ProjectTextAttack: A Study on Robustness Evaluation of Large Language Models Against Jailbreak Attacks

This study is based on the TextAttack framework and evaluates the security of three mainstream open-source large language models—LLaMA3.3, GPT-OSS, and Qwen3—using 11 jailbreak attack techniques. The core question is whether the current model safety alignment mechanisms can resist structured jailbreak attacks. The study found that GPT-OSS exhibits excellent resistance (attack success rate of only 5%), while LLaMA3.3 has the most severe vulnerabilities (attack success rate of 70%), revealing differences in the vulnerability of safety alignment mechanisms among mainstream models.

As the capabilities of large language models improve, ensuring they are not maliciously used to generate harmful content has become a core issue in AI safety. Developers invest significant resources in safety alignment training, but attackers continue to develop "jailbreak" techniques to bypass safety guardrails. This project was completed by an ECE Bachelor student team (including Philippe PENG) under the guidance of mentors Yann FORNIER and Simon VANDAMME, aiming to systematically evaluate the robustness of mainstream LLMs against jailbreak attacks.

The study is based on the TextAttack framework (extending its jailbreak testing capabilities for generative LLMs) and manually constructs a dataset containing 141 prompts, covering 11 jailbreak attack techniques: DAN style, academic framework, developer mode, code obfuscation, fictional narrative, historical role-playing, hypothetical distance, instruction manipulation, language switching, film/game scenarios, and social engineering. Each prompt includes metadata such as id, technique, and quest, stored in CSV format.

The test models include three mainstream open-source LLMs:

Model	Type	Version	API Platform	Temperature	Top-p
LLaMA3.3	Open-source	llama-3.3-70b-versatile	Groq	0.7	0.9
GPT-OSS	Open-source	openai/gpt-oss-120b	Groq	0.7	0.9
Qwen3	Open-source	qwen/qwen3-32b	Groq	0.7	0.9
All model parameters are consistent, and environmental consistency is ensured through the promptfoo evaluation framework and Docker containerized deployment.

Evaluation metrics include Attack Success Rate (ASR), Personality Adoption Rate, and Hallucination Rate. The results are as follows:

Model	ASR (%)	Personality Adoption Rate (%)	Hallucination Rate (%)
llama-3.3-70b	70.0	20.0	3.6
qwen3-32b	58.6	15.7	2.9
gpt-oss-120b	5.0	0.7	0.7
Key findings: GPT-OSS has the strongest resistance, LLaMA3.3 has the most severe vulnerabilities, and Qwen3 performs moderately.

1. Safety alignment requires continuous iteration: Even after alignment training, LLMs are still vulnerable to structured attacks; 2. Safety responsibility for open-source models: The high ASR of LLaMA and Qwen raises concerns about the risk of misuse of open-source models; 3. Standardization of evaluation: This project demonstrates the importance of systematic evaluation (standardized attack classification, unified processes, multi-dimensional metrics), which can provide data support for model selection and safety improvements.