This chapter moves into more sophisticated methods attackers might use to evade detection or extract information from Large Language Models. We will look at techniques that often require a greater understanding of the model's workings or more intricate manipulation of inputs and system interactions.

You will learn about gradient-based attacks, which can be particularly effective if an attacker has some knowledge of the model architecture, often represented by its parameters $\theta$ in a function like $M(x; \theta)$. We will also cover transfer attacks using substitute models, membership inference for identifying training data, and model stealing techniques. Furthermore, this chapter addresses methods for bypassing input filters and output sanitizers, chaining multiple attack techniques for increased impact, and strategies employed in low-resource or black-box scenarios.

Understanding these advanced offensive tactics is key to developing more resilient defenses and anticipating a wider range of potential threats to LLM systems. The chapter includes a practical exercise simulating an information exfiltration scenario to help apply these concepts.