{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2024:KLF577JGEJPVT7UFVL6ELCNMSB","short_pith_number":"pith:KLF577JG","schema_version":"1.0","canonical_sha256":"52cbdffd26225f59fe85aafc4589ac90656b3a7ac643e2b5d14a169c8d20fa71","source":{"kind":"arxiv","id":"2404.02151","version":4},"attestation_state":"computed","paper":{"title":"Jailbreaking Leading Safety-Aligned LLMs with Simple Adaptive Attacks","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":["cs.AI","cs.LG","stat.ML"],"primary_cat":"cs.CR","authors_text":"Francesco Croce, Maksym Andriushchenko, Nicolas Flammarion","submitted_at":"2024-04-02T17:58:27Z","abstract_excerpt":"We show that even the most recent safety-aligned LLMs are not robust to simple adaptive jailbreaking attacks. First, we demonstrate how to successfully leverage access to logprobs for jailbreaking: we initially design an adversarial prompt template (sometimes adapted to the target LLM), and then we apply random search on a suffix to maximize a target logprob (e.g., of the token \"Sure\"), potentially with multiple restarts. In this way, we achieve 100% attack success rate -- according to GPT-4 as a judge -- on Vicuna-13B, Mistral-7B, Phi-3-Mini, Nemotron-4-340B, Llama-2-Chat-7B/13B/70B, Llama-3-"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":false,"formal_links_present":false},"canonical_record":{"source":{"id":"2404.02151","kind":"arxiv","version":4},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2024-04-02T17:58:27Z","cross_cats_sorted":["cs.AI","cs.LG","stat.ML"],"title_canon_sha256":"b2110790cec662d758eacac98b117aa1d1e3adb5fcee666601d53183e271eb17","abstract_canon_sha256":"707d49577db88f0eb53e78087ba8a601bb6da184c14c96ed39fef320909149ce"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-07-05T10:50:41.945170Z","signature_b64":"WQo/n0ZbmF4qM62e5eADh2sw8jlo852m7cjaViXyxrTKyPW4YHXd6Y1WdOTsf868arZXjU+ZV8oLOS4z/KDOBw==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"52cbdffd26225f59fe85aafc4589ac90656b3a7ac643e2b5d14a169c8d20fa71","last_reissued_at":"2026-07-05T10:50:41.944737Z","signature_status":"signed_v1","first_computed_at":"2026-07-05T10:50:41.944737Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"Jailbreaking Leading Safety-Aligned LLMs with Simple Adaptive Attacks","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":["cs.AI","cs.LG","stat.ML"],"primary_cat":"cs.CR","authors_text":"Francesco Croce, Maksym Andriushchenko, Nicolas Flammarion","submitted_at":"2024-04-02T17:58:27Z","abstract_excerpt":"We show that even the most recent safety-aligned LLMs are not robust to simple adaptive jailbreaking attacks. First, we demonstrate how to successfully leverage access to logprobs for jailbreaking: we initially design an adversarial prompt template (sometimes adapted to the target LLM), and then we apply random search on a suffix to maximize a target logprob (e.g., of the token \"Sure\"), potentially with multiple restarts. In this way, we achieve 100% attack success rate -- according to GPT-4 as a judge -- on Vicuna-13B, Mistral-7B, Phi-3-Mini, Nemotron-4-340B, Llama-2-Chat-7B/13B/70B, Llama-3-"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2404.02151","kind":"arxiv","version":4},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2404.02151/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2404.02151","created_at":"2026-07-05T10:50:41.944792+00:00"},{"alias_kind":"arxiv_version","alias_value":"2404.02151v4","created_at":"2026-07-05T10:50:41.944792+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2404.02151","created_at":"2026-07-05T10:50:41.944792+00:00"},{"alias_kind":"pith_short_12","alias_value":"KLF577JGEJPV","created_at":"2026-07-05T10:50:41.944792+00:00"},{"alias_kind":"pith_short_16","alias_value":"KLF577JGEJPVT7UF","created_at":"2026-07-05T10:50:41.944792+00:00"},{"alias_kind":"pith_short_8","alias_value":"KLF577JG","created_at":"2026-07-05T10:50:41.944792+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":29,"internal_anchor_count":0,"sample":[{"citing_arxiv_id":"2606.25442","citing_title":"PolicyAlign: Direct Policy-Based Safety Alignment for Large Language Models","ref_index":10,"is_internal_anchor":false},{"citing_arxiv_id":"2606.14517","citing_title":"From Shield to Target: Denial-of-Service Attacks on LLM-Based Agent Guardrails","ref_index":26,"is_internal_anchor":false},{"citing_arxiv_id":"2606.10525","citing_title":"Assessing Automated Prompt Injection Attacks in Agentic Environments","ref_index":1,"is_internal_anchor":false},{"citing_arxiv_id":"2606.07335","citing_title":"Defending Jailbreak Attacks on Large Language Models via Manifold Trajectory Kinetics","ref_index":5,"is_internal_anchor":false},{"citing_arxiv_id":"2606.06244","citing_title":"Steering LLM Viewpoints through Fabricated Evidence Injection","ref_index":1,"is_internal_anchor":false},{"citing_arxiv_id":"2606.03647","citing_title":"Black-box, Adaptive, Efficient, Transferable, Harmful, Applicable... Attacks