Table of Contents
Fetching ...

RvB: Automating AI System Hardening via Iterative Red-Blue Games

Lige Huang, Zicheng Liu, Jie Zhang, Lewen Yan, Dongrui Liu, Jing Shao

TL;DR

The paper introduces the Red Team vs Blue Team (RvB) framework, a training-free, sequential, imperfect-information game that drives dynamic AI system hardening through iterative red-blue interactions in an environment with externalized memory. By formalizing belief updates and decision-making around Bayesian evidence from remediation, the approach achieves progressively stronger defenses without parameter updates, and demonstrates strong defense performance and generalization across cyber security code hardening and jailbreak guardrail tasks. Key contributions include a formal model with information-theoretic analysis, rigorous experimentation showing Defense Success Rates of up to 90% (cyber) and 45% (content) with near-zero false positives, and evidence of cost-efficiency via targeted adversarial feedback. The results suggest that subjecting AI systems to adversarial pressure within a structured game-theoretic framework yields robust, generalizable hardening suitable for practical deployment and scalable to future security challenges.

Abstract

The dual offensive and defensive utility of Large Language Models (LLMs) highlights a critical gap in AI security: the lack of unified frameworks for dynamic, iterative adversarial adaptation hardening. To bridge this gap, we propose the Red Team vs. Blue Team (RvB) framework, formulated as a training-free, sequential, imperfect-information game. In this process, the Red Team exposes vulnerabilities, driving the Blue Team to learning effective solutions without parameter updates. We validate our framework across two challenging domains: dynamic code hardening against CVEs and guardrail optimization against jailbreaks. Our empirical results show that this interaction compels the Blue Team to learn fundamental defensive principles, leading to robust remediations that are not merely overfitted to specific exploits. RvB achieves Defense Success Rates of 90\% and 45\% across the respective tasks while maintaining near 0\% False Positive Rates, significantly surpassing baselines. This work establishes the iterative adversarial interaction framework as a practical paradigm that automates the continuous hardening of AI systems.

RvB: Automating AI System Hardening via Iterative Red-Blue Games

TL;DR

The paper introduces the Red Team vs Blue Team (RvB) framework, a training-free, sequential, imperfect-information game that drives dynamic AI system hardening through iterative red-blue interactions in an environment with externalized memory. By formalizing belief updates and decision-making around Bayesian evidence from remediation, the approach achieves progressively stronger defenses without parameter updates, and demonstrates strong defense performance and generalization across cyber security code hardening and jailbreak guardrail tasks. Key contributions include a formal model with information-theoretic analysis, rigorous experimentation showing Defense Success Rates of up to 90% (cyber) and 45% (content) with near-zero false positives, and evidence of cost-efficiency via targeted adversarial feedback. The results suggest that subjecting AI systems to adversarial pressure within a structured game-theoretic framework yields robust, generalizable hardening suitable for practical deployment and scalable to future security challenges.

Abstract

The dual offensive and defensive utility of Large Language Models (LLMs) highlights a critical gap in AI security: the lack of unified frameworks for dynamic, iterative adversarial adaptation hardening. To bridge this gap, we propose the Red Team vs. Blue Team (RvB) framework, formulated as a training-free, sequential, imperfect-information game. In this process, the Red Team exposes vulnerabilities, driving the Blue Team to learning effective solutions without parameter updates. We validate our framework across two challenging domains: dynamic code hardening against CVEs and guardrail optimization against jailbreaks. Our empirical results show that this interaction compels the Blue Team to learn fundamental defensive principles, leading to robust remediations that are not merely overfitted to specific exploits. RvB achieves Defense Success Rates of 90\% and 45\% across the respective tasks while maintaining near 0\% False Positive Rates, significantly surpassing baselines. This work establishes the iterative adversarial interaction framework as a practical paradigm that automates the continuous hardening of AI systems.
Paper Structure (48 sections, 8 equations, 11 figures, 3 tables)

This paper contains 48 sections, 8 equations, 11 figures, 3 tables.

Figures (11)

  • Figure 1: The Red vs. Blue (RvB) framework across successive states ($S_1 \rightarrow S_N$). The Attack Complexity (AC) represents the escalating sophistication and specificity of exploits required to bypass the hardening environment as epistemic uncertainty decreases. The Defense Success Rate (DSR) measures the Blue Team's growing efficacy in neutralizing vulnerabilities through iterative fixes.
  • Figure 2: Overview of the RvB Framework. Modeled as a sequential, imperfect-information game, the process drives system hardening ($S_1 \to S_N$) through iterative adversarial interactions. The environment acts as an externalized memory, necessitating the iterative adversarial adaptation of agent strategies without requiring internal model parameter updates.
  • Figure 3: Overview of the iterative Red-Blue adversarial loop. At each state $t$, the Red Team probes the environment (1) to generate a vulnerability report (2). The Blue Team utilizes this report to apply a patch (3), updating the system to state $t+1$ (4). A final verification (5) confirms if the vulnerability is mitigated.
  • Figure 4: Performance trajectory of the Red and Blue agents across 5 iterations. The bar chart (left axis) represents the cumulative count of successful exploits discovered by the Red Team, while the line graph (right axis) tracks the Blue Team's Defense Success Rate (DSR). The convergence toward a high DSR alongside sustained attack intensity validates the framework's effectiveness in automated security hardening.
  • Figure 5: Comparative analysis of defense robustness between the Baseline and RvB frameworks. The solid lines track the True Defense Success Rate (TDSR), representing valid fixes, while the dashed lines indicate the Fake Defense Success Rate (FDSR). The purple line highlights the significant Service Disruption Rate (SDR) in the Baseline, caused by destructive patches. In contrast, the RvB framework (brown line) maintains a near-zero SDR, demonstrating that adversarial feedback ensures high-quality remediation without compromising service availability.
  • ...and 6 more figures