The reviewed record of science sign in
Pith

arxiv: 2507.02956 · v1 · pith:RDX32DKS · submitted 2025-06-29 · cs.CR · cs.AI

A Representation Engineering Perspective on the Effectiveness of Multi-Turn Jailbreaks

Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 kernel pith:RDX32DKSrecord.jsonopen to challenge →

classification cs.CR cs.AI
keywords modelmulti-turnattackscrescendojailbreakbenigndefenseseffectiveness
0
0 comments X
read the original abstract

Recent research has demonstrated that state-of-the-art LLMs and defenses remain susceptible to multi-turn jailbreak attacks. These attacks require only closed-box model access and are often easy to perform manually, posing a significant threat to the safe and secure deployment of LLM-based systems. We study the effectiveness of the Crescendo multi-turn jailbreak at the level of intermediate model representations and find that safety-aligned LMs often represent Crescendo responses as more benign than harmful, especially as the number of conversation turns increases. Our analysis indicates that at each turn, Crescendo prompts tend to keep model outputs in a "benign" region of representation space, effectively tricking the model into fulfilling harmful requests. Further, our results help explain why single-turn jailbreak defenses like circuit breakers are generally ineffective against multi-turn attacks, motivating the development of mitigations that address this generalization gap.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 4 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. On the Inseparability of Instructions and Data in Shared-Embedding Sequence Models

    cs.CR 2026-06 unverdicted novelty 7.0

    Shared-embedding sequence models cannot achieve Semantic-Faithful Control over control-authoritative actions due to provenance-recovery impossibility, control-path exposure, and finite-coverage invariance gap.

  2. Mitigating Many-shot Jailbreak Attacks with One Single Demonstration

    cs.CR 2026-05 conditional novelty 7.0

    A single safety demonstration appended at inference time mitigates many-shot jailbreak attacks by counteracting implicit malicious fine-tuning on harmful examples.

  3. The Salami Slicing Threat: Exploiting Cumulative Risks in LLM Systems

    cs.CR 2026-04 unverdicted novelty 6.0

    Salami Attack chains low-risk inputs to cumulatively trigger high-risk LLM behaviors, achieving over 90% success on GPT-4o and Gemini while resisting some defenses.

  4. From AI-Generated Content to Agentic Action: Security and Safety Threats in Generative AI

    cs.CR 2026-05 unverdicted novelty 3.0

    The paper analyzes evolving security and safety threats in generative AI from content generation to agentic actions, noting that attack surfaces expand faster than defenses and that many safeguards require institution...