Table of Contents
Fetching ...

Statistical Estimation of Adversarial Risk in Large Language Models under Best-of-N Sampling

Mingqian Feng, Xiaodong Liu, Weiwei Yang, Chenliang Xu, Christopher White, Jianfeng Gao

TL;DR

This work tackles the challenge of realistically evaluating adversarial risk in large language models under Best-of-N sampling. It models per-query jailbreak success with a Beta prior to capture heterogeneity across harmful queries and derives a closed-form scaling law linking small-budget observations to large-budget risk, $\mathrm{ASR}@N \approx 1 - \frac{\Gamma(\alpha+\beta)}{\Gamma(\beta)} N^{-\alpha}$. By fitting $\alpha$ and $\beta$ via Beta--Binomial MLE from limited data, SABER enables accurate extrapolation to large $N$, including anchored and plug-in variants, with uncertainty quantification. Experiments on HarmBench show substantial reductions in estimation error (e.g., MAE drop from 12.04 to 1.66 for $\mathrm{ASR}@1000$) and reveal heterogeneous risk scaling profiles that challenge conclusions drawn from $\mathrm{ASR}@1$ alone. Practically, SABER provides a scalable, low-cost methodology for realistic safety assessment and risk benchmarking of LLMs under parallel adversarial pressure.

Abstract

Large Language Models (LLMs) are typically evaluated for safety under single-shot or low-budget adversarial prompting, which underestimates real-world risk. In practice, attackers can exploit large-scale parallel sampling to repeatedly probe a model until a harmful response is produced. While recent work shows that attack success increases with repeated sampling, principled methods for predicting large-scale adversarial risk remain limited. We propose a scaling-aware Best-of-N estimation of risk, SABER, for modeling jailbreak vulnerability under Best-of-N sampling. We model sample-level success probabilities using a Beta distribution, the conjugate prior of the Bernoulli distribution, and derive an analytic scaling law that enables reliable extrapolation of large-N attack success rates from small-budget measurements. Using only n=100 samples, our anchored estimator predicts ASR@1000 with a mean absolute error of 1.66, compared to 12.04 for the baseline, which is an 86.2% reduction in estimation error. Our results reveal heterogeneous risk scaling profiles and show that models appearing robust under standard evaluation can experience rapid nonlinear risk amplification under parallel adversarial pressure. This work provides a low-cost, scalable methodology for realistic LLM safety assessment. We will release our code and evaluation scripts upon publication to future research.

Statistical Estimation of Adversarial Risk in Large Language Models under Best-of-N Sampling

TL;DR

This work tackles the challenge of realistically evaluating adversarial risk in large language models under Best-of-N sampling. It models per-query jailbreak success with a Beta prior to capture heterogeneity across harmful queries and derives a closed-form scaling law linking small-budget observations to large-budget risk, . By fitting and via Beta--Binomial MLE from limited data, SABER enables accurate extrapolation to large , including anchored and plug-in variants, with uncertainty quantification. Experiments on HarmBench show substantial reductions in estimation error (e.g., MAE drop from 12.04 to 1.66 for ) and reveal heterogeneous risk scaling profiles that challenge conclusions drawn from alone. Practically, SABER provides a scalable, low-cost methodology for realistic safety assessment and risk benchmarking of LLMs under parallel adversarial pressure.

Abstract

Large Language Models (LLMs) are typically evaluated for safety under single-shot or low-budget adversarial prompting, which underestimates real-world risk. In practice, attackers can exploit large-scale parallel sampling to repeatedly probe a model until a harmful response is produced. While recent work shows that attack success increases with repeated sampling, principled methods for predicting large-scale adversarial risk remain limited. We propose a scaling-aware Best-of-N estimation of risk, SABER, for modeling jailbreak vulnerability under Best-of-N sampling. We model sample-level success probabilities using a Beta distribution, the conjugate prior of the Bernoulli distribution, and derive an analytic scaling law that enables reliable extrapolation of large-N attack success rates from small-budget measurements. Using only n=100 samples, our anchored estimator predicts ASR@1000 with a mean absolute error of 1.66, compared to 12.04 for the baseline, which is an 86.2% reduction in estimation error. Our results reveal heterogeneous risk scaling profiles and show that models appearing robust under standard evaluation can experience rapid nonlinear risk amplification under parallel adversarial pressure. This work provides a low-cost, scalable methodology for realistic LLM safety assessment. We will release our code and evaluation scripts upon publication to future research.
Paper Structure (40 sections, 3 theorems, 73 equations, 12 figures, 6 tables)

This paper contains 40 sections, 3 theorems, 73 equations, 12 figures, 6 tables.

Key Result

Theorem 3.1

Let $\theta \sim \mathrm{Beta}(\alpha,\beta)$ with $\alpha>0$ and $\beta>0$. Conditional on $\theta$, let $X_j \mid \theta \sim \mathrm{Bernoulli}(\theta)$, $j=1,2,...$, and define $X^{(N)} \coloneqq \bigvee_{j=1}^N X_j$. Then, we have,

Figures (12)

  • Figure 1: Overview of our SABER risk estimation framework. Given an attacker--victim--judge triplet $(\mathcal{A}, \mathcal{V}, \mathcal{J})$, we collect $n$ attack attempts per query (Stage 1), fit the distribution (Stage 2), and extrapolate to $\mathrm{ASR}@N$ for large $N$ using our SABER estimator (Stage 3).
  • Figure 2: Attack Success Rate at $N$ attempts (ASR@N) against GPT-4.1-mini on HarmBench.
  • Figure 3: Density of $\hat{\alpha},\hat{\beta}$ on different $n$. GT denotes ground-truth.
  • Figure 4: MAE across 3 settings. (a) Larger measurement budget $n$ reduces MAE. (b) Extrapolating to larger $N$ increases MAE. (c) Compare three variants in $n=100, N=500$ and $n=200, N=1000$, respectively.
  • Figure 5: Small-$N$ MAE averaged across all triplets on HarmBench.
  • ...and 7 more figures

Theorems & Definitions (6)

  • Theorem 3.1: OR-aggregated Beta--Bernoulli hierarchy
  • Theorem 3.3: Scaling law for Best-of-$N$ adversarial risk
  • Lemma 2.1: Gamma ratio, first-order expansion
  • proof
  • proof : Proof of \ref{['thm:beta-bernoulli-asymp']}
  • proof : Proof of \ref{['thm:asr-asymp']}