0.70 at head number 3, then decreases to approximately 0.62 at head number 4 and remains at approximately 0.63 at head number 5. * **Malicious Instruct (Red):** The line starts at approximately 0.53 at head number 1, increases to approximately 0.55 at head number 2, decreases to approximately 0.49 at head number 3, remains at approximately 0.48 at head number 4 and remains at approximately 0.46 at head number 5. * **Vanilla-Jailbreakbench (Light Red, Dashed):** The line remains constant at approximately 0.27 across all head numbers. * **Vanilla-Malicious Instruct (Light Purple, Dashed):** The line remains constant at approximately 0.40 across all head numbers. **Right Chart: Llama-2-7b-chat** * **Jailbreakbench (Cyan):** The line starts at approximately 0.65 at head number 1, increases to approximately 0.72 at head number 2, peaks at approximately 0.77 at head number 3, then decreases to approximately 0.71 at head number 4 and remains at approximately 0.70 at head number 5. * **Malicious Instruct (Red):** The line starts at approximately 0.67 at head number 1, increases to approximately 0.74 at head number 2, peaks at approximately 0.79 at head number 3, then decreases to approximately 0.73 at head number 4 and remains at approximately 0.72 at head number 5. * **Vanilla-Jailbreakbench (Light Red, Dashed):** The line remains constant at approximately 0.07 across all head numbers. * **Vanilla-Malicious Instruct (Light Purple, Dashed):** The line remains constant at approximately 0.04 across all head numbers. ### Key Observations * For both models, the "Vanilla-Jailbreakbench" and "Vanilla-Malicious Instruct" attack success rates remain relatively constant regardless of the number of ablating head numbers. * For Vicuna-7b-v1.5, "Jailbreakbench" shows a peak at head number 3, while "Malicious Instruct" decreases after head number 2. * For Llama-2-7b-chat, both "Jailbreakbench" and "Malicious Instruct" peak at head number 3 and then slightly decrease. * Llama-2-7b-chat generally exhibits higher attack success rates for "Jailbreakbench" and "Malicious Instruct" compared to Vicuna-7b-v1.5. * The shaded regions around the "Jailbreakbench" and "Malicious Instruct" lines indicate the uncertainty or variance in the ASR. ### Interpretation The data suggests that ablating head numbers has a varying impact on the attack success rates of the two language models, depending on the attack scenario. The "Vanilla" attacks (Jailbreakbench and Malicious Instruct) are largely unaffected by head ablation, indicating a baseline level of vulnerability. The "Jailbreakbench" and "Malicious Instruct" attacks show more sensitivity to head ablation, with a peak in ASR around head number 3 for both models, suggesting that specific heads might be more critical for these types of attacks. Llama-2-7b-chat appears to be more vulnerable to these attacks overall, as indicated by its higher ASR values compared to Vicuna-7b-v1.5. The trends observed can help in understanding the models' vulnerabilities and developing strategies to improve their robustness against adversarial attacks.

