AGD: Adversarial Game Defense Against Jailbreak Attacks in Large Language Models (2025.acl-long)
Copied to clipboard
Shilong Pan, Zhiliang Tian, Zhen Huang, Wanlong Yu, Zhihua Wen, Xinwang Liu, Kai Lu, Minlie Huang, Dongsheng Li
| Challenge: | Existing defenses, including post-training alignment and prompt engineering, struggle with adaptability to out-of-distribution (OOD) attacks. |
| Approach: | They propose an adversarial game-based defense method that dynamically adjusts LLMs’ internal representations to achieve a balanced trade-off between helpfulness and harmlessness. |
| Outcome: | The proposed method improves LLMs’ safety over all baselines. |
Similar Papers
Defending Jailbreak Prompts via In-Context Adversarial Game (2024.emnlp-main)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) demonstrate remarkable capabilities across diverse applications, but concerns regarding their security persist. |
| Approach: | They propose an adversarial game that leverages agent learning to extend knowledge to defend against jailbreaks. |
| Outcome: | The proposed game shows that LLMs safeguarded by ICAG exhibit significantly reduced jailbreak success rates across various attack scenarios. |
Iterative Self-Tuning LLMs for Enhanced Jailbreaking Capabilities (2025.naacl-long)
Copied to clipboard
Chung-En Sun, Xiaodong Liu, Weiwei Yang, Tsui-Wei Weng, Hao Cheng, Aidan San, Michel Galley, Jianfeng Gao
| Challenge: | Recent research shows that Large Language Models (LLMs) are vulnerable to automated jailbreak attacks. |
| Approach: | They propose a framework that crafts adversarial LLMs with enhanced jailbreak ability. |
| Outcome: | ADV-LLM significantly reduces the computational cost of generating adversarial suffixes while achieving nearly 100% ASR on various open-source LLMs. |
CAVGAN: Unifying Jailbreak and Defense of LLMs via Generative Adversarial Attacks on their Internal Representations (2025.findings-acl)
Copied to clipboard
| Challenge: | Existing studies have isolated LLM jailbreak attacks and defenses . a new framework combines attack and defense to protect against malicious queries . |
| Approach: | They propose a framework that combines attack and defense to protect the Large Language Model (LLM) by embedding harmful problems into the safe area. |
| Outcome: | The proposed framework achieves an average jailbreak success rate of 88.85% across three popular LLMs while the defense success rate reaches an average of 84.17%. |
Beyond Surface-Level Patterns: An Essence-Driven Defense Framework Against Jailbreak Attacks in LLMs (2025.findings-acl)
Copied to clipboard
| Challenge: | Existing methods focus on surface-level patterns, overlooking the deeper attack essences. |
| Approach: | They propose an Essence-Driven Defense Framework Against Jailbreak Attacks in Aligned Large Language Models that extracts the "attack essence" from a diverse set of known attack instances and stores it in an offline vector database. |
| Outcome: | The proposed framework outperforms existing methods by reducing the Attack Success Rate by at least 20%, underscoring its superior robustness against jailbreak attacks. |
RePD: Defending Jailbreak Attack through a Retrieval-based Prompt Decomposition Process (2025.findings-naacl)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) are still susceptible to jailbreak exploits despite rigorous pre-training and fine-tuning focused on ethical alignment . |
| Approach: | They propose a Retrieval-based attack Retriest-based Prompt Decomposition framework that decomposes harmful queries embedded within user prompts into a one-shot learning example to effectively teach the LLM to discern and separate malicious components. |
| Outcome: | The proposed framework is capable of decomposing harmful queries from the original query and enhancing the resilience of large language models against jailbreak attacks without compromising their performance. |
Defending Large Language Models Against Jailbreak Attacks via Layer-specific Editing (2024.findings-emnlp)
Copied to clipboard
| Challenge: | Existing defense methods focus on detecting harmful prompts or reducing the likelihood of harmful responses. |
| Approach: | They propose a layer-specific editing method to align LLMs to harmful prompts by supervised fine-tuning and reinforcement learning. |
| Outcome: | The proposed method improves the performance of large language models against jailbreak attacks while maintaining performance on benign prompts. |
Activation-Guided Local Editing for Jailbreaking Attacks (2026.acl-long)
Copied to clipboard
| Challenge: | Existing methods for jailbreaking Large Language Models (LLMs) are limited and produce incoherent or unreadable inputs. |
| Approach: | They propose a two-stage framework that performs a one-shot, scenario-based generation of context and rephrases the original malicious query to obscure its harmful intent. |
| Outcome: | The proposed framework achieves state-of-the-art Attack Success Rate, with gains of up to 37.74% over the strongest baseline, and excellent transferability to black-box and large-scale models. |
A Wolf in Sheep’s Clothing: Generalized Nested Jailbreak Prompts can Fool Large Language Models Easily (2024.naacl-long)
Copied to clipboard
| Challenge: | Existing methods for generating 'jailbreaks' suffer from manual design or require optimization on other white-box models, which compromises either generalization or efficiency. |
| Approach: | They propose a framework that leverages LLMs to generate effective jailbreak prompts and a generalized framework that can be used to generate prompts. |
| Outcome: | The proposed framework improves the attack success rate while reducing the time cost compared to baselines. |
Defending LLMs against Jailbreak Attacks via Template-Based ICL with a Defensive Suffix (2026.findings-acl)
Copied to clipboard
| Challenge: | State-of-the-art large language models (LLMs) are vulnerable to jailbreak attacks, such as GCG and AutoDAN. |
| Approach: | They propose to take the advances of online In-Context Learning and an offline defensive suffix and optimize them using an iterative algorithm and an online stochastic random search to identify the most effective ICL demonstrations. |
| Outcome: | The proposed method reduces attack success rate to nearly *0% while maintaining the model’s utility on benign tasks and incurring only *negligible* computational overhead. |
Shaping the Safety Boundaries: Understanding and Defending Against Jailbreaks in Large Language Models (2025.acl-long)
Copied to clipboard
| Challenge: | Understanding how jailbreaking works remains limited, hindering the development of effective defense strategies. |
| Approach: | They propose a new mechanism that adaptively constrains activations within the safety boundary and propose 'Activation Boundary Defense' to enhance its effectiveness. |
| Outcome: | The proposed defense achieves an average Defense Success Rate (DSR) of over 98% against various jailbreak attacks, with less than 2% impact on the model’s general capabilities. |