Jailbreaking Attacks vs. Content Safety Filters: How Far Are We in the LLM Safety Arms Race?
Yuan Xin, Dingfan Chen, Linyi Yang, Michael Backes, Xiao Zhang
TL;DR
This paper investigates whether content safety filters can effectively block jailbreak attacks in LLM deployment pipelines, beyond model-level defenses. It formalizes a measurement framework that combines an LLM, a harm-detection judge, and various safety filters, and evaluates a curated dataset of 417 harmful prompts with benign counterparts across 10 categories on multiple open-weight and commercial LLMs using 10 jailbreak techniques. The key findings show that safety filters substantially reduce attack success in practice, with input-stage detectors often achieving high recall and overall pass rates typically under 5%, though there is a notable trade-off with false positives and usability. The work highlights variations in detector performance across models and attack types, demonstrates the practicality of system-level defenses, and calls for ongoing refinement of detection accuracy, efficiency, and broader, community-driven benchmarking to strengthen LLM safety in real-world deployments.
Abstract
As large language models (LLMs) are increasingly deployed, ensuring their safe use is paramount. Jailbreaking, adversarial prompts that bypass model alignment to trigger harmful outputs, present significant risks, with existing studies reporting high success rates in evading common LLMs. However, previous evaluations have focused solely on the models, neglecting the full deployment pipeline, which typically incorporates additional safety mechanisms like content moderation filters. To address this gap, we present the first systematic evaluation of jailbreak attacks targeting LLM safety alignment, assessing their success across the full inference pipeline, including both input and output filtering stages. Our findings yield two key insights: first, nearly all evaluated jailbreak techniques can be detected by at least one safety filter, suggesting that prior assessments may have overestimated the practical success of these attacks; second, while safety filters are effective in detection, there remains room to better balance recall and precision to further optimize protection and user experience. We highlight critical gaps and call for further refinement of detection accuracy and usability in LLM safety systems.
