{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2023:K2QZLT2REVSUB3AKRWQNHHV3QG","short_pith_number":"pith:K2QZLT2R","schema_version":"1.0","canonical_sha256":"56a195cf51256540ec0a8da0d39ebb81ab9c96f184cadfe0760f34be92bd8147","source":{"kind":"arxiv","id":"2310.03684","version":4},"attestation_state":"computed","paper":{"title":"SmoothLLM: Defending Large Language Models Against Jailbreaking Attacks","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"SmoothLLM defends large language models against jailbreaking by perturbing input prompts at the character level and aggregating multiple responses.","cross_cats":["cs.AI","stat.ML"],"primary_cat":"cs.LG","authors_text":"Alexander Robey, Eric Wong, George J. Pappas, Hamed Hassani","submitted_at":"2023-10-05T17:01:53Z","abstract_excerpt":"Despite efforts to align large language models (LLMs) with human intentions, widely-used LLMs such as GPT, Llama, and Claude are susceptible to jailbreaking attacks, wherein an adversary fools a targeted LLM into generating objectionable content. To address this vulnerability, we propose SmoothLLM, the first algorithm designed to mitigate jailbreaking attacks. Based on our finding that adversarially-generated prompts are brittle to character-level changes, our defense randomly perturbs multiple copies of a given input prompt, and then aggregates the corresponding predictions to detect adversar"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":true,"formal_links_present":true},"canonical_record":{"source":{"id":"2310.03684","kind":"arxiv","version":4},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.LG","submitted_at":"2023-10-05T17:01:53Z","cross_cats_sorted":["cs.AI","stat.ML"],"title_canon_sha256":"89fc6da0f5aff8ded674be064675018faded353b0b657723c5963c1f63e1f125","abstract_canon_sha256":"ae3f73f4124184aa1324e4578cd1c2228d3f9a62f7c6ffbe48b6caee68cb70d8"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:39:22.348925Z","signature_b64":"3xIOSlwmNIBSzaNak1TM66LLfDDxxOsf/hV3K4QLy0OGdO5Is6vTsUszQlDAmY87IYN+QcB0YzvedfxlZq5aCw==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"56a195cf51256540ec0a8da0d39ebb81ab9c96f184cadfe0760f34be92bd8147","last_reissued_at":"2026-05-17T23:39:22.348164Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:39:22.348164Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"SmoothLLM: Defending Large Language Models Against Jailbreaking Attacks","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"SmoothLLM defends large language models against jailbreaking by perturbing input prompts at the character level and aggregating multiple responses.","cross_cats":["cs.AI","stat.ML"],"primary_cat":"cs.LG","authors_text":"Alexander Robey, Eric Wong, George J. Pappas, Hamed Hassani","submitted_at":"2023-10-05T17:01:53Z","abstract_excerpt":"Despite efforts to align large language models (LLMs) with human intentions, widely-used LLMs such as GPT, Llama, and Claude are susceptible to jailbreaking attacks, wherein an adversary fools a targeted LLM into generating objectionable content. To address this vulnerability, we propose SmoothLLM, the first algorithm designed to mitigate jailbreaking attacks. Based on our finding that adversarially-generated prompts are brittle to character-level changes, our defense randomly perturbs multiple copies of a given input prompt, and then aggregates the corresponding predictions to detect adversar"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"Across a range of popular LLMs, SmoothLLM sets the state-of-the-art for robustness against the GCG, PAIR, RandomSearch, and AmpleGCG jailbreaks.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"Adversarially-generated prompts are brittle to character-level changes, which is the core empirical finding used to justify random perturbation and aggregation.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"SmoothLLM mitigates jailbreaking attacks on LLMs by randomly perturbing multiple copies of a prompt at the character level and aggregating the outputs to detect adversarial inputs.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"SmoothLLM defends large language models against jailbreaking by perturbing input prompts at the character level and aggregating multiple responses.