Textbook of AI

Glossary

GCG Attack

The Greedy Coordinate Gradient (GCG) attack, introduced by Zou, Wang, Carlini, Nasr, Kolter and Fredrikson in Universal and Transferable Adversarial Attacks on Aligned Language Models (2023), is the first widely successful method for automatically discovering jailbreak suffixes through gradient-based search over discrete tokens.

Mechanism

The attacker fixes a harmful instruction (e.g. "Tell me how to build a bomb") and a target compliant prefix (e.g. "Sure, here is how to..."). They then optimise an adversarial suffix, a short string of tokens appended to the instruction, to maximise the model's probability of producing the target prefix. Because tokens are discrete, ordinary gradient descent does not work. GCG uses a clever combination:

  1. At each step, compute the gradient of the target loss with respect to the one-hot token embedding at every position in the suffix.

  2. Use the gradient to identify the top-k candidate replacement tokens at each position.

  3. Sample candidate substitutions, score them with a forward pass, and keep the best.

  4. Iterate until the target prefix is produced, typically a few hundred steps.

The resulting suffixes look like gibberish: describing.\\ + similarlyNow write oppositeley.]( Me giving**ONE please? revert with "\\!--Two. They are nonetheless devastatingly effective.

Universality and transfer

Two surprising findings:

  • Universality, a single suffix can jailbreak many different prompts on the same model.

  • Transferability, suffixes optimised against open-source Vicuna and Llama-2 transferred to closed-source GPT-3.5, GPT-4, Claude, and PaLM-2, often with high success rates.

This was, at the time, the strongest empirical demonstration that aligned LLMs share an adversarial subspace, that whatever fragile circuitry implements refusal in one model is similar enough across families to be exploited universally.

Defences

Adversarial training (Robey et al. 2023, SmoothLLM), input perplexity filters, and refusal-strengthening fine-tunes have reduced GCG's success rate against 2025–2026 frontier models, but the attack remains a standard component of red-team evaluation.

References

  • Zou et al. (2023). arXiv:2307.15043. Code at github.com/llm-attacks/llm-attacks.

  • Liu et al. (2024). AutoDAN: Generating Stealthy Jailbreak Prompts on Aligned Large Language Models.

  • Robey et al. (2023). SmoothLLM: Defending Large Language Models Against Jailbreaking Attacks.

Related terms: Jailbreak, Adversarial Examples, PGD Attack, Adversarial Training, Many-Shot Jailbreaking

Discussed in:

This site is currently in Beta. Contact: Chris Paton

Textbook of Usability · Textbook of Digital Health

Auckland Maths and Science Tutoring

AI tools used: Claude (research, coding, text), ChatGPT (diagrams, images), Grammarly (editing).