QueryAttack: Jailbreaking Aligned Large Language Models Using Structured Non-natural Query Language (2025.findings-acl)
Copied to clipboard
Qingsong Zou, Jingyu Xiao, Qing Li, Zhi Yan, Yuhang Wang, Li Xu, Wenxuan Wang, Kuofeng Gao, Ruoyu Li, Yong Jiang
| Challenge: | Existing methods to bypass security defenses of large language models (LLMs) are not effective, but QueryAttack can be jailbroken. |
| Approach: | They propose a framework to examine generalizability of safety alignment by translating malicious queries into structured non-natural query languages. |
| Outcome: | The proposed framework can achieve high attack success rates and jailbreak various defense methods on mainstream LLMs. |
Similar Papers
SafeInt: Shielding Large Language Models from Jailbreak Attacks via Safety-Aware Representation Intervention (2025.findings-emnlp)
Copied to clipboard
| Challenge: | Jailbreak attacks exploit vulnerabilities in large language models to induce undesirable behavior . existing defenses cannot dynamically adjust representations based on harmfulness of queries . |
| Approach: | They propose a representation-aware representation method that shields LLMs from jailbreak attacks . SafeInt relocates jailbreak-related representations into the rejection region . |
| Outcome: | The proposed method outperforms baseline defenses while maintaining utility . it relocates jailbreak-related representations into the rejection region . |
CodeAttack: Revealing Safety Generalization Challenges of Large Language Models via Code Completion (2024.findings-acl)
Copied to clipboard
| Challenge: | Large Language Models exhibit remarkable generative capabilities but can be misused for harmful purposes. |
| Approach: | They propose a framework that transforms natural language inputs into code inputs. |
| Outcome: | The proposed framework bypasses the safety guardrails of all models more than 80% of the time. |
CAVGAN: Unifying Jailbreak and Defense of LLMs via Generative Adversarial Attacks on their Internal Representations (2025.findings-acl)
Copied to clipboard
| Challenge: | Existing studies have isolated LLM jailbreak attacks and defenses . a new framework combines attack and defense to protect against malicious queries . |
| Approach: | They propose a framework that combines attack and defense to protect the Large Language Model (LLM) by embedding harmful problems into the safe area. |
| Outcome: | The proposed framework achieves an average jailbreak success rate of 88.85% across three popular LLMs while the defense success rate reaches an average of 84.17%. |
Revisiting Jailbreaking for Large Language Models: A Representation Engineering Perspective (2025.coling-main)
Copied to clipboard
Tianlong Li, Zhenghua Wang, Wenhao Liu, Muling Wu, Shihan Dou, Changze Lv, Xiaohua Wang, Xiaoqing Zheng, Xuanjing Huang
| Challenge: | Recent surge in jailbreaking attacks has revealed significant vulnerabilities in Large Language Models (LLMs) however, limited research into the underlying mechanisms that make LLMs vulnerable to such attacks has been conducted. |
| Approach: | They propose that LLMs' self-safeguarding capability is linked to specific activity patterns within their representation space. |
| Outcome: | The proposed models can be detected with a few pairs of contrastive queries, and the robustness can be manipulated by weakening or strengthening these patterns. |
Defending Against Alignment-Breaking Attacks via Robustly Aligned LLM (2024.acl-long)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) have made significant advancements but can be misused to generate harmful content. |
| Approach: | They propose a Robustly Aligned LLM to defend against alignment-breaking attacks by retraining existing LLMs and using adversarial or handcrafted jailbreaking prompts. |
| Outcome: | The proposed model reduces attack success rates from nearly 100% to around 10% or less. |
A Comprehensive Study of Jailbreak Attack versus Defense for Large Language Models (2024.findings-acl)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) have demonstrated capabilities for generating content that could be deemed harmful. |
| Approach: | They conduct a comprehensive analysis of existing studies on jailbreaking LLMs and their defense techniques. |
| Outcome: | The proposed techniques underperform existing white-box attacks and include special tokens significantly affects the likelihood of successful attacks. |
SQL Injection Jailbreak: A Structural Disaster of Large Language Models (2025.findings-acl)
Copied to clipboard
| Challenge: | Existing methods to jailbreak Large Language Models (LLMs) exploited internal properties or capabilities of the model, such as optimization-based jailbreak methods and methods that leveraged the model’s context-learning abilities. |
| Approach: | They propose a new method which injects jailbreak information into user prompts and induces the model to generate harmful content. |
| Outcome: | The proposed method achieves near 100% success rates on open-source models while incurring lower time costs compared to previous methods. |
Exploring Jailbreak Attacks on LLMs through Intent Concealment and Diversion (2025.findings-acl)
Copied to clipboard
| Challenge: | Existing jailbreak methods face an excessive number of iterative queries and poor generalization across models. |
| Approach: | They propose a jailbreak method that employs **I**ntent **C**oncealment and div**E**rsion to circumvent security constraints. |
| Outcome: | The proposed method outperforms existing jailbreak techniques in question-answering and text-generation tasks. |
How Alignment and Jailbreak Work: Explain LLM Safety through Intermediate Hidden States (2024.findings-emnlp)
Copied to clipboard
| Challenge: | Large language models (LLMs) rely on safety alignment to avoid malicious user inputs. |
| Approach: | They employ weak classifiers to explain LLM safety through the intermediate hidden states. |
| Outcome: | The proposed model can identify malicious and normal inputs and detect malicious ones without jailbreak. |
DrAttack: Prompt Decomposition and Reconstruction Makes Powerful LLMs Jailbreakers (2024.findings-emnlp)
Copied to clipboard
| Challenge: | Existing jailbreaking methods view a malicious prompt as a whole but they are not effective at reducing LLMs’ attention on combinations of words with malice. |
| Approach: | They propose an automatic prompt Decomposition and Reconstruction framework for jailbreaking Attack that decomposes a malicious prompt into separate sub-prompts and reassembles them implicitly by In-Context Learning. |
| Outcome: | The proposed framework reduces LLMs' attention on malice words by presenting them to LLM in a fragmented form, addressing these limitations and improving attack effectiveness. |