CyLab Research Talk - Matan Ben-Tov
June 29, 2026 12:00PM—1:00PM
Location:
In Person
-
Mehrabian Collaborative Innovation Center, Conference Room 1301
Speaker:
MATAN BEN-TOV,
Ph.D. StudentSchool of Computer ScienceTel Aviv University
https://matanbt.github.io/
Attacks on machine learning (ML) are a powerful tool for evaluating ML model robustness, and for revealing new vulnerabilities, but also—as I show in my research—for understanding inherent weaknesses in these models. In this talk I will demonstrate the benefits of thorough vulnerability studies of LLMs and text-embedding models and introduce a framework for rapidly implementing new attacks against any NLP model.
First, I will explore the susceptibility of embedding-based text retrievers to Search Engine Optimization (SEO) attacks. I will introduce a powerful attack (GASLITE) that successfully promotes adversarial content across retrieval queries. Then, I’ll show how we use this attack as a framework for understanding model susceptibility, and identifying geometry factors connected to this susceptibility. Finally, I will show how we utilize these insights to form a defense making embedding models more robust to these attacks.
Second, I will focus on GCG (Zou et al. ‘23)—a popular suffix-based LLM jailbreak—and present a mechanistic analysis of its inner-workings. This analysis shows the attack’s core effect is concentrated in the final chat template tokens, whose representations are aggressively manipulated during the generation process—a phenomenon we term hijacking. I will then tie hijacking to jailbreaks’ generalizability, demonstrating that more universal suffixes are stronger hijackers, and that suppressing hijacking mitigates attacks.
Third, discrete text-trigger optimizers (e.g., GCG, GASLITE) have become invaluable for NLP security research and interpretability alike. Yet their engineering overhead raises the bar for adopting them in new domains or against new defenses, benchmarking, and advancing their frontier. I will introduce TROPT, an open-source framework for executing and developing discrete optimizers, already shipping 40+ optimization schemes serving various use cases. Crucially, its modularity lets users run any optimizer while seamlessly swapping its objective (e.g., auditing LLMs for new behaviors) or its target model (e.g., manipulating an embedding model). I will show how we used TROPT for extensive comparisons across optimizers and jailbreaks, and to introduce novel attacks.
—
Matan Ben-Tov is a PhD student at Tel Aviv University, supervised by Dr. Mahmood Sharif. He studies vulnerabilities and flaws in text representation and text generation ML models, as well as interpretability approaches to deepen understanding of models’ weaknesses and improve their security.
For More Information:
bfrost@andrew.cmu.edu