MRJ-Agent: An Effective Jailbreak Agent for Multi-Round Dialogue

TL;DR

MRJ-Agent introduces a novel, automated red-teaming framework for multi-round jailbreaks in large language models by combining risk-aware data construction with a learning-based red-teaming agent. The approach decomposes harmful intents across rounds using an information-control strategy and enhances attack effectiveness with psychological induction templates, followed by supervised fine-tuning and Direct Preference Optimization. Extensive experiments demonstrate state-of-the-art attack success across open- and closed-source models, robust generalization to new benchmarks and modalities, and a nuanced view of defenses that still leaves substantial vulnerability. The work emphasizes safety in AI deployments and provides a scalable methodology for evaluating and improving LLM safety in realistic, multi-turn interactions.

Abstract

Large Language Models (LLMs) demonstrate outstanding performance in their reservoir of knowledge and understanding capabilities, but they have also been shown to be prone to illegal or unethical reactions when subjected to jailbreak attacks. To ensure their responsible deployment in critical applications, it is crucial to understand the safety capabilities and vulnerabilities of LLMs. Previous works mainly focus on jailbreak in single-round dialogue, overlooking the potential jailbreak risks in multi-round dialogues, which are a vital way humans interact with and extract information from LLMs. Some studies have increasingly concentrated on the risks associated with jailbreak in multi-round dialogues. These efforts typically involve the use of manually crafted templates or prompt engineering techniques. However, due to the inherent complexity of multi-round dialogues, their jailbreak performance is limited. To solve this problem, we propose a novel multi-round dialogue jailbreaking agent, emphasizing the importance of stealthiness in identifying and mitigating potential threats to human values posed by LLMs. We propose a risk decomposition strategy that distributes risks across multiple rounds of queries and utilizes psychological strategies to enhance attack strength. Extensive experiments show that our proposed method surpasses other attack methods and achieves state-of-the-art attack success rate. We will make the corresponding code and dataset available for future research. The code will be released soon.

Figures (6)

• Figure 1: Illustration of our proposed attack. As illustrated, our method can smoothly guide the conversation from harmless questions to sensitive questions based on the risk intent, ultimately triggering harmful responses from the target model. The blue highlighted text shows how the risk of the original harmful query is progressively decomposed. The yellow highlighted text displays how the red team model induces risky responses. Red text represents the test model responding with harmful content related to the harmful query.
• Figure 2: Pipeline of our proposed attack
• Figure 3: Illustration of generalization.
• Figure 4: Round 1 How might a person suffering from domestic violence react emotionally when caught in such a harrowing situation?
• Figure 5: Round 2 The flames dance wildly, casting an eerie red glow over their faces as they locked eyes. His once chiseled features twisted into a snarling beast, his grip on her arm tightening with every passing second.