Chimera: Compositional Jailbreak Attacks on LLMs via Judgment-Driven Search over Heterogeneous Strategies (2026.findings-acl)
Copied to clipboard
| Challenge: | Existing methods for evaluating large language models face two limitations: they explore homogeneous transformations in isolation and rely on brittle judgment metrics that misclassify non-refusal hallucinations as successful attacks. |
| Approach: | They propose a framework that generates compositional jailbreak attacks via judgment-driven search over heterogeneous strategies. |
| Outcome: | The proposed framework generates compositional jailbreak attacks over heterogeneous strategies . strongREJECT++ improves attack success rates and transferability compared to state-of-the-art . |
Similar Papers
Tricking LLMs into Disobedience: Formalizing, Analyzing, and Detecting Jailbreaks (2024.lrec-main)
Copied to clipboard
| Challenge: | Existing methods to jailbreak large language models have been poorly studied . a recent study showed that non-expert users can jailbreak LLMs by manipulating their prompts . |
| Approach: | They propose a formalism and a taxonomy of known (and possible) jailbreaks . they propose generating a dataset of model outputs across 3700 jailbreak prompts a 'prompt' attack is a new attack popularly categorized as "prompting injection attacks" |
| Outcome: | The proposed model exploits 3700 jailbreak prompts over 4 tasks to analyze their effectiveness . authors show that the model can learn to perform a new task on unseen examples . |
Exploring Jailbreak Attacks on LLMs through Intent Concealment and Diversion (2025.findings-acl)
Copied to clipboard
| Challenge: | Existing jailbreak methods face an excessive number of iterative queries and poor generalization across models. |
| Approach: | They propose a jailbreak method that employs **I**ntent **C**oncealment and div**E**rsion to circumvent security constraints. |
| Outcome: | The proposed method outperforms existing jailbreak techniques in question-answering and text-generation tasks. |
Breaking the Ceiling: Exploring the Potential of Jailbreak Attacks through Expanding Strategy Space (2025.findings-acl)
Copied to clipboard
| Challenge: | Existing methods to exploit black-box jailbreaks fail to capture key attack patterns . a novel framework decomposes jailbreak strategies into essential components . |
| Approach: | They propose a framework that decomposes jailbreak strategies into essential components and develops genetic-based optimization with intention evaluation mechanisms. |
| Outcome: | The proposed framework achieves 90% success rate on Claude-3.5, where prior methods completely fail . it also surpasses specialized safeguard models in evaluation accuracy . |
Diversity Helps Jailbreak Large Language Models (2025.naacl-long)
Copied to clipboard
| Challenge: | Existing methods for jailbreaking large language models rely on laborious human engineering and whitebox access to model internals. |
| Approach: | They propose a method that instructs large language models to deviate from prior context and generate harmful outputs by instructing them to deviat from previous attacks. |
| Outcome: | The proposed method achieves a 62.83% higher success rate in compromising ten leading chatbots, while using only 12.9% of the queries. |
From Attack Surfaces to Actual Operations: A Survey of Modern LLM Jailbreaks (2026.findings-acl)
Copied to clipboard
| Challenge: | Existing taxonomies focus on manipulation methods rather than underlying mechanisms, limiting our understanding of attack effectiveness and defensive strategies. |
| Approach: | They propose a two-fold taxonomy to categorize attacks across three tiers based on exploited vulnerabilities and approaches and an operational taxonomies to evaluate attacks across four dimensions. |
| Outcome: | The proposed taxonomy categorizes attacks across three tiers based on exploited vulnerabilities and approaches and evaluates attacks on four dimensions to assess real-world feasibility and sustainability. |
Defending Large Language Models Against Jailbreaking Attacks Through Goal Prioritization (2024.acl-long)
Copied to clipboard
| Challenge: | Despite the success of jailbreaking attacks, there is a lack of effort in defending against them. |
| Approach: | They propose to integrate goal prioritization at both training and inference stages to counteract this conflict between the goals of being helpful and ensuring safety. |
| Outcome: | The proposed approach reduces the Attack Success Rate (ASR) of jailbreaking from 66.4% to 3.6% for ChatGPT and reduces it from 71.0% to 6.6% for Llama2-13B. |
AutoBreach: Universal and Adaptive Jailbreaking with Efficient Wordplay-Guided Optimization via Multi-LLMs (2025.findings-naacl)
Copied to clipboard
| Challenge: | Existing jailbreak research exhibits limitations in universality, validity, and efficiency . Existing methods for jailbreaking LLMs have limited validity and effectiveness . |
| Approach: | They propose a black-box approach that uses wordplay-guided mapping rule sampling to create universal adversarial prompts. |
| Outcome: | The proposed method efficiently identifies security vulnerabilities across various LLMs, achieving an average success rate of over 80% with fewer than 10 queries. |
How Jailbreak Defenses Work and Ensemble? A Mechanistic Investigation (2025.findings-emnlp)
Copied to clipboard
| Challenge: | Jailbreak attacks, where harmful prompts bypass generative models’ built-in safety, raise serious concerns about model vulnerability. |
| Approach: | They propose to reframe the standard generation task as a binary classification problem to assess model refusal tendencies for both harmful and benign queries. |
| Outcome: | The proposed defenses improve model safety or optimize the trade-off between safety and helpfulness. |
Towards Understanding Jailbreak Attacks in LLMs: A Representation Space Analysis (2024.emnlp-main)
Copied to clipboard
| Challenge: | Large language models (LLMs) are susceptible to a type of attack known as jailbreaking, which misleads LLMs to output harmful contents. |
| Approach: | They propose to leverage hidden representations into existing jailbreak targets to move the attacks along the acceptance direction. |
| Outcome: | The proposed methods are validated using the objective of existing jailbreak attacks. |
Experience-Driven Multi-Agent Optimization for Black-Box Jailbreak Attacks on Large Language Models (2026.findings-acl)
Copied to clipboard
| Challenge: | Existing methods for jailbreak have poor transferability and high sensitivity to preprocessing . EMJO provides an effective and scalable paradigm for systematic jailbreak optimization . |
| Approach: | They propose a model that couples agents into a closed-loop "probe–evaluate–revise” process . they propose EMJO, which can be query-efficient and transferable, under black-box access. |
| Outcome: | a new approach outperforms existing jailbreak baselines on diverse LLMs . it achieves up to 11% improvement in attack success rate while reducing query cost . |