Zing Forum


FlashRT: An Efficient Red Team Testing Framework Accelerating Security Evaluation of Long-Context LLMs

FlashRT is the first optimized red team testing framework targeting long-context large language models. Through dual optimization of computation and memory efficiency, it achieves a 2-7x speedup and 2-4x memory savings, enabling academic researchers to systematically evaluate the security of long-context LLMs.

Tags: red team testing, prompt injection, long-context LLMs, AI security, computational efficiency, memory optimization

Published 2026/05/01 01:43 | Last activity 2026/05/01 11:24 | Estimated reading time 4 minutes

Section 01

FlashRT: An Efficient Red Team Testing Framework for Long-Context LLM Security

FlashRT is the first optimized red team testing framework tailored for long-context large language models (LLMs). It achieves 2-7x speedup and 2-4x memory saving through dual optimizations in computation and memory efficiency, enabling academic researchers to systematically evaluate the security of long-context LLMs.

Section 02

Security Challenges of Long-Context LLMs & Limitations of Existing Methods

Long-context LLMs (e.g., Gemini-3.1-Pro, Qwen-3.5) face growing security threats like prompt injection (hidden malicious instructions) and knowledge corruption (polluting model knowledge). While optimized red team methods offer stricter evaluations, they are resource-intensive, creating an 'evaluation gap' for academics lacking access to large computing clusters.

Section 03

Core Innovations of FlashRT: Efficiency & Versatility

Computation Optimization

FlashRT delivers 2-7x speedup via attention-aware key position targeting, efficient gradient calculation, and smart search pruning.

Memory Optimization

It cuts memory usage by 2-4x using improved gradient checkpointing, activation recomputation, and chunked context processing (e.g., 32K token context: 65.7GB vs baseline's 264.1GB).

Versatility

Compatible with mainstream attack methods (TAP, AutoDAN) and features a modular architecture for easy extension.

Section 04

Experimental Validation: Efficiency Gains Without Compromising Effectiveness

FlashRT outperforms the baseline method nanoGCG in all test configurations:

  • Speed: 2-7x faster (1-hour tasks done in <10 mins).
  • Memory: 50-75% reduction, enabling use on a single consumer GPU.
  • Attack Effectiveness: Equivalent or better success rate, stealthiness, and transferability compared to baselines.

Section 05

Significance to AI Security Research

FlashRT democratizes long-context LLM security evaluation for academics, accelerates defense strategy iteration (faster attack testing), and contributes to the open-source ecosystem (GitHub code available for community collaboration).

Section 06

Limitations & Future Directions

Limitations

  • Primarily optimized for white-box attacks (less effective for black-box/API scenarios).
  • Focuses on prompt injection and knowledge corruption (other threats like jailbreaking need validation).
  • Super large contexts (100K+ tokens) still require further optimization.

Future Plans

  • Explore black-box scenario optimizations.
  • Extend support for more attack types.
  • Enhance efficiency for ultra-long contexts.