Table of Contents
Fetching ...

Multi-Turn Jailbreaking of Aligned LLMs via Lexical Anchor Tree Search

Devang Kulshreshtha, Hang Su, Chinmay Hegde, Haohan Wang

TL;DR

This work introduces Lexical Anchor Tree Search (LATS), a black-box, attacker-LLM-free method that reframes jailbreaking as a breadth-first search over multi-turn dialogues guided by lexical anchors. By incrementally injecting missing anchor words and expanding along promising paraphrase paths, LATS achieves high attack success rates with a minimal query budget, outperforming both single-turn and prior multi-turn baselines across nine LLMs on AdvBench and HarmBench. The approach reveals that conversational structure is an under-defended attack surface, and it remains robust against common defenses like ICD, PromptGuard, and Goal Prioritization, while maintaining efficiency. The authors provide extensive experimental evidence of LATS’s effectiveness and offer open-source code to support reproducibility and further defense research.

Abstract

Most jailbreak methods achieve high attack success rates (ASR) but require attacker LLMs to craft adversarial queries and/or demand high query budgets. These resource limitations make jailbreaking expensive, and the queries generated by attacker LLMs often consist of non-interpretable random prefixes. This paper introduces Lexical Anchor Tree Search (), addressing these limitations through an attacker-LLM-free method that operates purely via lexical anchor injection. LATS reformulates jailbreaking as a breadth-first tree search over multi-turn dialogues, where each node incrementally injects missing content words from the attack goal into benign prompts. Evaluations on AdvBench and HarmBench demonstrate that LATS achieves 97-100% ASR on latest GPT, Claude, and Llama models with an average of only ~6.4 queries, compared to 20+ queries required by other methods. These results highlight conversational structure as a potent and under-protected attack surface, while demonstrating superior query efficiency in an era where high ASR is readily achievable. Our code will be released to support reproducibility.

Multi-Turn Jailbreaking of Aligned LLMs via Lexical Anchor Tree Search

TL;DR

This work introduces Lexical Anchor Tree Search (LATS), a black-box, attacker-LLM-free method that reframes jailbreaking as a breadth-first search over multi-turn dialogues guided by lexical anchors. By incrementally injecting missing anchor words and expanding along promising paraphrase paths, LATS achieves high attack success rates with a minimal query budget, outperforming both single-turn and prior multi-turn baselines across nine LLMs on AdvBench and HarmBench. The approach reveals that conversational structure is an under-defended attack surface, and it remains robust against common defenses like ICD, PromptGuard, and Goal Prioritization, while maintaining efficiency. The authors provide extensive experimental evidence of LATS’s effectiveness and offer open-source code to support reproducibility and further defense research.

Abstract

Most jailbreak methods achieve high attack success rates (ASR) but require attacker LLMs to craft adversarial queries and/or demand high query budgets. These resource limitations make jailbreaking expensive, and the queries generated by attacker LLMs often consist of non-interpretable random prefixes. This paper introduces Lexical Anchor Tree Search (), addressing these limitations through an attacker-LLM-free method that operates purely via lexical anchor injection. LATS reformulates jailbreaking as a breadth-first tree search over multi-turn dialogues, where each node incrementally injects missing content words from the attack goal into benign prompts. Evaluations on AdvBench and HarmBench demonstrate that LATS achieves 97-100% ASR on latest GPT, Claude, and Llama models with an average of only ~6.4 queries, compared to 20+ queries required by other methods. These results highlight conversational structure as a potent and under-protected attack surface, while demonstrating superior query efficiency in an era where high ASR is readily achievable. Our code will be released to support reproducibility.
Paper Structure (35 sections, 1 equation, 7 figures, 4 tables, 1 algorithm)

This paper contains 35 sections, 1 equation, 7 figures, 4 tables, 1 algorithm.

Figures (7)

  • Figure 1: Overview of LATS. Starting from a heterogeneous seed pool, the attacker (1) inspects whether any existing pair already breaks the policy, (2) ranks candidates by semantic proximity to the malicious goal, and if needed (3) expands the search tree by injecting missing anchor words.
  • Figure 2: Illustration of Lexically-Anchored Tree Search (LATS). A breadth-first queue pops nodes, checks top-$k$ completions for a jailbreak match, and—if unsuccessful—spawns child nodes by injecting anchor words. The process halts on the first successful leaf or when depth $D_{\max}$ is reached.
  • Figure 3: Query efficiency comparison across jailbreak methods on AdvBench dataset. LATS achieves the lowest average query count while maintaining high ASR, demonstrating superior query efficiency.
  • Figure 4: Attack-success rate (ASR) versus conversation depth for various models on AdvBench dataset. All depths use branching factor $k=3$ and retries $R_{retry}=2$.
  • Figure 5: Attack-success rate (ASR) versus branching factor (number of children per node) for various models on AdvBench dataset. All points use tree depth $d=3$ and retries $R_{retry}=2$.
  • ...and 2 more figures