Table of Contents
Fetching ...

ICON: Intent-Context Coupling for Efficient Multi-Turn Jailbreak Attack

Xingwei Lin, Wenhao Lin, Sicong Cao, Jiahao Yu, Renke Huang, Lei Xue, Chunming Wu

TL;DR

This work investigates how aligning malicious intent with specific semantic context patterns can relax LLM safety constraints, a phenomenon termed Intent-Context Coupling. It introduces ICON, a closed-loop framework that uses prior-guided contextual routing to map intents to semantically congruent authoritative-style contexts, followed by structured prompt instantiation and a two-tier hierarchical optimization to refine or switch contexts as needed. Empirically, ICON achieves a state-of-the-art average attack success rate of 97.1% across eight LLMs and demonstrates strong transferability and robustness against defenses, while improving efficiency relative to baselines. The findings highlight actionable vulnerabilities and provide a principled approach to strengthen defenses by incorporating context-aware alignment and adaptive prompt strategies.

Abstract

Multi-turn jailbreak attacks have emerged as a critical threat to Large Language Models (LLMs), bypassing safety mechanisms by progressively constructing adversarial contexts from scratch and incrementally refining prompts. However, existing methods suffer from the inefficiency of incremental context construction that requires step-by-step LLM interaction, and often stagnate in suboptimal regions due to surface-level optimization. In this paper, we characterize the Intent-Context Coupling phenomenon, revealing that LLM safety constraints are significantly relaxed when a malicious intent is coupled with a semantically congruent context pattern. Driven by this insight, we propose ICON, an automated multi-turn jailbreak framework that efficiently constructs an authoritative-style context via prior-guided semantic routing. Specifically, ICON first routes the malicious intent to a congruent context pattern (e.g., Scientific Research) and instantiates it into an attack prompt sequence. This sequence progressively builds the authoritative-style context and ultimately elicits prohibited content. In addition, ICON incorporates a Hierarchical Optimization Strategy that combines local prompt refinement with global context switching, preventing the attack from stagnating in ineffective contexts. Experimental results across eight SOTA LLMs demonstrate the effectiveness of ICON, achieving a state-of-the-art average Attack Success Rate (ASR) of 97.1\%. Code is available at https://github.com/xwlin-roy/ICON.

ICON: Intent-Context Coupling for Efficient Multi-Turn Jailbreak Attack

TL;DR

This work investigates how aligning malicious intent with specific semantic context patterns can relax LLM safety constraints, a phenomenon termed Intent-Context Coupling. It introduces ICON, a closed-loop framework that uses prior-guided contextual routing to map intents to semantically congruent authoritative-style contexts, followed by structured prompt instantiation and a two-tier hierarchical optimization to refine or switch contexts as needed. Empirically, ICON achieves a state-of-the-art average attack success rate of 97.1% across eight LLMs and demonstrates strong transferability and robustness against defenses, while improving efficiency relative to baselines. The findings highlight actionable vulnerabilities and provide a principled approach to strengthen defenses by incorporating context-aware alignment and adaptive prompt strategies.

Abstract

Multi-turn jailbreak attacks have emerged as a critical threat to Large Language Models (LLMs), bypassing safety mechanisms by progressively constructing adversarial contexts from scratch and incrementally refining prompts. However, existing methods suffer from the inefficiency of incremental context construction that requires step-by-step LLM interaction, and often stagnate in suboptimal regions due to surface-level optimization. In this paper, we characterize the Intent-Context Coupling phenomenon, revealing that LLM safety constraints are significantly relaxed when a malicious intent is coupled with a semantically congruent context pattern. Driven by this insight, we propose ICON, an automated multi-turn jailbreak framework that efficiently constructs an authoritative-style context via prior-guided semantic routing. Specifically, ICON first routes the malicious intent to a congruent context pattern (e.g., Scientific Research) and instantiates it into an attack prompt sequence. This sequence progressively builds the authoritative-style context and ultimately elicits prohibited content. In addition, ICON incorporates a Hierarchical Optimization Strategy that combines local prompt refinement with global context switching, preventing the attack from stagnating in ineffective contexts. Experimental results across eight SOTA LLMs demonstrate the effectiveness of ICON, achieving a state-of-the-art average Attack Success Rate (ASR) of 97.1\%. Code is available at https://github.com/xwlin-roy/ICON.
Paper Structure (40 sections, 16 equations, 6 figures, 5 tables)

This paper contains 40 sections, 16 equations, 6 figures, 5 tables.

Figures (6)

  • Figure 1: Heatmap of the Intent-Context Coupling phenomenon. Values represent row-wise min-max normalized StrongREJECT (StR) scores across malicious intents and authoritative-style context patterns.
  • Figure 2: Overview of the ICON framework.Left: Intent-Driven Contextual Routing classifies the malicious query, routes it to an optimal context pattern, and generates an authoritative-style attack sequence. Middle: Multi-turn conversation progressively builds context plausibility before delivering the attack prompt. Right: Hierarchical Optimization refines prompts (tactical level) or switches contexts (strategic level) upon failure.
  • Figure 3: Attack transferability across models. Transfer ASR on target models (columns) when prompts optimized on source models (rows) are applied.
  • Figure 4: Attack Coverage Analysis. Comparison of ASR across ten distinct malicious intent categories on Llama-4.
  • Figure 5: Cumulative Convergence of Attack Success. (a) Convergence by the number of queries sent to the target. (b) Convergence by the total tokens consumed throughout the entire generation process to produce the final attack prompt.
  • ...and 1 more figures