Pith. sign in

REVIEW 16 cited by

AdvPrompter: Fast Adaptive Adversarial Prompting for LLMs

Not yet reviewed by Pith; the record is open.

This paper has not been read by Pith yet. Machine review is queued; the pith claim, tier, and objections will appear here once it completes.

SPECIMEN: schema-true, not a live event

T0 review · schema-true

One-sentence machine reading of the paper's core claim.

pith:XXXXXXXX · record.json · timestamp

arxiv 2404.16873 v2 pith:HKGF2EBJ submitted 2024-04-21 cs.CR cs.AIcs.CLcs.LG

AdvPrompter: Fast Adaptive Adversarial Prompting for LLMs

classification cs.CR cs.AIcs.CLcs.LG
keywords adversarialadvprompterllmsattacksgenerationharmfuljailbreakingprompts
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved
0 comments
read the original abstract

Large Language Models (LLMs) are vulnerable to jailbreaking attacks that lead to generation of inappropriate or harmful content. Manual red-teaming requires a time-consuming search for adversarial prompts, whereas automatic adversarial prompt generation often leads to semantically meaningless attacks that do not scale well. In this paper, we present a novel method that uses another LLM, called AdvPrompter, to generate human-readable adversarial prompts in seconds. AdvPrompter, which is trained using an alternating optimization algorithm, generates suffixes that veil the input instruction without changing its meaning, such that the TargetLLM is lured to give a harmful response. Experimental results on popular open source TargetLLMs show highly competitive results on the AdvBench and HarmBench datasets, that also transfer to closed-source black-box LLMs. We also show that training on adversarial suffixes generated by AdvPrompter is a promising strategy for improving the robustness of LLMs to jailbreaking attacks.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 16 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Out of Sight: Compression-Aware Content Protection against Agentic Crawlers

    cs.CR 2026-07 conditional novelty 7.0

    Invisible Unicode perturbations, optimized from surrogate compressors then adapted by prior-guided evolution under a low query budget, cause large information loss in agent context compression without changing human-v...

  2. How Reliable Is Your Jailbreak Judge? Calibration and Adversarial Robustness of Automated ASR Scoring

    cs.CL 2026-06 unverdicted novelty 7.0

    Automated ASR judges (safety classifiers and LLM prompts) show mismatched calibration to humans and low robustness to framing attacks on 596 HarmBench examples, making many reported rates unreliable.

  3. How Reliable Is Your Jailbreak Judge? Calibration and Adversarial Robustness of Automated ASR Scoring

    cs.CL 2026-06 accept novelty 7.0

    Automated judges for LLM jailbreak ASR show opposite calibration failures and low robustness, with LLM judges flipped by benign framing and classifiers vulnerable to white-box attacks.

  4. LASH: Adaptive Semantic Hybridization for Black-Box Jailbreaking of Large Language Models

    cs.CL 2026-05 unverdicted novelty 7.0

    LASH adaptively composes multiple jailbreak seed prompts via genetic search over subsets and mixture weights to reach 84.5% keyword ASR and 74.5% two-stage ASR on JailbreakBench while using only 30 queries per prompt.

  5. Evaluating Answer Leakage Robustness of LLM Tutors against Adversarial Student Attacks

    cs.CR 2026-04 unverdicted novelty 7.0

    LLM tutors leak answers under adversarial student attacks, but a fine-tuned jailbreak agent and simple defenses can benchmark and improve robustness.

  6. Efficient Safety Alignment of Language Models via Latent Personality Traits

    cs.LG 2026-07 conditional novelty 6.0

    Latent adversarial training on 66 harm-agnostic Big-Five personality statements yields near-zero HarmBench ASR across direct requests and five jailbreaks while preserving utility.

  7. Adversarial Diffusion Across Modalities: A Fusion Survey of Attacks, Defenses, and Evaluation for Text, Vision, and Vision-Language Models

    cs.CR 2026-06 unverdicted novelty 6.0

    A narrative survey that catalogs fifty papers on diffusion-based adversarial techniques across text, vision, and vision-language models, proposes a six-class taxonomy of diffusion roles plus a unified five-dimension e...

  8. Black-box, Adaptive, Efficient, Transferable, Harmful, Applicable... Attacks Are All You Need to Break LLMs

    cs.CR 2026-06 unverdicted novelty 6.0

    IHO is a new black-box jailbreak attack for LLMs that is adaptive, efficient, transferable across models and behaviors, and effective even against layered defenses without modification.

  9. TEMPLATEFUZZ: Fine-Grained Chat Template Fuzzing for Jailbreaking and Red Teaming LLMs

    cs.CR 2026-04 unverdicted novelty 6.0

    TEMPLATEFUZZ mutates chat templates with element-level rules and heuristic search to reach 98.2% average jailbreak success rate on twelve open-source LLMs while degrading accuracy by only 1.1%.

  10. SABER: A Stealthy Agentic Black-Box Attack Framework for Vision-Language-Action Models

    cs.RO 2026-03 unverdicted novelty 6.0

    SABER uses a trained ReAct agent to produce bounded adversarial edits to robot instructions, cutting task success by 20.6% and increasing execution length and violations on the LIBERO benchmark across six VLA models.

  11. Red-Bandit: Test-Time Adaptation for LLM Red-Teaming via Bandit-Guided LoRA Experts

    cs.CL 2025-10 unverdicted novelty 6.0

    Red-Bandit adapts online to LLM failure modes by dynamically selecting among RL-trained LoRA attack-style experts via a bandit policy, reporting SOTA ASR@10 on AdvBench with lower-perplexity prompts.

  12. Uncovering Logit Suppression Vulnerabilities in LLM Safety Alignment

    cs.CR 2024-05 unverdicted novelty 6.0

    SSAG bypasses logit suppression in five LLMs to produce harmful responses at 95% success rate and 86% lower latency; VulMine reaches 77% attack success against defenses.

  13. AnchorKV: Safety-Aware KV Cache Compression via Soft Penalty with a Refusal Anchor

    cs.LG 2026-06 unverdicted novelty 5.0

    AnchorKV augments KV cache compression with a soft penalty derived from a refusal anchor in key space to improve safety alignment against jailbreaks while preserving most utility.

  14. New Wide-Net-Casting Jailbreak Attacks Risk Large Models

    cs.CR 2026-05 unverdicted novelty 5.0

    The paper demonstrates that a tailored jailbreak method for querying groups of large models can achieve up to 100% success rate in some experiments on unprotected models, revealing overlooked multi-model safety risks.

  15. DeepSeek Robustness Against Semantic-Character Dual-Space Mutated Prompt Injection

    cs.CR 2026-04 unverdicted novelty 4.0

    Dual-space semantic-character mutations on prompts achieve higher misuse success rates against DeepSeek than single-space attacks alone.

  16. Jailbreak Attacks and Defenses Against Large Language Models: A Survey

    cs.CR 2024-07 accept novelty 4.0

    A survey that creates taxonomies for jailbreak attacks and defenses on LLMs, subdivides them into sub-classes, and compares evaluation approaches.