Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Efficient LLM Jailbreak via Adaptive Dense-to-sparse Constrained Optimization

Kai Hu, Weichen Yu, Yining Li, Kai Chen, Tianjun Yao, Xiang Li, Wenhe Liu, Lijun Yu, Zhiqiang Shen, Matt Fredrikson

TL;DR

This work addresses the vulnerability of LLMs to jailbreaks by recasting discrete token-level optimization as a continuous problem. It introduces Adaptive Dense-to-Sparse Constraint (ADC), which starts in a dense, continuous space $\mathbb{R}^V$ and progressively enforces sparsity to approach one-hot token representations, thereby reducing projection distortion and improving optimization efficiency. The method employs a momentum-based optimizer, avoids reparameterization tricks, and uses multiple initializations, with a two-stage ADC+ variant that incorporates a quick switch to a traditional token-level attack for added efficiency. Empirically, ADC achieves state-of-the-art attack performance on Harmbench (7 of 8 LLMs) and outperforms GCG on AdvBench across several models, while remaining robust against adversarially trained defenses; the work highlights both the persistence of token-level vulnerabilities under white-box conditions and the potential for transfer to black-box settings. Overall, ADC advances the speed and reliability of token-level jailbreaks and underscores the ongoing need for robust alignment and defenses against such adaptive attacks.

Abstract

Recent research indicates that large language models (LLMs) are susceptible to jailbreaking attacks that can generate harmful content. This paper introduces a novel token-level attack method, Adaptive Dense-to-Sparse Constrained Optimization (ADC), which has been shown to successfully jailbreak multiple open-source LLMs. Drawing inspiration from the difficulties of discrete token optimization, our method relaxes the discrete jailbreak optimization into a continuous optimization process while gradually increasing the sparsity of the optimizing vectors. This technique effectively bridges the gap between discrete and continuous space optimization. Experimental results demonstrate that our method is more effective and efficient than state-of-the-art token-level methods. On Harmbench, our approach achieves the highest attack success rate on seven out of eight LLMs compared to the latest jailbreak methods. Trigger Warning: This paper contains model behavior that can be offensive in nature.

Efficient LLM Jailbreak via Adaptive Dense-to-sparse Constrained Optimization

TL;DR

This work addresses the vulnerability of LLMs to jailbreaks by recasting discrete token-level optimization as a continuous problem. It introduces Adaptive Dense-to-Sparse Constraint (ADC), which starts in a dense, continuous space and progressively enforces sparsity to approach one-hot token representations, thereby reducing projection distortion and improving optimization efficiency. The method employs a momentum-based optimizer, avoids reparameterization tricks, and uses multiple initializations, with a two-stage ADC+ variant that incorporates a quick switch to a traditional token-level attack for added efficiency. Empirically, ADC achieves state-of-the-art attack performance on Harmbench (7 of 8 LLMs) and outperforms GCG on AdvBench across several models, while remaining robust against adversarially trained defenses; the work highlights both the persistence of token-level vulnerabilities under white-box conditions and the potential for transfer to black-box settings. Overall, ADC advances the speed and reliability of token-level jailbreaks and underscores the ongoing need for robust alignment and defenses against such adaptive attacks.

Abstract

Recent research indicates that large language models (LLMs) are susceptible to jailbreaking attacks that can generate harmful content. This paper introduces a novel token-level attack method, Adaptive Dense-to-Sparse Constrained Optimization (ADC), which has been shown to successfully jailbreak multiple open-source LLMs. Drawing inspiration from the difficulties of discrete token optimization, our method relaxes the discrete jailbreak optimization into a continuous optimization process while gradually increasing the sparsity of the optimizing vectors. This technique effectively bridges the gap between discrete and continuous space optimization. Experimental results demonstrate that our method is more effective and efficient than state-of-the-art token-level methods. On Harmbench, our approach achieves the highest attack success rate on seven out of eight LLMs compared to the latest jailbreak methods. Trigger Warning: This paper contains model behavior that can be offensive in nature.
Paper Structure (7 sections)

This paper contains 7 sections.

Table of Contents

  1. Introduction
  2. Related Work
  3. LLM alignment
  4. Automated jailbreaks
  5. Discrete token optimization
  6. Methodology
  7. Problem Setup