NEXUS: Network Exploration for eXploiting Unsafe Sequences in Multi-Turn LLM Jailbreaks

TL;DR

The paper tackles the vulnerability of large language models to multi-turn jailbreaks by introducing NEXUS, a modular framework that systematically explores, refines, and executes optimized attack chains. It combines ThoughtNet, a semantic network that expands harmful goals into diverse topics and samples, with a feedback-driven Simulator and a Network Traverser for real-time attack execution. Across closed-source and open-weight LLMs, NEXUS achieves higher attack success rates, greater diversity of attack paths, and improved efficiency compared to state-of-the-art baselines. The work highlights the importance of semantically grounded space exploration and iterative refinement for robust adversarial testing, while acknowledging computational overhead and early-stage query limitations as areas for future defense-focused work.

Abstract

Large Language Models (LLMs) have revolutionized natural language processing but remain vulnerable to jailbreak attacks, especially multi-turn jailbreaks that distribute malicious intent across benign exchanges and bypass alignment mechanisms. Existing approaches often explore the adversarial space poorly, rely on hand-crafted heuristics, or lack systematic query refinement. We present NEXUS (Network Exploration for eXploiting Unsafe Sequences), a modular framework for constructing, refining, and executing optimized multi-turn attacks. NEXUS comprises: (1) ThoughtNet, which hierarchically expands a harmful intent into a structured semantic network of topics, entities, and query chains; (2) a feedback-driven Simulator that iteratively refines and prunes these chains through attacker-victim-judge LLM collaboration using harmfulness and semantic-similarity benchmarks; and (3) a Network Traverser that adaptively navigates the refined query space for real-time attacks. This pipeline uncovers stealthy, high-success adversarial paths across LLMs. On several closed-source and open-source LLMs, NEXUS increases attack success rate by 2.1% to 19.4% over prior methods. Code: https://github.com/inspire-lab/NEXUS

Figures (22)

• Figure 1: Illustration of a successful multi-turn jailbreak attack performed by NEXUS on both open-source and closed-source large language models (LLMs).
• Figure 2: Overview of the NEXUS framework in three phases. ThoughtNet expands the original harmful prompt $Q$ into a semantic network of topics $T_i$ and their contextual samples $S_{ij}$, producing a pool of candidate multi-turn query chains. Feedback-Driven Simulation then iteratively sends each query $q_t$ to the victim LLM, evaluates the response $r_t$ via a judge LLM for harmfulness and semantic alignment, and uses an attacker LLM to refine queries or prune low-potential branches based on thresholds. Finally, the Iterative Traverser executes the optimized chain in real time, rewriting any rejected query $q_t'$ until a successful jailbreak is achieved.
• Figure 3: Attack Success Rate comparison on GPT-4o across varying multi-turn attack budgets (2–5 queries) using the AdvBench dataset.
• Figure 4: Attack Diversity Across Victim LLMs. This plot shows the pairwise‐cosine–similarity diversity score of successful multi-turn jailbreaks on six target models (RACE, CoA, Crescendo, ActorAttack, and NEXUS). NEXUS consistently achieves the highest diversity demonstrating its ability to generate more varied attack strategies.
• Figure 5: Harmfulness Score Distribution. This histogram displays the judge‐assigned harmfulness scores (1=least to 5=most harmful) for each method’s successful attacks. NEXUS concentrates over 70% of its outputs in the top two bins (scores 4–5), while baselines like CoA and Crescendo produce a larger share of lower-score responses.