Jailbreaking LLMs via Semantically Relevant Nested Scenarios with Targeted Toxic Knowledge

TL;DR

The paper investigates jailbreak vulnerabilities in LLMs by focusing on semantically relevant nested scenarios that embed targeted toxic knowledge. It introduces RTS-Attack, a black-box framework that classifies harmful queries, generates adaptive nested scenarios via in-context learning, and customizes instructions to provoke harmful responses, all within three interaction rounds. Across six diverse LLMs, RTS-Attack achieves an average Harmfulness Score near 4.90 and an Attack Success Rate around 96.7%, while using only about 96 input tokens per attack, outperforming seven baselines. The work highlights the need for stronger alignment defenses and offers a universal framework for evaluating and advancing jailbreak research in real-world deployments.

Abstract

Large Language Models (LLMs) have demonstrated remarkable capabilities in various tasks. However, they remain exposed to jailbreak attacks, eliciting harmful responses. The nested scenario strategy has been increasingly adopted across various methods, demonstrating immense potential. Nevertheless, these methods are easily detectable due to their prominent malicious intentions. In this work, we are the first to find and systematically verify that LLMs' alignment defenses are not sensitive to nested scenarios, where these scenarios are highly semantically relevant to the queries and incorporate targeted toxic knowledge. This is a crucial yet insufficiently explored direction. Based on this, we propose RTS-Attack (Semantically Relevant Nested Scenarios with Targeted Toxic Knowledge), an adaptive and automated framework to examine LLMs' alignment. By building scenarios highly relevant to the queries and integrating targeted toxic knowledge, RTS-Attack bypasses the alignment defenses of LLMs. Moreover, the jailbreak prompts generated by RTS-Attack are free from harmful queries, leading to outstanding concealment. Extensive experiments demonstrate that RTS-Attack exhibits superior performance in both efficiency and universality compared to the baselines across diverse advanced LLMs, including GPT-4o, Llama3-70b, and Gemini-pro. Our complete code is available at https://github.com/nercode/Work. WARNING: THIS PAPER CONTAINS POTENTIALLY HARMFUL CONTENT.

Figures (8)

• Figure 1: A jailbreak example produced by RTS-Attack, which utilizes scenarios that embed targeted toxic knowledge (indicated by the underline) and closely resemble harmful queries. In contrast, existing methods, such as ReNeLLM, typically construct scenarios that lack these features
• Figure 2: There are three scenarios for each query: 1) N: none feature, 2) R: relevance feature, and 3) RT: both features, representing increasing levels of feature satisfaction. In addition, the Baseline (original template) does not include any scenarios. (a) Jailbreak success rate across jailbreak prompts with different scenarios. (b) Distribution of harmfulness scores in LLM responses. Higher scores indicate more harmful
• Figure 3: Nested Scenario Generator Prompt
• Figure 4: The overview of our framework RTS-Attack. The whole process is fully automated and adaptive, eliminating the need for manual intervention. LLM full response content omitted for brevity
• Figure 5: Query Classification and Intent Extraction Prompt