Challenge: Existing jailbreak attacks primarily utilize scenario camouflage techniques, however their explicit mention of malicious intent will be easily recognized and defended by LLMs.
Approach: They propose an indirect jailbreak attack approach, Puzzler, which can bypass LLM’s defensive strategies and obtain malicious response by implicitly providing LLMs with some clues about the original malicious query.
Outcome: The proposed approach can bypass the LLM’s defensive strategies and obtain malicious response by implicitly providing LLMs with some clues about the original malicious query.

Similar Papers

JailbreakRadar: Comprehensive Assessment of Jailbreak Attacks Against LLMs (2025.acl-long)

Copied to clipboard

Challenge: Large language models (LLMs) have been used to mitigate misuse and to align with human values.
Approach: They propose to use large-scale evaluations of various jailbreak attacks to identify key patterns and test them under eight advanced defenses.
Outcome: The proposed attacks achieve high success rates but are easy to mitigate by defenses.
Exploring Jailbreak Attacks on LLMs through Intent Concealment and Diversion (2025.findings-acl)

Copied to clipboard

Challenge: Existing jailbreak methods face an excessive number of iterative queries and poor generalization across models.
Approach: They propose a jailbreak method that employs **I**ntent **C**oncealment and div**E**rsion to circumvent security constraints.
Outcome: The proposed method outperforms existing jailbreak techniques in question-answering and text-generation tasks.
DeTAM: Defending LLMs Against Jailbreak Attacks via Targeted Attention Modification (2025.findings-acl)

Copied to clipboard

Challenge: Existing defense methods rely on fine-tuning or input modification, which suffer from limited generalization and reduced utility.
Approach: They propose a finetuning-free approach that improves the defensive capabilities against jailbreak attacks of LLMs via targeted attention modification.
Outcome: The proposed approach outperforms baselines in jailbreak defense and exhibits robust generalization across attacks and models, maintaining its effectiveness even on in-the-wild jailbreak data.
Intention Analysis Makes LLMs A Good Jailbreak Defender (2025.coling-main)

Copied to clipboard

Challenge: Existing methods to align large language models with human values overlook the intrinsic nature of jailbreaks, which limits their effectiveness in complex scenarios.
Approach: They propose a simple yet highly effective defense strategy, i.e., Intention Analysis (IA). They show that IA suppresses LLM’s tendency to follow jailbreak prompts, thereby enhancing safety.
Outcome: The proposed strategy reduces harmfulness of LLMs and outperforms GPT-3.5 in attack success rate.
CAVGAN: Unifying Jailbreak and Defense of LLMs via Generative Adversarial Attacks on their Internal Representations (2025.findings-acl)

Copied to clipboard

Challenge: Existing studies have isolated LLM jailbreak attacks and defenses . a new framework combines attack and defense to protect against malicious queries .
Approach: They propose a framework that combines attack and defense to protect the Large Language Model (LLM) by embedding harmful problems into the safe area.
Outcome: The proposed framework achieves an average jailbreak success rate of 88.85% across three popular LLMs while the defense success rate reaches an average of 84.17%.
Tricking LLMs into Disobedience: Formalizing, Analyzing, and Detecting Jailbreaks (2024.lrec-main)

Copied to clipboard

Challenge: Existing methods to jailbreak large language models have been poorly studied . a recent study showed that non-expert users can jailbreak LLMs by manipulating their prompts .
Approach: They propose a formalism and a taxonomy of known (and possible) jailbreaks . they propose generating a dataset of model outputs across 3700 jailbreak prompts a 'prompt' attack is a new attack popularly categorized as "prompting injection attacks"
Outcome: The proposed model exploits 3700 jailbreak prompts over 4 tasks to analyze their effectiveness . authors show that the model can learn to perform a new task on unseen examples .
From Attack Surfaces to Actual Operations: A Survey of Modern LLM Jailbreaks (2026.findings-acl)

Copied to clipboard

Challenge: Existing taxonomies focus on manipulation methods rather than underlying mechanisms, limiting our understanding of attack effectiveness and defensive strategies.
Approach: They propose a two-fold taxonomy to categorize attacks across three tiers based on exploited vulnerabilities and approaches and an operational taxonomies to evaluate attacks across four dimensions.
Outcome: The proposed taxonomy categorizes attacks across three tiers based on exploited vulnerabilities and approaches and evaluates attacks on four dimensions to assess real-world feasibility and sustainability.
Defending Large Language Models Against Jailbreaking Attacks Through Goal Prioritization (2024.acl-long)

Copied to clipboard

Challenge: Despite the success of jailbreaking attacks, there is a lack of effort in defending against them.
Approach: They propose to integrate goal prioritization at both training and inference stages to counteract this conflict between the goals of being helpful and ensuring safety.
Outcome: The proposed approach reduces the Attack Success Rate (ASR) of jailbreaking from 66.4% to 3.6% for ChatGPT and reduces it from 71.0% to 6.6% for Llama2-13B.
WordGame: Efficient & Effective LLM Jailbreak via Simultaneous Obfuscation in Query and Response (2025.findings-naacl)

Copied to clipboard

Challenge: Recent advances in large language models have raised concerns about their susceptibility to jailbreaking attacks, which leads to harmful content inadvertently.
Approach: They propose to exploit the safety alignment patterns of LLMs by simultaneous obfuscation in queries and responses to break down adversarial intent of query.
Outcome: The proposed attack breaks down adversarial intent of query and encourages benign content regarding the games to precede anticipated harmful content in the response.
Defending LLMs against Jailbreaking Attacks via Backtranslation (2024.findings-acl)

Copied to clipboard

Challenge: Recent advancement in large language models (LLMs) has shown their extensive applications and transformative potential to reshape people's lives.
Approach: They propose a method which uses backtranslation to infer an input prompt from an input input prompt and then run it again on the backtranslated prompt.
Outcome: The proposed method outperforms baselines and has little impact on the generation quality for benign input prompts.

What is GenGO?

GenGO is an NLP powered publication search system. It currenctly indexes 30k+ papers from ACL Anthology, and implements multi-aspect summarization, semantic search, and more!

Information

About
Limitations