{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2024:YOY6QLV6QQC7SP2TV3OYWEU3HF","short_pith_number":"pith:YOY6QLV6","schema_version":"1.0","canonical_sha256":"c3b1e82ebe8405f93f53aedd8b129b39727bf5386f751e950e9ed0805c9ddf38","source":{"kind":"arxiv","id":"2407.04295","version":2},"attestation_state":"computed","paper":{"title":"Jailbreak Attacks and Defenses Against Large Language Models: A Survey","license":"http://creativecommons.org/licenses/by/4.0/","headline":"A survey that creates taxonomies for jailbreak attacks and defenses on LLMs, subdivides them into sub-classes, and compares evaluation approaches.","cross_cats":["cs.AI","cs.CL","cs.LG"],"primary_cat":"cs.CR","authors_text":"Jiaxing Song, Ke Xu, Qi Li, Sibo Yi, Tianshuo Cong, Xinlei He, Yule Liu, Zhen Sun","submitted_at":"2024-07-05T06:57:30Z","abstract_excerpt":"Large Language Models (LLMs) have performed exceptionally in various text-generative tasks, including question answering, translation, code completion, etc. However, the over-assistance of LLMs has raised the challenge of \"jailbreaking\", which induces the model to generate malicious responses against the usage policy and society by designing adversarial prompts. With the emergence of jailbreak attack methods exploiting different vulnerabilities in LLMs, the corresponding safety alignment measures are also evolving. In this paper, we propose a comprehensive and detailed taxonomy of jailbreak at"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":true,"formal_links_present":true},"canonical_record":{"source":{"id":"2407.04295","kind":"arxiv","version":2},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2024-07-05T06:57:30Z","cross_cats_sorted":["cs.AI","cs.CL","cs.LG"],"title_canon_sha256":"f74598f44eea1fd513b7b56c50447230bcf80aef8f4a84aca6c92583188144f7","abstract_canon_sha256":"badbb006037acd708228bc413519371479731de0270eb8b97df398aeee46af08"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:38:53.831657Z","signature_b64":"UvmjJpecgSHWeO7n7Ks6zR6i8aGGYMrf8q7wOz1gqw8WmfGnHHbZWHxh/8BDKHMhJf4Sw+3HUx7iRuxvQIW7DQ==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"c3b1e82ebe8405f93f53aedd8b129b39727bf5386f751e950e9ed0805c9ddf38","last_reissued_at":"2026-05-17T23:38:53.831024Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:38:53.831024Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"Jailbreak Attacks and Defenses Against Large Language Models: A Survey","license":"http://creativecommons.org/licenses/by/4.0/","headline":"A survey that creates taxonomies for jailbreak attacks and defenses on LLMs, subdivides them into sub-classes, and compares evaluation approaches.","cross_cats":["cs.AI","cs.CL","cs.LG"],"primary_cat":"cs.CR","authors_text":"Jiaxing Song, Ke Xu, Qi Li, Sibo Yi, Tianshuo Cong, Xinlei He, Yule Liu, Zhen Sun","submitted_at":"2024-07-05T06:57:30Z","abstract_excerpt":"Large Language Models (LLMs) have performed exceptionally in various text-generative tasks, including question answering, translation, code completion, etc. However, the over-assistance of LLMs has raised the challenge of \"jailbreaking\", which induces the model to generate malicious responses against the usage policy and society by designing adversarial prompts. With the emergence of jailbreak attack methods exploiting different vulnerabilities in LLMs, the corresponding safety alignment measures are also evolving. In this paper, we propose a comprehensive and detailed taxonomy of jailbreak at"},"claims":{"count":3,"items":[{"kind":"strongest_claim","text":"we propose a comprehensive and detailed taxonomy of jailbreak attack and defense methods... and present a coherent diagram illustrating their relationships. We also conduct an investigation into the current evaluation methods and compare them from different perspectives.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the proposed taxonomy and sub-classifications accurately and comprehensively capture the current landscape of attacks and defenses without significant omissions or overlaps that would require revision.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"A survey that creates taxonomies for jailbreak attacks and defenses on LLMs, subdivides them into sub-classes, and compares evaluation approaches.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"}],"snapshot_sha256":"d34a06f8c1f6f12add72bce2de4f60f731c7e90a3812ec18eb39373de0d0c09b"},"source":{"id":"2407.04295","kind":"arxiv","version":2},"verdict":{"id":"787dc28f-28ef-4bb1-b5c8-5291cea3dd14","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T02:17:07.003351Z","strongest_claim":"we propose a comprehensive and detailed taxonomy of jailbreak attack and defense methods... and present a coherent diagram illustrating their relationships. We also conduct an investigation into the current evaluation methods and compare them from different perspectives.","one_line_summary":"A survey that creates taxonomies for jailbreak attacks and defenses on LLMs, subdivides them into sub-classes, and compares evaluation approaches.