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"793c580c3c59968310459d493ce95a6d2cf89bb537d5efd5929a73d0aea503aa"},"source":{"id":"2310.03684","kind":"arxiv","version":4},"verdict":{"id":"36bd2177-17e8-4757-b4a4-86798714b5be","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-14T17:05:31.423908Z","strongest_claim":"Across a range of popular LLMs, SmoothLLM sets the state-of-the-art for robustness against the GCG, PAIR, RandomSearch, and AmpleGCG jailbreaks.","one_line_summary":"SmoothLLM mitigates jailbreaking attacks on LLMs by randomly perturbing multiple copies of a prompt at the character level and aggregating the outputs to detect adversarial inputs.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"Adversarially-generated prompts are brittle to character-level changes, which is the core empirical finding used to justify random perturbation and aggregation.","pith_extraction_headline":"SmoothLLM defends large language models against jailbreaking by perturbing input prompts at the character level and aggregating multiple responses."},"references":{"count":91,"sample":[{"doi":"","year":2009,"title":"RealToxicityPrompts: Evaluating Neural Toxic Degeneration in Language Models","work_id":"6a137b3a-68fe-4f2e-aad1-ca042346408f","ref_index":1,"cited_arxiv_id":"2009.11462","is_internal_anchor":true},{"doi":"","year":2016,"title":"The ai alignment problem: why it is hard, and where to start","work_id":"afbc50a2-46bb-4a39-9aca-47eeb613457a","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2020,"title":"Artificial intelligence, values, and alignment","work_id":"d9c231dd-dfd0-4b73-bda4-8fc8c7ad2a5f","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"The alignment problem: Machine learning and human values","work_id":"13d2d97d-4163-4819-9541-d3968ab50a98","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2023,"title":"Regulating chatgpt and other large generative ai models","work_id":"2dcc9e2c-5741-43a9-8f9f-c90551ceb9aa","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":91,"snapshot_sha256":"99b01a8e219fb2b6416486402c9771452dae43eea4271e1604b827848230119b","internal_anchors":23},"formal_canon":{"evidence_count":2,"snapshot_sha256":"498243ea3a4e56c45c2fc2e8d519270374d343ca0189021052f3c8335a926eae"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2310.03684","created_at":"2026-05-17T23:39:22.348288+00:00"},{"alias_kind":"arxiv_version","alias_value":"2310.03684v4","created_at":"2026-05-17T23:39:22.348288+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2310.03684","created_at":"2026-05-17T23:39:22.348288+00:00"},{"alias_kind":"pith_short_12","alias_value":"K2QZLT2REVSU","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_16","alias_value":"K2QZLT2REVSUB3AK","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_8","alias_value":"K2QZLT2R","created_at":"2026-05-18T12:33:37.589309+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":36,"internal_anchor_count":36,"sample":[{"citing_arxiv_id":"2402.06922","citing_title":"Whispers in the Machine: Confidentiality in Agentic Systems","ref_index":65,"is_internal_anchor":true},{"citing_arxiv_id":"2409.18169","citing_title":"Harmful Fine-tuning Attacks and Defenses for Large Language Models: A Survey","ref_index":126,"is_internal_anchor":true},{"citing_arxiv_id":"2410.15362","citing_title":"Faster-GCG: Efficient Discrete Optimization Jailbreak Attacks against Aligned Large Language Models","ref_index":9,"is_internal_anchor":true},{"citing_arxiv_id":"2502.05206","citing_title":"Safety at Scale: A Comprehensive Survey of Large Model and Agent Safety","ref_index":101,"is_internal_anchor":true},{"citing_arxiv_id":"2605.20641","citing_title":"Trusted Weights, Treacherous Optimizations? Optimization-Triggered Backdoor Attacks on LLMs","ref_index":70,"is_internal_anchor":true},{"citing_arxiv_id":"2605.21362","citing_title":"LASH: Adaptive Semantic Hybridization for Black-Box Jailbreaking of Large Language Models","ref_index":29,"is_internal_anchor":true},{"citing_arxiv_id":"2605.17128","citing_title":"New Wide-Net-Casting Jailbreak Attacks Risk Large Models","ref_index":18,"is_internal_anchor":true},{"citing_arxiv_id":"2605.19485","citing_title":"Attention-Guided Reward for Reinforcement Learning-based Jailbreak against Large Reasoning