Play Guessing Game with LLM: Indirect Jailbreak Attack with Implicit Clues (2024.findings-acl)
Copied to clipboard
| Challenge: | Existing jailbreak attacks primarily utilize scenario camouflage techniques, however their explicit mention of malicious intent will be easily recognized and defended by LLMs. |
| Approach: | They propose an indirect jailbreak attack approach, Puzzler, which can bypass LLM’s defensive strategies and obtain malicious response by implicitly providing LLMs with some clues about the original malicious query. |
| Outcome: | The proposed approach can bypass the LLM’s defensive strategies and obtain malicious response by implicitly providing LLMs with some clues about the original malicious query. |
Similar Papers
JailbreakRadar: Comprehensive Assessment of Jailbreak Attacks Against LLMs (2025.acl-long)
Copied to clipboard
| Challenge: | Large language models (LLMs) have been used to mitigate misuse and to align with human values. |
| Approach: | They propose to use large-scale evaluations of various jailbreak attacks to identify key patterns and test them under eight advanced defenses. |
| Outcome: | The proposed attacks achieve high success rates but are easy to mitigate by defenses. |
Exploring Jailbreak Attacks on LLMs through Intent Concealment and Diversion (2025.findings-acl)
Copied to clipboard
| Challenge: | Existing jailbreak methods face an excessive number of iterative queries and poor generalization across models. |
| Approach: | They propose a jailbreak method that employs **I**ntent **C**oncealment and div**E**rsion to circumvent security constraints. |
| Outcome: | The proposed method outperforms existing jailbreak techniques in question-answering and text-generation tasks. |
DeTAM: Defending LLMs Against Jailbreak Attacks via Targeted Attention Modification (2025.findings-acl)
Copied to clipboard
| Challenge: | Existing defense methods rely on fine-tuning or input modification, which suffer from limited generalization and reduced utility. |
| Approach: | They propose a finetuning-free approach that improves the defensive capabilities against jailbreak attacks of LLMs via targeted attention modification. |
| Outcome: | The proposed approach outperforms baselines in jailbreak defense and exhibits robust generalization across attacks and models, maintaining its effectiveness even on in-the-wild jailbreak data. |
Intention Analysis Makes LLMs A Good Jailbreak Defender (2025.coling-main)
Copied to clipboard
| Challenge: | Existing methods to align large language models with human values overlook the intrinsic nature of jailbreaks, which limits their effectiveness in complex scenarios. |
| Approach: | They propose a simple yet highly effective defense strategy, i.e., Intention Analysis (IA). They show that IA suppresses LLM’s tendency to follow jailbreak prompts, thereby enhancing safety. |
| Outcome: | The proposed strategy reduces harmfulness of LLMs and outperforms GPT-3.5 in attack success rate. |
CAVGAN: Unifying Jailbreak and Defense of LLMs via Generative Adversarial Attacks on their Internal Representations (2025.findings-acl)
Copied to clipboard
| Challenge: | Existing studies have isolated LLM jailbreak attacks and defenses . a new framework combines attack and defense to protect against malicious queries . |
| Approach: | They propose a framework that combines attack and defense to protect the Large Language Model (LLM) by embedding harmful problems into the safe area. |
| Outcome: | The proposed framework achieves an average jailbreak success rate of 88.85% across three popular LLMs while the defense success rate reaches an average of 84.17%. |
Tricking LLMs into Disobedience: Formalizing, Analyzing, and Detecting Jailbreaks (2024.lrec-main)
Copied to clipboard
| Challenge: | Existing methods to jailbreak large language models have been poorly studied . a recent study showed that non-expert users can jailbreak LLMs by manipulating their prompts . |
| Approach: | They propose a formalism and a taxonomy of known (and possible) jailbreaks . they propose generating a dataset of model outputs across 3700 jailbreak prompts a 'prompt' attack is a new attack popularly categorized as "prompting injection attacks" |
| Outcome: | The proposed model exploits 3700 jailbreak prompts over 4 tasks to analyze their effectiveness . authors show that the model can learn to perform a new task on unseen examples . |
From Attack Surfaces to Actual Operations: A Survey of Modern LLM Jailbreaks (2026.findings-acl)
Copied to clipboard
| Challenge: | Existing taxonomies focus on manipulation methods rather than underlying mechanisms, limiting our understanding of attack effectiveness and defensive strategies. |
| Approach: | They propose a two-fold taxonomy to categorize attacks across three tiers based on exploited vulnerabilities and approaches and an operational taxonomies to evaluate attacks across four dimensions. |
| Outcome: | The proposed taxonomy categorizes attacks across three tiers based on exploited vulnerabilities and approaches and evaluates attacks on four dimensions to assess real-world feasibility and sustainability. |
Defending Large Language Models Against Jailbreaking Attacks Through Goal Prioritization (2024.acl-long)
Copied to clipboard
| Challenge: | Despite the success of jailbreaking attacks, there is a lack of effort in defending against them. |
| Approach: | They propose to integrate goal prioritization at both training and inference stages to counteract this conflict between the goals of being helpful and ensuring safety. |
| Outcome: | The proposed approach reduces the Attack Success Rate (ASR) of jailbreaking from 66.4% to 3.6% for ChatGPT and reduces it from 71.0% to 6.6% for Llama2-13B. |
WordGame: Efficient & Effective LLM Jailbreak via Simultaneous Obfuscation in Query and Response (2025.findings-naacl)
Copied to clipboard
| Challenge: | Recent advances in large language models have raised concerns about their susceptibility to jailbreaking attacks, which leads to harmful content inadvertently. |
| Approach: | They propose to exploit the safety alignment patterns of LLMs by simultaneous obfuscation in queries and responses to break down adversarial intent of query. |
| Outcome: | The proposed attack breaks down adversarial intent of query and encourages benign content regarding the games to precede anticipated harmful content in the response. |
Defending LLMs against Jailbreaking Attacks via Backtranslation (2024.findings-acl)
Copied to clipboard
| Challenge: | Recent advancement in large language models (LLMs) has shown their extensive applications and transformative potential to reshape people's lives. |
| Approach: | They propose a method which uses backtranslation to infer an input prompt from an input input prompt and then run it again on the backtranslated prompt. |
| Outcome: | The proposed method outperforms baselines and has little impact on the generation quality for benign input prompts. |