Table of Contents
Fetching ...

How Real is Your Jailbreak? Fine-grained Jailbreak Evaluation with Anchored Reference

Songyang Liu, Chaozhuo Li, Rui Pu, Litian Zhang, Chenxu Wang, Zejian Chen, Yuting Zhang, Yiming Hei

TL;DR

This work tackles the problem that automated jailbreak evaluations overstate attack success by focusing mainly on harmful content. It presents FJAR, a fine-grained jailbreak evaluation framework that uses anchored references constructed via harmless tree decomposition to guide a four-stage assessment of responses against a triplet framework $<q, a, r>$. The taxonomy of Rejective, Irrelevant, Unhelpful, Incorrect, and Successful enables diagnostic analysis of failure modes and root causes of jailbreak weaknesses. Empirical results across multiple open- and closed-source models show that FJAR aligns more closely with human judgments than baselines and provides actionable guidance for improving attack strategies, enhancing reliability and interpretability for safety researchers and developers.

Abstract

Jailbreak attacks present a significant challenge to the safety of Large Language Models (LLMs), yet current automated evaluation methods largely rely on coarse classifications that focus mainly on harmfulness, leading to substantial overestimation of attack success. To address this problem, we propose FJAR, a fine-grained jailbreak evaluation framework with anchored references. We first categorized jailbreak responses into five fine-grained categories: Rejective, Irrelevant, Unhelpful, Incorrect, and Successful, based on the degree to which the response addresses the malicious intent of the query. This categorization serves as the basis for FJAR. Then, we introduce a novel harmless tree decomposition approach to construct high-quality anchored references by breaking down the original queries. These references guide the evaluator in determining whether the response genuinely fulfills the original query. Extensive experiments demonstrate that FJAR achieves the highest alignment with human judgment and effectively identifies the root causes of jailbreak failures, providing actionable guidance for improving attack strategies.

How Real is Your Jailbreak? Fine-grained Jailbreak Evaluation with Anchored Reference

TL;DR

This work tackles the problem that automated jailbreak evaluations overstate attack success by focusing mainly on harmful content. It presents FJAR, a fine-grained jailbreak evaluation framework that uses anchored references constructed via harmless tree decomposition to guide a four-stage assessment of responses against a triplet framework . The taxonomy of Rejective, Irrelevant, Unhelpful, Incorrect, and Successful enables diagnostic analysis of failure modes and root causes of jailbreak weaknesses. Empirical results across multiple open- and closed-source models show that FJAR aligns more closely with human judgments than baselines and provides actionable guidance for improving attack strategies, enhancing reliability and interpretability for safety researchers and developers.

Abstract

Jailbreak attacks present a significant challenge to the safety of Large Language Models (LLMs), yet current automated evaluation methods largely rely on coarse classifications that focus mainly on harmfulness, leading to substantial overestimation of attack success. To address this problem, we propose FJAR, a fine-grained jailbreak evaluation framework with anchored references. We first categorized jailbreak responses into five fine-grained categories: Rejective, Irrelevant, Unhelpful, Incorrect, and Successful, based on the degree to which the response addresses the malicious intent of the query. This categorization serves as the basis for FJAR. Then, we introduce a novel harmless tree decomposition approach to construct high-quality anchored references by breaking down the original queries. These references guide the evaluator in determining whether the response genuinely fulfills the original query. Extensive experiments demonstrate that FJAR achieves the highest alignment with human judgment and effectively identifies the root causes of jailbreak failures, providing actionable guidance for improving attack strategies.
Paper Structure (22 sections, 3 figures, 3 tables, 1 algorithm)

This paper contains 22 sections, 3 figures, 3 tables, 1 algorithm.

Figures (3)

  • Figure 1: An illustration of the comparison between FJAR and other automated methods, with human judgment as the standard.
  • Figure 2: The framework of FJAR.
  • Figure 3: The normalized results of FJAR fine-grained taxonomy classification after excluding the "Successful" category.