Challenge: Large Language Models (LLMs) are increasingly integrated into real-world applications, requiring a high level of safety and alignment.
Approach: They propose a multi-turn jailbreak method that leverages foot-in-the-door principles to escalate malicious intent of user queries through intermediate bridge prompts and aligns the model’s response by itself to induce toxic responses.
Outcome: The proposed method achieves an average attack success rate of 94% across seven widely used models outperforming existing state-of-the-art methods.

Similar Papers

One-Shot is Enough: Consolidating Multi-Turn Attacks into Efficient Single-Turn Prompts for LLMs (2025.acl-long)

Copied to clipboard

Challenge: a novel framework for consolidating multi-turn adversarial “jailbreak” prompts into single-turn queries is presented in a journal of computational linguistics.
Approach: They propose a framework for consolidating adversarial “jailbreak” prompts into single-turn queries.
Outcome: The proposed framework outperforms the original multi-turn attacks by up to 17.5 % in absolute ASR . it reduces token usage by more than half on average, and provides a powerful tool for large-scale red-teaming .
Iterative Self-Tuning LLMs for Enhanced Jailbreaking Capabilities (2025.naacl-long)

Copied to clipboard

Challenge: Recent research shows that Large Language Models (LLMs) are vulnerable to automated jailbreak attacks.
Approach: They propose a framework that crafts adversarial LLMs with enhanced jailbreak ability.
Outcome: ADV-LLM significantly reduces the computational cost of generating adversarial suffixes while achieving nearly 100% ASR on various open-source LLMs.
A Wolf in Sheep’s Clothing: Generalized Nested Jailbreak Prompts can Fool Large Language Models Easily (2024.naacl-long)

Copied to clipboard

Challenge: Existing methods for generating 'jailbreaks' suffer from manual design or require optimization on other white-box models, which compromises either generalization or efficiency.
Approach: They propose a framework that leverages LLMs to generate effective jailbreak prompts and a generalized framework that can be used to generate prompts.
Outcome: The proposed framework improves the attack success rate while reducing the time cost compared to baselines.
Jailbreak LLMs through Internal Stance Manipulation (2025.emnlp-main)

Copied to clipboard

Challenge: Existing approaches to exploit LLMs' inherent safety mechanism, including GCG and AutoDAN, are ineffective for certain malicious requests.
Approach: They propose a method that generates jailbreak prompts to suppress a refusal stance and induce affirmative responses by modifying adversarial prompts.
Outcome: The proposed method outperforms the best baseline approach in Llama-2-7b-chat and achieves a 92.2% success rate across all models.
Diversity Helps Jailbreak Large Language Models (2025.naacl-long)

Copied to clipboard

Challenge: Existing methods for jailbreaking large language models rely on laborious human engineering and whitebox access to model internals.
Approach: They propose a method that instructs large language models to deviate from prior context and generate harmful outputs by instructing them to deviat from previous attacks.
Outcome: The proposed method achieves a 62.83% higher success rate in compromising ten leading chatbots, while using only 12.9% of the queries.
CAVGAN: Unifying Jailbreak and Defense of LLMs via Generative Adversarial Attacks on their Internal Representations (2025.findings-acl)

Copied to clipboard

Challenge: Existing studies have isolated LLM jailbreak attacks and defenses . a new framework combines attack and defense to protect against malicious queries .
Approach: They propose a framework that combines attack and defense to protect the Large Language Model (LLM) by embedding harmful problems into the safe area.
Outcome: The proposed framework achieves an average jailbreak success rate of 88.85% across three popular LLMs while the defense success rate reaches an average of 84.17%.
Breaking ReAct Agents: Foot-in-the-Door Attack Will Get You In (2025.findings-naacl)

Copied to clipboard

Challenge: Indirect prompt injection attacks, prompted by harmless and unrelated requests, can significantly increase the likelihood of the agent performing subsequent malicious actions.
Approach: They propose to implement a simple reflection mechanism that prompts the agent to reassess the safety of its actions during execution, which can help mitigate this vulnerability.
Outcome: The proposed method reduces the success of such attacks by prompting the agent to reassess its actions during execution.
Exploring Jailbreak Attacks on LLMs through Intent Concealment and Diversion (2025.findings-acl)

Copied to clipboard

Challenge: Existing jailbreak methods face an excessive number of iterative queries and poor generalization across models.
Approach: They propose a jailbreak method that employs **I**ntent **C**oncealment and div**E**rsion to circumvent security constraints.
Outcome: The proposed method outperforms existing jailbreak techniques in question-answering and text-generation tasks.
Intention Analysis Makes LLMs A Good Jailbreak Defender (2025.coling-main)

Copied to clipboard

Challenge: Existing methods to align large language models with human values overlook the intrinsic nature of jailbreaks, which limits their effectiveness in complex scenarios.
Approach: They propose a simple yet highly effective defense strategy, i.e., Intention Analysis (IA). They show that IA suppresses LLM’s tendency to follow jailbreak prompts, thereby enhancing safety.
Outcome: The proposed strategy reduces harmfulness of LLMs and outperforms GPT-3.5 in attack success rate.
Tricking LLMs into Disobedience: Formalizing, Analyzing, and Detecting Jailbreaks (2024.lrec-main)

Copied to clipboard

Challenge: Existing methods to jailbreak large language models have been poorly studied . a recent study showed that non-expert users can jailbreak LLMs by manipulating their prompts .
Approach: They propose a formalism and a taxonomy of known (and possible) jailbreaks . they propose generating a dataset of model outputs across 3700 jailbreak prompts a 'prompt' attack is a new attack popularly categorized as "prompting injection attacks"
Outcome: The proposed model exploits 3700 jailbreak prompts over 4 tasks to analyze their effectiveness . authors show that the model can learn to perform a new task on unseen examples .

What is GenGO?

GenGO is an NLP powered publication search system. It currenctly indexes 30k+ papers from ACL Anthology, and implements multi-aspect summarization, semantic search, and more!

Information

About
Limitations