NegBLEURT Forest: Leveraging Inconsistencies for Detecting Jailbreak Attacks
Lama Sleem, Jerome Francois, Lujun Li, Nathan Foucher, Niccolo Gentile, Radu State
TL;DR
The paper tackles jailbreak attacks on LLMs and the brittleness of threshold-based defenses. It introduces NegBLEURT Forest, a threshold-free detector that blends a negation-aware semantic similarity (NegBLEURT) with a Refusal Semantic Domain (RSD) and Isolation Forest to identify anomalous outputs. Through curated perturbation experiments on JailbreakBench-derived data, the approach demonstrates strong, model-robust performance and outperforms several baselines. Limitations include dataset scope, the need for broader model validation, and computational cost, pointing to future work on efficiency and scalability.
Abstract
Jailbreak attacks designed to bypass safety mechanisms pose a serious threat by prompting LLMs to generate harmful or inappropriate content, despite alignment with ethical guidelines. Crafting universal filtering rules remains difficult due to their inherent dependence on specific contexts. To address these challenges without relying on threshold calibration or model fine-tuning, this work introduces a semantic consistency analysis between successful and unsuccessful responses, demonstrating that a negation-aware scoring approach captures meaningful patterns. Building on this insight, a novel detection framework called NegBLEURT Forest is proposed to evaluate the degree of alignment between outputs elicited by adversarial prompts and expected safe behaviors. It identifies anomalous responses using the Isolation Forest algorithm, enabling reliable jailbreak detection. Experimental results show that the proposed method consistently achieves top-tier performance, ranking first or second in accuracy across diverse models using the crafted dataset, while competing approaches exhibit notable sensitivity to model and data variations.