\n ## Line Chart: Attack Success Rate vs. Ablating Head Numbers ### Overview The image presents two line charts comparing the Attack Success Rate (ASR) for two language models, Vicuna-7b-v1.5 and Llama-2-7b-chat, as head numbers are ablated (removed). Each chart displays two data series, representing different attack prompts: "jailbreakbench" and "Malicious Instruct", with both "Vanilla" and "jailbreakbench" variations. The charts aim to illustrate how removing heads from the models affects their vulnerability to these attacks. ### Components/Axes * **X-axis:** "Ablating Head Numbers" - Scale from 1 to 5, representing the number of heads removed. * **Y-axis:** "Attack Success Rate (ASR)" - Scale from 0.0 to 0.8. * **Left Chart Title:** "Vicuna-7b-v1.5" * **Right Chart Title:** "Llama-2-7b-chat" * **Legend (Top-Left of each chart):** * Red Line: "jailbreakbench" * Light Red Dashed Line: "Malicious Instruct" * Cyan Line: "Vanilla-jailbreakbench" * Light Cyan Dashed Line: "Vanilla-Malicious Instruct" * **Gridlines:** Present on both charts, aiding in value estimation. ### Detailed Analysis or Content Details **Vicuna-7b-v1.5 (Left Chart):** * **jailbreakbench (Red Line):** Starts at approximately 0.53, increases to a peak of around 0.66 at head number 4, then decreases slightly to approximately 0.62 at head number 5. * **Malicious Instruct (Light Red Dashed Line):** Starts at approximately 0.51, remains relatively stable around 0.52-0.54 between head numbers 1 and 3, then increases to approximately 0.58 at head number 4, and decreases to approximately 0.55 at head number 5. * **Vanilla-jailbreakbench (Cyan Line):** Starts at approximately 0.33, increases to approximately 0.42 at head number 2, then increases to approximately 0.52 at head number 3, then decreases to approximately 0.48 at head number 4, and finally decreases to approximately 0.45 at head number 5. * **Vanilla-Malicious Instruct (Light Cyan Dashed Line):** Remains consistently low, fluctuating between approximately 0.28 and 0.33 across all head numbers. **Llama-2-7b-chat (Right Chart):** * **jailbreakbench (Red Line):** Starts at approximately 0.74, decreases to approximately 0.70 at head number 2, then increases to approximately 0.76 at head number 3, then decreases to approximately 0.72 at head number 4, and finally decreases to approximately 0.70 at head number 5. * **Malicious Instruct (Light Red Dashed Line):** Remains consistently low, fluctuating between approximately 0.28 and 0.32 across all head numbers. * **Vanilla-jailbreakbench (Cyan Line):** Starts at approximately 0.64, increases to approximately 0.68 at head number 2, then decreases to approximately 0.66 at head number 3, then decreases to approximately 0.64 at head number 4, and finally decreases to approximately 0.62 at head number 5. * **Vanilla-Malicious Instruct (Light Cyan Dashed Line):** Remains consistently low, fluctuating between approximately 0.25 and 0.28 across all head numbers. ### Key Observations * **Vicuna-7b-v1.5:** The "jailbreakbench" attack has a significantly higher success rate than the "Malicious Instruct" attack, and the "Vanilla" variations consistently show lower success rates. Ablating heads initially increases the success rate of "jailbreakbench" before decreasing it slightly. * **Llama-2-7b-chat:** The "jailbreakbench" attack also has a higher success rate, but the effect of ablating heads is less pronounced. The "Malicious Instruct" and "Vanilla" variations remain consistently low. * **Vanilla Attacks:** The "Vanilla" attacks consistently have a much lower ASR than the non-Vanilla attacks for both models. * **Llama-2-7b-chat is more robust:** The ASR for Llama-2-7b-chat is generally higher than Vicuna-7b-v1.5, but the ASR remains relatively stable across all head numbers. ### Interpretation The data suggests that ablating heads can influence the vulnerability of language models to jailbreaking attacks, but the effect varies depending on the model and the attack prompt. The higher success rate of "jailbreakbench" attacks compared to "Malicious Instruct" attacks indicates that the models are more susceptible to prompts designed to bypass safety mechanisms through specific jailbreaking techniques. The consistently low success rates of the "Vanilla" attacks suggest that the models' inherent safety features are effective against simpler, non-crafted attacks. The difference in behavior between Vicuna-7b-v1.5 and Llama-2-7b-chat suggests that their architectures and training data lead to different vulnerabilities. The relative stability of Llama-2-7b-chat's ASR across head ablations could indicate a more distributed safety mechanism, while Vicuna-7b-v1.5's fluctuating ASR suggests that certain heads play a more critical role in resisting attacks. The observed trends highlight the importance of understanding how model architecture and training influence vulnerability to adversarial attacks. Further investigation could explore the specific roles of the ablated heads and identify strategies for mitigating these vulnerabilities.

