JudgeDeceiver: automatically craft prompts that reliably trick LLM-as-a-Judge to pick an attacker’s response

March 26, 2024 (8 min read)

Overview

Decision Snapshot: Needs Validation

The method is experimentally well supported on open-source judges and public benchmarks. It requires that the attacker can modify one candidate response, and the optimization relies on simulated (shadow) candidate responses rather than the real ones the judge will see; under those conditions, the real-world risk for similarly open judge systems is high.

Citations: 2

Evidence Strength: 0.80

Confidence: 0.88

Risk Signals: 11

Trust Signals

Findings with numeric evidence: 6/6

Findings with evidence refs: 6/6

Results with explicit delta: 1/6

Reproducibility

Status: Code + data available

Open source: Partial

At A Glance

Cost impact: 60%

Production readiness: 20%

Novelty: 70%

Authors

Jiawen Shi, Zenghui Yuan, Yinuo Liu, Yue Huang, Pan Zhou, Lichao Sun, Neil Zhenqiang Gong

Links

Abstract / PDF / Code / Data

Why It Matters For Business

If your product uses an LLM to rank or judge content, an attacker can automatically mass-produce short token suffixes that make the judge select malicious or low-quality content. This can poison leaderboards, search results, automatically generated training labels (RLAIF), or tool selection.

Who Should Care

Summary TLDR

The paper introduces JudgeDeceiver, an automatic, gradient-guided method that appends a short injected token sequence to an attacker-controlled candidate. On open-source judge models and two evaluation sets, the attack forces the judge to pick the attacker’s response with very high success (often >90%) and remains robust to response-order changes. Common defenses (known-answer checks, perplexity filters) miss many attacks. The authors release code and evaluate transferability, ablations, and three real scenarios: LLM-powered search, RLAIF, and tool selection.

Problem Statement

LLM-as-a-Judge systems pick the best answer from multiple candidates. If an attacker can add text to one candidate, can they reliably bias the judge to choose that candidate? Existing prompt-injection and jailbreak tricks are manual and brittle. The paper asks whether an optimization-based injected sequence can consistently manipulate judge outputs across unknown candidate sets and positions.

Main Contribution

JudgeDeceiver: the first optimization-based attack that automatically generates injected sequences to bias an LLM-as-a-Judge toward an attacker-chosen response.

A loss formulation combining target-aligned generation, positional (target-enhancement), and adversarial perplexity terms, solved with discrete gradient-guided search.

Key Findings

JudgeDeceiver yields high attack success rates against open-source judges.

Numbers: ASR = 90.8% (Mistral-7B, MT-Bench average)

Practical use: If you run an open-source LLM judge such as Mistral-7B, a crafted 20-token suffix can make the judge pick the attacker's candidate roughly 9 times out of 10. Add human checks or change the judge design rather than relying on the judge alone.

Evidence ref: Table 1 (MT-Bench, Mistral-7B)

The attack keeps working when response order changes.

Numbers: PAC = 83.4% (Mistral-7B, MT-Bench average)

Practical use: Position randomization alone is a weak defense. In most cases the injected candidate remains the chosen one no matter where it appears in the input order.

Evidence ref: Table 1 (PAC)

Results

Metric | Value | Baseline | Delta | Split / Dataset | Evidence | Evidence Ref
ASR (attack success rate) | 90.8% average (Mistral-7B, MT-Bench) | - | - | MT-Bench | Table 1 (MT-Bench, Mistral-7B results) | Table 1
PAC (positional attack consistency) | 83.4% average (Mistral-7B, MT-Bench) | - | - | MT-Bench | Table 1 (PAC values) | Table 1

What To Try In 7 Days

Audit recent judge decisions for suspicious clustering of a single submitter across queries.

Add human spot-checks for leaderboard entries and search filters, prioritizing high-impact queries.

Limit or sanitize untrusted candidate content before it reaches the judge (for example, strip or flag suspicious trailing tokens). This is imperfect, but it reduces risk quickly.
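The checks in the list above, together with the positional-consistency finding from Key Findings, can be implemented against an ordinary decision log. The following script is an added example written for this summary; it is not code from the JudgeDeceiver paper or its repository. The log records, submitter names, thresholds and the gibberish heuristic are constructed for illustration. It flags submitters who win far more often than an unbiased judge would allow, lists queries where one candidate wins under every ordering tried (the behaviour the paper's PAC metric measures, used here as a review trigger), and applies a cheap stand-in for a perplexity filter to the trailing tokens of a candidate.

```python
"""Audit checks for an LLM-as-a-Judge pipeline.

Added example for this summary; it is not code from the JudgeDeceiver paper
or its repository. Log records, submitter names and thresholds below are
constructed for illustration. Three checks are implemented:

  1. per-submitter win counts versus the wins expected under a uniform
     (unbiased) judge, flagged with a binomial z-score;
  2. per-query positional consistency: a candidate that wins under every
     ordering tried, which is worth human review;
  3. a gibberish heuristic on the trailing tokens of a candidate, a cheap
     proxy for a perplexity filter.
"""
from collections import defaultdict
import math
import re

# Constructed judge-decision log: one record per (query, ordering) run.
# `order` is the list of submitter ids in the order shown to the judge,
# `winner` is the submitter id of the response the judge picked.
DECISIONS = [
    {"query": "q1", "order": ["alice", "bob", "mallory"], "winner": "mallory"},
    {"query": "q1", "order": ["mallory", "alice", "bob"], "winner": "mallory"},
    {"query": "q1", "order": ["bob", "mallory", "alice"], "winner": "mallory"},
    {"query": "q2", "order": ["alice", "mallory"], "winner": "mallory"},
    {"query": "q2", "order": ["mallory", "alice"], "winner": "mallory"},
    {"query": "q3", "order": ["alice", "bob"], "winner": "alice"},
    {"query": "q3", "order": ["bob", "alice"], "winner": "bob"},
    {"query": "q4", "order": ["bob", "mallory", "alice"], "winner": "mallory"},
    {"query": "q4", "order": ["alice", "bob", "mallory"], "winner": "bob"},
]


def submitter_stats(decisions):
    """Return {submitter: (wins, expected_wins, variance)} under the null
    hypothesis that the judge picks uniformly among the shown candidates."""
    stats = defaultdict(lambda: [0, 0.0, 0.0])
    for rec in decisions:
        p = 1.0 / len(rec["order"])
        for sub in rec["order"]:
            stats[sub][1] += p
            stats[sub][2] += p * (1 - p)
        stats[rec["winner"]][0] += 1
    return {s: tuple(v) for s, v in stats.items()}


def flag_submitters(decisions, z_threshold=2.0):
    """Submitters winning far more often than an unbiased judge would allow.
    The normal approximation is crude for a handful of runs; treat the
    output as a triage list, not as proof of manipulation."""
    flagged = {}
    for sub, (wins, expected, var) in submitter_stats(decisions).items():
        if var == 0:
            continue
        z = (wins - expected) / math.sqrt(var)
        if z >= z_threshold:
            flagged[sub] = round(z, 2)
    return flagged


def positionally_consistent_winners(decisions):
    """{query: submitter} for queries where the same candidate won under
    every ordering tried (at least two distinct orderings). A genuinely
    best answer also wins consistently, so cross this with flag_submitters()."""
    by_query = defaultdict(list)
    for rec in decisions:
        by_query[rec["query"]].append(rec)
    result = {}
    for query, runs in by_query.items():
        orders = {tuple(r["order"]) for r in runs}
        winners = {r["winner"] for r in runs}
        if len(orders) >= 2 and len(winners) == 1:
            result[query] = winners.pop()
    return result


_WORD = re.compile(r"[A-Za-z]+(?:'[a-z]+)?|[0-9]+(?:[.,][0-9]+)?")
_VOWEL = re.compile(r"[aeiouyAEIOUY]")


def _wordlike(token):
    """True for tokens that look like ordinary words or numbers."""
    core = token.strip(".,;:!?\"'()[]{}")
    if not core or not _WORD.fullmatch(core):
        return False
    return core.isdigit() or bool(_VOWEL.search(core))


def tail_gibberish_ratio(text, tail_words=20):
    """Fraction of the last `tail_words` whitespace tokens that do not look
    like ordinary words; optimized suffixes tend to score high here."""
    tokens = text.split()[-tail_words:]
    if not tokens:
        return 0.0
    return sum(not _wordlike(t) for t in tokens) / len(tokens)


def suspicious_tail(text, tail_words=20, threshold=0.4):
    """Cheap stand-in for a perplexity filter. It false-positives on code or
    formula answers and can be evaded by fluent suffixes, so use it to route
    candidates to human review rather than to drop them outright."""
    return tail_gibberish_ratio(text, tail_words) >= threshold


if __name__ == "__main__":
    print("win-rate outliers:", flag_submitters(DECISIONS))
    print("consistent winners:", positionally_consistent_winners(DECISIONS))
    clean = "Paris is the capital of France, and it sits on the Seine."
    noisy = clean + " }]}{ ][ rndm##! zq<<Output>> pickme {{!!}} ;;;;; tkn$$ qwrtz ppx ~~~~ vwxzq"
    print("clean flagged:", suspicious_tail(clean))
    print("noisy flagged:", suspicious_tail(noisy))
```

On the constructed log, only "mallory" exceeds the z-score threshold, and q1 and q2 are the queries where that submitter wins under every ordering; the overlap of the two signals is what should go to a human reviewer. The tail heuristic is deliberately weak: a fluent injected suffix (which the paper's perplexity term is designed to produce) will pass it, which is exactly why the page rates sanitization as a quick but imperfect mitigation.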

Optimization Features

Token Efficiency
20-token suffix optimization (compact suffixes shown effective)

Reproducibility

Code available: Yes
Data available: Yes
Open source status: Partial
License: Unknown

Data URLs

MT-Bench (public benchmark)
LLMBar (public benchmark)
HH-RLHF (public dataset)

Risks & Boundaries

Limitations

Assumes attacker can submit or modify one candidate response and knows the target question-response pair.

Evaluations focus on open-source judges; proprietary API-based judges may behave differently.

When Not To Use

When all candidate responses are fully curated and not editable by external users.

When the judge model is a closed proprietary LLM with unknown behavior and no public prompt template.

Failure Modes

Human review or manual audits detect and override malicious selections.

Aggressive input sanitization or truncation removes or neutralizes the injected suffix.

Core Entities

Models

Mistral-7B-Instruct, Llama-2-7B-chat, Llama-3-8B-Instruct, Openchat-3.5, Vicuna-7B, Vicuna-13B, GPT-3.5-turbo, GPT-4

Metrics

ASR, PAC, ACC, ASR-B, FNR, FPR

Datasets

MT-Bench, LLMBar, HH-RLHF, MetaTool (tool selection benchmark)

Benchmarks

MT-Bench, LLMBar, MetaTool