Challenge: Existing methods for evaluating large language models face two limitations: they explore homogeneous transformations in isolation and rely on brittle judgment metrics that misclassify non-refusal hallucinations as successful attacks.
Approach: They propose a framework that generates compositional jailbreak attacks via judgment-driven search over heterogeneous strategies.
Outcome: The proposed framework generates compositional jailbreak attacks over heterogeneous strategies . strongREJECT++ improves attack success rates and transferability compared to state-of-the-art .

Similar Papers

Tricking LLMs into Disobedience: Formalizing, Analyzing, and Detecting Jailbreaks (2024.lrec-main)

Copied to clipboard

Challenge: Existing methods to jailbreak large language models have been poorly studied . a recent study showed that non-expert users can jailbreak LLMs by manipulating their prompts .
Approach: They propose a formalism and a taxonomy of known (and possible) jailbreaks . they propose generating a dataset of model outputs across 3700 jailbreak prompts a 'prompt' attack is a new attack popularly categorized as "prompting injection attacks"
Outcome: The proposed model exploits 3700 jailbreak prompts over 4 tasks to analyze their effectiveness . authors show that the model can learn to perform a new task on unseen examples .
Exploring Jailbreak Attacks on LLMs through Intent Concealment and Diversion (2025.findings-acl)

Copied to clipboard

Challenge: Existing jailbreak methods face an excessive number of iterative queries and poor generalization across models.
Approach: They propose a jailbreak method that employs **I**ntent **C**oncealment and div**E**rsion to circumvent security constraints.
Outcome: The proposed method outperforms existing jailbreak techniques in question-answering and text-generation tasks.
Breaking the Ceiling: Exploring the Potential of Jailbreak Attacks through Expanding Strategy Space (2025.findings-acl)

Copied to clipboard

Challenge: Existing methods to exploit black-box jailbreaks fail to capture key attack patterns . a novel framework decomposes jailbreak strategies into essential components .
Approach: They propose a framework that decomposes jailbreak strategies into essential components and develops genetic-based optimization with intention evaluation mechanisms.
Outcome: The proposed framework achieves 90% success rate on Claude-3.5, where prior methods completely fail . it also surpasses specialized safeguard models in evaluation accuracy .
Diversity Helps Jailbreak Large Language Models (2025.naacl-long)

Copied to clipboard

Challenge: Existing methods for jailbreaking large language models rely on laborious human engineering and whitebox access to model internals.
Approach: They propose a method that instructs large language models to deviate from prior context and generate harmful outputs by instructing them to deviat from previous attacks.
Outcome: The proposed method achieves a 62.83% higher success rate in compromising ten leading chatbots, while using only 12.9% of the queries.
From Attack Surfaces to Actual Operations: A Survey of Modern LLM Jailbreaks (2026.findings-acl)

Copied to clipboard

Challenge: Existing taxonomies focus on manipulation methods rather than underlying mechanisms, limiting our understanding of attack effectiveness and defensive strategies.
Approach: They propose a two-fold taxonomy to categorize attacks across three tiers based on exploited vulnerabilities and approaches and an operational taxonomies to evaluate attacks across four dimensions.
Outcome: The proposed taxonomy categorizes attacks across three tiers based on exploited vulnerabilities and approaches and evaluates attacks on four dimensions to assess real-world feasibility and sustainability.
Defending Large Language Models Against Jailbreaking Attacks Through Goal Prioritization (2024.acl-long)

Copied to clipboard

Challenge: Despite the success of jailbreaking attacks, there is a lack of effort in defending against them.
Approach: They propose to integrate goal prioritization at both training and inference stages to counteract this conflict between the goals of being helpful and ensuring safety.
Outcome: The proposed approach reduces the Attack Success Rate (ASR) of jailbreaking from 66.4% to 3.6% for ChatGPT and reduces it from 71.0% to 6.6% for Llama2-13B.
AutoBreach: Universal and Adaptive Jailbreaking with Efficient Wordplay-Guided Optimization via Multi-LLMs (2025.findings-naacl)

Copied to clipboard

Challenge: Existing jailbreak research exhibits limitations in universality, validity, and efficiency . Existing methods for jailbreaking LLMs have limited validity and effectiveness .
Approach: They propose a black-box approach that uses wordplay-guided mapping rule sampling to create universal adversarial prompts.
Outcome: The proposed method efficiently identifies security vulnerabilities across various LLMs, achieving an average success rate of over 80% with fewer than 10 queries.
How Jailbreak Defenses Work and Ensemble? A Mechanistic Investigation (2025.findings-emnlp)

Copied to clipboard

Challenge: Jailbreak attacks, where harmful prompts bypass generative models’ built-in safety, raise serious concerns about model vulnerability.
Approach: They propose to reframe the standard generation task as a binary classification problem to assess model refusal tendencies for both harmful and benign queries.
Outcome: The proposed defenses improve model safety or optimize the trade-off between safety and helpfulness.
Towards Understanding Jailbreak Attacks in LLMs: A Representation Space Analysis (2024.emnlp-main)

Copied to clipboard

Challenge: Large language models (LLMs) are susceptible to a type of attack known as jailbreaking, which misleads LLMs to output harmful contents.
Approach: They propose to leverage hidden representations into existing jailbreak targets to move the attacks along the acceptance direction.
Outcome: The proposed methods are validated using the objective of existing jailbreak attacks.
Experience-Driven Multi-Agent Optimization for Black-Box Jailbreak Attacks on Large Language Models (2026.findings-acl)

Copied to clipboard

Challenge: Existing methods for jailbreak have poor transferability and high sensitivity to preprocessing . EMJO provides an effective and scalable paradigm for systematic jailbreak optimization .
Approach: They propose a model that couples agents into a closed-loop "probe–evaluate–revise” process . they propose EMJO, which can be query-efficient and transferable, under black-box access.
Outcome: a new approach outperforms existing jailbreak baselines on diverse LLMs . it achieves up to 11% improvement in attack success rate while reducing query cost .

What is GenGO?

GenGO is an NLP powered publication search system. It currenctly indexes 30k+ papers from ACL Anthology, and implements multi-aspect summarization, semantic search, and more!

Information

About
Limitations