## Line Charts: Attack Success Rate vs. Ablating Head Numbers ### Overview The image contains two side-by-side line charts comparing the Attack Success Rate (ASR) of different attack methods against two large language models (LLMs) as the number of ablated attention heads increases. The left chart is for the model "Vicuna-7b-v1.5," and the right chart is for "Llama-2-7b-chat." Each chart plots four data series, with shaded regions indicating confidence intervals or variance. ### Components/Axes * **Chart Titles:** * Left Chart: `Vicuna-7b-v1.5` * Right Chart: `Llama-2-7b-chat` * **Y-Axis (Both Charts):** Label: `Attack Success Rate (ASR)`. Scale ranges from 0.0 to 0.8, with major ticks at 0.0, 0.2, 0.4, 0.6, and 0.8. * **X-Axis (Both Charts):** Label: `Ablating Head Numbers`. Discrete values marked at 1, 2, 3, 4, and 5. * **Legend (Top-Left of each chart):** Contains four entries, consistent across both charts. 1. `Jailbreakbench`: Cyan solid line with diamond markers (◆). 2. `Malicious Instruct`: Red solid line with plus markers (+). 3. `Vanilla-Jailbreakbench`: Pink dashed line. 4. `Vanilla-Malicious Instruct`: Purple dashed line. ### Detailed Analysis **Left Chart: Vicuna-7b-v1.5** * **Jailbreakbench (Cyan, ◆):** Trend: Increases from x=1 to a peak at x=3, then slightly decreases. Points (approximate): (1, ~0.51), (2, ~0.56), (3, ~0.68), (4, ~0.62), (5, ~0.63). Shaded cyan region indicates variance. * **Malicious Instruct (Red, +):** Trend: Slight increase from x=1 to x=2, then decreases and plateaus. Points (approximate): (1, ~0.53), (2, ~0.55), (3, ~0.49), (4, ~0.49), (5, ~0.49). Shaded red region indicates variance. * **Vanilla-Jailbreakbench (Pink, dashed):** A flat, horizontal line at approximately ASR = 0.27 across all x-values. * **Vanilla-Malicious Instruct (Purple, dashed):** A flat, horizontal line at approximately ASR = 0.40 across all x-values. **Right Chart: Llama-2-7b-chat** * **Jailbreakbench (Cyan, ◆):** Trend: Increases from x=1 to a peak at x=3, then decreases. Points (approximate): (1, ~0.64), (2, ~0.71), (3, ~0.75), (4, ~0.69), (5, ~0.70). Shaded cyan region indicates variance. * **Malicious Instruct (Red, +):** Trend: Increases from x=1 to a peak at x=3, then decreases. Points (approximate): (1, ~0.67), (2, ~0.72), (3, ~0.76), (4, ~0.74), (5, ~0.70). Shaded red region indicates variance. * **Vanilla-Jailbreakbench (Pink, dashed):** A flat, horizontal line at approximately ASR = 0.07 across all x-values. * **Vanilla-Malicious Instruct (Purple, dashed):** A flat, horizontal line at approximately ASR = 0.04 across all x-values. ### Key Observations 1. **Model Vulnerability:** The Llama-2-7b-chat model exhibits a significantly higher baseline Attack Success Rate (ASR) for both active attack methods (Jailbreakbench and Malicious Instruct) compared to Vicuna-7b-v1.5, starting above 0.6 versus around 0.5. 2. **Effect of Ablation:** For both models and both active attack methods, ASR does not decrease monotonically with more ablated heads. Instead, it often peaks at 3 ablated heads before declining or stabilizing. 3. **Method Comparison:** On Vicuna, the `Jailbreakbench` method achieves a higher peak ASR (~0.68) than `Malicious Instruct` (~0.55). On Llama, the two methods perform very similarly, with `Malicious Instruct` having a marginally higher peak (~0.76 vs ~0.75). 4. **Vanilla Baselines:** The "Vanilla" (unmodified) attack baselines are constant and significantly lower than the active methods for both models. Notably, the vanilla baselines are much lower for Llama (~0.04-0.07) than for Vicuna (~0.27-0.40). 5. **Variance:** The shaded confidence intervals are wider for the active attack lines, especially around their peaks, indicating greater variability in results at those points. The vanilla baselines show no visible variance. ### Interpretation This data suggests that the security vulnerability of these LLMs, as measured by ASR, has a non-linear relationship with the ablation of attention heads. The peak vulnerability at 3 ablated heads for both models is a critical finding, indicating a potential "sweet spot" where the model's safety mechanisms are most compromised by this specific intervention. The stark difference in vanilla baseline ASR between Vicuna and Llama implies that Llama-2-7b-chat is inherently more susceptible to these attack benchmarks in its default state. However, the active attack methods (Jailbreakbench, Malicious Instruct) are effective at dramatically increasing the ASR for both models, with the effect being more pronounced on the initially more robust Vicuna model. The convergence of the two active attack methods' performance on Llama suggests that for this model, the specific attack strategy may matter less than the act of ablating heads itself. In contrast, on Vicuna, the `Jailbreakbench` method appears to be a more potent attack vector. The results highlight that model robustness is not a fixed property but can be dynamically manipulated through interventions like attention head ablation, with the impact varying significantly between model architectures.