Models","ref_index":26,"is_internal_anchor":true},{"citing_arxiv_id":"2506.06414","citing_title":"Benchmarking Misuse Mitigation Against Covert Adversaries","ref_index":14,"is_internal_anchor":true},{"citing_arxiv_id":"2508.04204","citing_title":"ReasoningGuard: Safeguarding Large Reasoning Models with Inference-time Safety Aha Moments","ref_index":19,"is_internal_anchor":true},{"citing_arxiv_id":"2402.10260","citing_title":"A StrongREJECT for Empty Jailbreaks","ref_index":27,"is_internal_anchor":true},{"citing_arxiv_id":"2602.02280","citing_title":"RACC: Representation-Aware Coverage Criteria for LLM Safety Testing","ref_index":40,"is_internal_anchor":true},{"citing_arxiv_id":"2605.01758","citing_title":"Catching the Infection Before It Spreads: Foresight-Guided Defense in Multi-Agent Systems","ref_index":35,"is_internal_anchor":true},{"citing_arxiv_id":"2404.01318","citing_title":"JailbreakBench: An Open Robustness Benchmark for Jailbreaking Large Language Models","ref_index":42,"is_internal_anchor":true},{"citing_arxiv_id":"2407.04295","citing_title":"Jailbreak Attacks and Defenses Against Large Language Models: A Survey","ref_index":73,"is_internal_anchor":true},{"citing_arxiv_id":"2403.02691","citing_title":"InjecAgent: Benchmarking Indirect Prompt Injections in Tool-Integrated Large Language Model Agents","ref_index":5,"is_internal_anchor":true},{"citing_arxiv_id":"2406.11717","citing_title":"Refusal in Language Models Is Mediated by a Single Direction","ref_index":177,"is_internal_anchor":true},{"citing_arxiv_id":"2605.11770","citing_title":"Behavioral Integrity Verification for AI Agent Skills","ref_index":39,"is_internal_anchor":true},{"citing_arxiv_id":"2605.03095","citing_title":"Revisiting JBShield: Breaking and Rebuilding Representation-Level Jailbreak Defenses","ref_index":37,"is_internal_anchor":true},{"citing_arxiv_id":"2310.08419","citing_title":"Jailbreaking Black Box Large Language Models in Twenty Queries","ref_index":20,"is_internal_anchor":true},{"citing_arxiv_id":"2605.10611","citing_title":"Re-Triggering Safeguards within LLMs for Jailbreak Detection","ref_index":11,"is_internal_anchor":true},{"citing_arxiv_id":"2604.24983","citing_title":"Adaptive Prompt Embedding Optimization for LLM Jailbreaking","ref_index":19,"is_internal_anchor":true},{"citing_arxiv_id":"2605.06605","citing_title":"How Many Iterations to Jailbreak? Dynamic Budget Allocation for Multi-Turn LLM Evaluation","ref_index":41,"is_internal_anchor":true},{"citing_arxiv_id":"2605.05058","citing_title":"SoK: Robustness in Large Language Models against Jailbreak Attacks","ref_index":68,"is_internal_anchor":true},{"citing_arxiv_id":"2605.01899","citing_title":"Disentangling Intent from Role: Adversarial Self-Play for Persona-Invariant Safety Alignment","ref_index":50,"is_internal_anchor":true}]},"formal_canon":{"evidence_count":2,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/K2QZLT2REVSUB3AKRWQNHHV3QG","json":"https://pith.science/pith/K2QZLT2REVSUB3AKRWQNHHV3QG.json","graph_json":"https://pith.science/api/pith-number/K2QZLT2REVSUB3AKRWQNHHV3QG/graph.json","events_json":"https://pith.science/api/pith-number/K2QZLT2REVSUB3AKRWQNHHV3QG/events.json","paper":"https://pith.science/paper/K2QZLT2R"},"agent_actions":{"view_html":"https://pith.science/pith/K2QZLT2REVSUB3AKRWQNHHV3QG","download_json":"https://pith.science/pith/K2QZLT2REVSUB3AKRWQNHHV3QG.json","view_paper":"https://pith.science/paper/K2QZLT2R","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2310.03684&json=true","fetch_graph":"https://pith.science/api/pith-number/K2QZLT2REVSUB3AKRWQNHHV3QG/graph.json","fetch_events":"https://pith.science/api/pith-number/K2QZLT2REVSUB3AKRWQNHHV3QG/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/K2QZLT2REVSUB3AKRWQNHHV3QG/action/timestamp_anchor","attest_storage":"https://pith.science/pith/K2QZLT2REVSUB3AKRWQNHHV3QG/action/storage_attestation","attest_author":"https://pith.science/pith/K2QZLT2REVSUB3AKRWQNHHV3QG/action/author_attestation","sign_citation":"https://pith.science/pith/K2QZLT2REVSUB3AKRWQNHHV3QG/action/citation_signature","submit_replication":"https://pith.science/pith/K2QZLT2REVSUB3AKRWQNHHV3QG/action/replication_record"}},"created_at":"2026-05-17T23:39:22.348288+00:00","updated_at":"2026-05-17T23:39:22.348288+00:00"}