Are All You Need to Break LLMs","ref_index":10,"is_internal_anchor":false},{"citing_arxiv_id":"2606.30783","citing_title":"Security--Fidelity Tradeoffs: The Hidden Cost of Prompt Injection Defense","ref_index":42,"is_internal_anchor":false},{"citing_arxiv_id":"2606.30449","citing_title":"Internal-State Probes Read the Situation, Not the Action: Three Negative Results for Pre-Action Misalignment Monitoring","ref_index":17,"is_internal_anchor":false},{"citing_arxiv_id":"2605.28893","citing_title":"Towards Demystifying and Repairing LLM-in-the-Loop Vulnerabilities","ref_index":5,"is_internal_anchor":false},{"citing_arxiv_id":"2605.30169","citing_title":"Dissociative Identity: Language Model Agents Lack Grounding for Reputation Mechanisms","ref_index":6,"is_internal_anchor":false},{"citing_arxiv_id":"2405.13068","citing_title":"Uncovering Logit Suppression Vulnerabilities in LLM Safety Alignment","ref_index":3,"is_internal_anchor":false},{"citing_arxiv_id":"2503.02574","citing_title":"LLM-Safety Evaluations Lack Robustness","ref_index":6,"is_internal_anchor":false},{"citing_arxiv_id":"2504.00446","citing_title":"Exposing the Ghost in the Transformer: Abnormal Detection for Large Language Models via Hidden State Forensics","ref_index":24,"is_internal_anchor":false},{"citing_arxiv_id":"2605.21674","citing_title":"Adversarial Reframing: A Framework for Targeted Generation in Language Models","ref_index":2,"is_internal_anchor":false},{"citing_arxiv_id":"2511.02356","citing_title":"ASTRA: An Automated Framework for Strategy Discovery, Retrieval, and Evolution for Jailbreaking LLMs","ref_index":1,"is_internal_anchor":false},{"citing_arxiv_id":"2404.01318","citing_title":"JailbreakBench: An Open Robustness Benchmark for Jailbreaking Large Language Models","ref_index":6,"is_internal_anchor":false},{"citing_arxiv_id":"2407.04295","citing_title":"Jailbreak Attacks and Defenses Against Large Language Models: A Survey","ref_index":2,"is_internal_anchor":false},{"citing_arxiv_id":"2603.21697","citing_title":"Structured Visual Narratives Undermine Safety Alignment in Multimodal Large Language Models","ref_index":33,"is_internal_anchor":false},{"citing_arxiv_id":"2310.03684","citing_title":"SmoothLLM: Defending Large Language Models Against Jailbreaking Attacks","ref_index":21,"is_internal_anchor":false},{"citing_arxiv_id":"2406.11717","citing_title":"Refusal in Language Models Is Mediated by a Single Direction","ref_index":112,"is_internal_anchor":false},{"citing_arxiv_id":"2605.03095","citing_title":"Revisiting JBShield: Breaking and Rebuilding Representation-Level Jailbreak Defenses","ref_index":4,"is_internal_anchor":false},{"citing_arxiv_id":"2604.28157","citing_title":"FlashRT: Towards Computationally and Memory Efficient Red-Teaming for Prompt Injection and Knowledge Corruption","ref_index":38,"is_internal_anchor":false},{"citing_arxiv_id":"2604.27401","citing_title":"Perturbation Probing: A Two-Pass-per-Prompt Diagnostic for FFN Behavioral Circuits in Aligned LLMs","ref_index":1,"is_internal_anchor":false},{"citing_arxiv_id":"2605.10611","citing_title":"Re-Triggering Safeguards within LLMs for Jailbreak Detection","ref_index":2,"is_internal_anchor":false},{"citing_arxiv_id":"2604.22089","citing_title":"Ethics Testing: Proactive Identification of Generative AI System Harms","ref_index":6,"is_internal_anchor":false}]},"formal_canon":{"evidence_count":0,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/KLF577JGEJPVT7UFVL6ELCNMSB","json":"https://pith.science/pith/KLF577JGEJPVT7UFVL6ELCNMSB.json","graph_json":"https://pith.science/api/pith-number/KLF577JGEJPVT7UFVL6ELCNMSB/graph.json","events_json":"https://pith.science/api/pith-number/KLF577JGEJPVT7UFVL6ELCNMSB/events.json","paper":"https://pith.science/paper/KLF577JG"},"agent_actions":{"view_html":"https://pith.science/pith/KLF577JGEJPVT7UFVL6ELCNMSB","download_json":"https://pith.science/pith/KLF577JGEJPVT7UFVL6ELCNMSB.json","view_paper":"https://pith.science/paper/KLF577JG","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2404.02151&json=true","fetch_graph":"https://pith.science/api/pith-number/KLF577JGEJPVT7UFVL6ELCNMSB/graph.json","fetch_events":"https://pith.science/api/pith-number/KLF577JGEJPVT7UFVL6ELCNMSB/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/KLF577JGEJPVT7UFVL6ELCNMSB/action/timestamp_anchor","attest_storage":"https://pith.science/pith/KLF577JGEJPVT7UFVL6ELCNMSB/action/storage_attestation","attest_author":"https://pith.science/pith/KLF577JGEJPVT7UFVL6ELCNMSB/action/author_attestation","sign_citation":"https://pith.science/pith/KLF577JGEJPVT7UFVL6ELCNMSB/action/citation_signature","submit_replication":"https://pith.science/pith/KLF577JGEJPVT7UFVL6ELCNMSB/action/replication_record"}},"created_at":"2026-07-05T10:50:41.944792+00:00","updated_at":"2026-07-05T10:50:41.944792+00:00"}