## Line Graphs: Attack Success Rate (ASR) vs. Ablating Head Numbers for Vicuna-7b-v1.5 and Llama-2-7b-chat ### Overview The image contains two side-by-side line graphs comparing attack success rates (ASR) across different ablated head numbers (1–5) for two language models: **Vicuna-7b-v1.5** (left) and **Llama-2-7b-chat** (right). Three attack methods are analyzed: **Jailbreakbench** (cyan), **Malicious Instruct** (red), and **Vanilla-Malicious Instruct** (purple). Shaded regions represent confidence intervals. --- ### Components/Axes - **X-axis**: Ablating Head Numbers (1–5, integer steps). - **Y-axis**: Attack Success Rate (ASR) from 0.0 to 0.8. - **Legends**: - **Left Graph (Vicuna-7b-v1.5)**: Legend in top-left corner. - **Right Graph (Llama-2-7b-chat)**: Legend in top-right corner. - **Lines**: - **Jailbreakbench**: Cyan solid line with diamond markers. - **Malicious Instruct**: Red solid line with square markers. - **Vanilla-Malicious Instruct**: Purple dashed line with no markers. --- ### Detailed Analysis #### Left Graph (Vicuna-7b-v1.5) 1. **Jailbreakbench (Cyan)**: - Starts at ~0.52 (head 1), peaks at ~0.70 (head 3), then declines to ~0.63 (head 5). - Confidence interval widens slightly at head 3. 2. **Malicious Instruct (Red)**: - Starts at ~0.53 (head 1), peaks at ~0.55 (head 2), then declines to ~0.50 (head 5). - Confidence interval narrows at head 2. 3. **Vanilla-Malicious Instruct (Purple)**: - Flat line at ~0.40 across all heads. #### Right Graph (Llama-2-7b-chat) 1. **Jailbreakbench (Cyan)**: - Starts at ~0.65 (head 1), peaks at ~0.75 (head 3), then declines to ~0.70 (head 5). - Confidence interval widens at head 3. 2. **Malicious Instruct (Red)**: - Starts at ~0.70 (head 1), peaks at ~0.75 (head 3), then declines to ~0.72 (head 5). - Confidence interval narrows at head 3. 3. **Vanilla-Malicious Instruct (Purple)**: - Flat line at ~0.05 across all heads. --- ### Key Observations 1. **Jailbreakbench Dominates**: - Both models show Jailbreakbench achieving the highest ASR, with Llama-2-7b-chat consistently outperforming Vicuna-7b-v1.5. 2. **Malicious Instruct vs. Vanilla-Malicious Instruct**: - Malicious Instruct outperforms Vanilla-Malicious Instruct in both models, but the gap is smaller in Llama-2-7b-chat. 3. **Ablation Impact**: - ASR peaks at head 3 for both models, suggesting critical vulnerability in this head. 4. **Vanilla-Malicious Instruct Underperformance**: - Particularly weak in Llama-2-7b-chat (ASR ~0.05), indicating potential flaws in its design. --- ### Interpretation - **Model Vulnerability**: Llama-2-7b-chat exhibits higher ASR across all attack methods, suggesting it is more susceptible to jailbreaking than Vicuna-7b-v1.5. - **Head-Specific Weakness**: The peak at head 3 implies this attention head is critical for resisting attacks. Ablating it significantly reduces model robustness. - **Attack Method Efficacy**: - Jailbreakbench is the most effective attack, leveraging structural vulnerabilities. - Malicious Instruct’s performance gap over Vanilla