Challenge: Existing defenses, including post-training alignment and prompt engineering, struggle with adaptability to out-of-distribution (OOD) attacks.
Approach: They propose an adversarial game-based defense method that dynamically adjusts LLMs’ internal representations to achieve a balanced trade-off between helpfulness and harmlessness.
Outcome: The proposed method improves LLMs’ safety over all baselines.

Similar Papers

Defending Jailbreak Prompts via In-Context Adversarial Game (2024.emnlp-main)

Copied to clipboard

Challenge: Large Language Models (LLMs) demonstrate remarkable capabilities across diverse applications, but concerns regarding their security persist.
Approach: They propose an adversarial game that leverages agent learning to extend knowledge to defend against jailbreaks.
Outcome: The proposed game shows that LLMs safeguarded by ICAG exhibit significantly reduced jailbreak success rates across various attack scenarios.
Iterative Self-Tuning LLMs for Enhanced Jailbreaking Capabilities (2025.naacl-long)

Copied to clipboard

Challenge: Recent research shows that Large Language Models (LLMs) are vulnerable to automated jailbreak attacks.
Approach: They propose a framework that crafts adversarial LLMs with enhanced jailbreak ability.
Outcome: ADV-LLM significantly reduces the computational cost of generating adversarial suffixes while achieving nearly 100% ASR on various open-source LLMs.
CAVGAN: Unifying Jailbreak and Defense of LLMs via Generative Adversarial Attacks on their Internal Representations (2025.findings-acl)

Copied to clipboard

Challenge: Existing studies have isolated LLM jailbreak attacks and defenses . a new framework combines attack and defense to protect against malicious queries .
Approach: They propose a framework that combines attack and defense to protect the Large Language Model (LLM) by embedding harmful problems into the safe area.
Outcome: The proposed framework achieves an average jailbreak success rate of 88.85% across three popular LLMs while the defense success rate reaches an average of 84.17%.
Beyond Surface-Level Patterns: An Essence-Driven Defense Framework Against Jailbreak Attacks in LLMs (2025.findings-acl)

Copied to clipboard

Challenge: Existing methods focus on surface-level patterns, overlooking the deeper attack essences.
Approach: They propose an Essence-Driven Defense Framework Against Jailbreak Attacks in Aligned Large Language Models that extracts the "attack essence" from a diverse set of known attack instances and stores it in an offline vector database.
Outcome: The proposed framework outperforms existing methods by reducing the Attack Success Rate by at least 20%, underscoring its superior robustness against jailbreak attacks.
RePD: Defending Jailbreak Attack through a Retrieval-based Prompt Decomposition Process (2025.findings-naacl)

Copied to clipboard

Challenge: Large Language Models (LLMs) are still susceptible to jailbreak exploits despite rigorous pre-training and fine-tuning focused on ethical alignment .
Approach: They propose a Retrieval-based attack Retriest-based Prompt Decomposition framework that decomposes harmful queries embedded within user prompts into a one-shot learning example to effectively teach the LLM to discern and separate malicious components.
Outcome: The proposed framework is capable of decomposing harmful queries from the original query and enhancing the resilience of large language models against jailbreak attacks without compromising their performance.
Defending Large Language Models Against Jailbreak Attacks via Layer-specific Editing (2024.findings-emnlp)

Copied to clipboard

Challenge: Existing defense methods focus on detecting harmful prompts or reducing the likelihood of harmful responses.
Approach: They propose a layer-specific editing method to align LLMs to harmful prompts by supervised fine-tuning and reinforcement learning.
Outcome: The proposed method improves the performance of large language models against jailbreak attacks while maintaining performance on benign prompts.
Activation-Guided Local Editing for Jailbreaking Attacks (2026.acl-long)

Copied to clipboard

Challenge: Existing methods for jailbreaking Large Language Models (LLMs) are limited and produce incoherent or unreadable inputs.
Approach: They propose a two-stage framework that performs a one-shot, scenario-based generation of context and rephrases the original malicious query to obscure its harmful intent.
Outcome: The proposed framework achieves state-of-the-art Attack Success Rate, with gains of up to 37.74% over the strongest baseline, and excellent transferability to black-box and large-scale models.
A Wolf in Sheep’s Clothing: Generalized Nested Jailbreak Prompts can Fool Large Language Models Easily (2024.naacl-long)

Copied to clipboard

Challenge: Existing methods for generating 'jailbreaks' suffer from manual design or require optimization on other white-box models, which compromises either generalization or efficiency.
Approach: They propose a framework that leverages LLMs to generate effective jailbreak prompts and a generalized framework that can be used to generate prompts.
Outcome: The proposed framework improves the attack success rate while reducing the time cost compared to baselines.
Defending LLMs against Jailbreak Attacks via Template-Based ICL with a Defensive Suffix (2026.findings-acl)

Copied to clipboard

Challenge: State-of-the-art large language models (LLMs) are vulnerable to jailbreak attacks, such as GCG and AutoDAN.
Approach: They propose to take the advances of online In-Context Learning and an offline defensive suffix and optimize them using an iterative algorithm and an online stochastic random search to identify the most effective ICL demonstrations.
Outcome: The proposed method reduces attack success rate to nearly *0% while maintaining the model’s utility on benign tasks and incurring only *negligible* computational overhead.
Shaping the Safety Boundaries: Understanding and Defending Against Jailbreaks in Large Language Models (2025.acl-long)

Copied to clipboard

Challenge: Understanding how jailbreaking works remains limited, hindering the development of effective defense strategies.
Approach: They propose a new mechanism that adaptively constrains activations within the safety boundary and propose 'Activation Boundary Defense' to enhance its effectiveness.
Outcome: The proposed defense achieves an average Defense Success Rate (DSR) of over 98% against various jailbreak attacks, with less than 2% impact on the model’s general capabilities.

What is GenGO?

GenGO is an NLP powered publication search system. It currenctly indexes 30k+ papers from ACL Anthology, and implements multi-aspect summarization, semantic search, and more!

Information

About
Limitations