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the proposed taxonomy and sub-classifications accurately and comprehensively capture the current landscape of attacks and defenses without significant omissions or overlaps that would require revision.","pith_extraction_headline":""},"references":{"count":126,"sample":[{"doi":"","year":2023,"title":"Detecting Language Model Attacks with Perplexity","work_id":"8fac4469-dd8b-4784-9ff6-13d2e74e57fb","ref_index":1,"cited_arxiv_id":"2308.14132","is_internal_anchor":true},{"doi":"","year":2024,"title":"Jailbreaking leading safety-aligned LLMs with simple adaptive attacks","work_id":"81e706c8-459e-40a1-a79d-bda6a104cd22","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2023,"title":"Gemini: A Family of Highly Capable Multimodal Models","work_id":"83f7c85b-3f11-450f-ac0c-64d9745220b2","ref_index":3,"cited_arxiv_id":"2312.11805","is_internal_anchor":true},{"doi":"","year":null,"title":"Introducing claude","work_id":"9512a48a-3097-4413-8593-c26c1be54540","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"Many-shot jailbreaking","work_id":"d6a9bf6b-c588-4df6-8b27-21aec1333bbc","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":126,"snapshot_sha256":"12020fa2ad3a56a39f281e42527ab5b98de164fa4fdc6f64c3e3f2e210e0e4c4","internal_anchors":21},"formal_canon":{"evidence_count":1,"snapshot_sha256":"77c1c15d3860e4871f809cdc45806a6487bba0396d7b97b30bbe55e2f8b10672"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2407.04295","created_at":"2026-05-17T23:38:53.831133+00:00"},{"alias_kind":"arxiv_version","alias_value":"2407.04295v2","created_at":"2026-05-17T23:38:53.831133+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2407.04295","created_at":"2026-05-17T23:38:53.831133+00:00"},{"alias_kind":"pith_short_12","alias_value":"YOY6QLV6QQC7","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_16","alias_value":"YOY6QLV6QQC7SP2T","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_8","alias_value":"YOY6QLV6","created_at":"2026-05-18T12:33:37.589309+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":37,"internal_anchor_count":37,"sample":[{"citing_arxiv_id":"2605.23565","citing_title":"Understanding Goal Generalisation in Sequential Reinforcement Learning","ref_index":69,"is_internal_anchor":true},{"citing_arxiv_id":"2605.23448","citing_title":"AI Security Research Should Better Incentivize Defense Research","ref_index":42,"is_internal_anchor":true},{"citing_arxiv_id":"2605.23723","citing_title":"MemAudit: Post-hoc Auditing of Poisoned Agent Memory via Causal Attribution and Structural Anomaly Detection","ref_index":20,"is_internal_anchor":true},{"citing_arxiv_id":"2409.18169","citing_title":"Harmful Fine-tuning Attacks and Defenses for Large Language Models: A Survey","ref_index":171,"is_internal_anchor":true},{"citing_arxiv_id":"2602.14211","citing_title":"SkillJect: Effectively Automating Skill-Based Prompt Injection for Skill-Enabled Agents","ref_index":24,"is_internal_anchor":true},{"citing_arxiv_id":"2605.16551","citing_title":"PQR: A Framework to Generate Diverse and Realistic User Queries that Elicit QA Agent Failures","ref_index":6,"is_internal_anchor":true},{"citing_arxiv_id":"2605.18239","citing_title":"Multilingual jailbreaking of LLMs using low-resource languages","ref_index":4,"is_internal_anchor":true},{"citing_arxiv_id":"2605.19966","citing_title":"Detecting Fluent Optimization-Based Adversarial Prompts via Sequential Entropy Changes","ref_index":2,"is_internal_anchor":true},{"citing_arxiv_id":"2605.19485","citing_title":"Attention-Guided Reward for Reinforcement Learning-based Jailbreak against Large Reasoning Models","ref_index":34,"is_internal_anchor":true},{"citing_arxiv_id":"2605.19940","citing_title":"Robotics-Inspired Guardrails for Foundation Models in Socially Sensitive Domains","ref_index":53,"is_internal_anchor":true},{"citing_arxiv_id":"2605.15239","citing_title":"Reducing the Safety Tax in LLM Safety Alignment with On-Policy Self-Distillation","ref_index":3,"is_internal_anchor":true},{"citing_arxiv_id":"2506.17299","citing_title":"Toward Principled LLM Safety Testing: Solving the Jailbreak Oracle Problem","ref_index":1,"is_internal_anchor":true},{"citing_arxiv_id":"2508.11222","citing_title":"ORFuzz: Fuzzing the \"Other Side\" of LLM Safety -- Testing Over-Refusal","ref_index":12,"is_internal_anchor":true},{"citing_arxiv_id":"2510.09689","citing_title":"When Search Goes Wrong: Red-Teaming Web-Augmented Large Language Models","ref_index":44,"is_internal_anchor":true},{"citing_arxiv_id":"2511.02356","citing_title":"ASTRA: An Automated Framework for Strategy Discovery, Retrieval, and Evolution for Jailbreaking LLMs","ref_index":53,"is_internal_anchor":true},{"citing_arxiv_id":"2511.22681","citing_title":"CacheTrap: Unveiling a Stealthier Gray-Box Trojan against LLMs","ref_index":32,"is_internal_anchor":true},{"citing_arxiv_id":"2603.04474","citing_title":"From Spark to Fire: Modeling and Mitigating Error Cascades in LLM-Based Multi-Agent Collaboration","ref_index":54,"is_internal_anchor":true},{"citing_arxiv_id":"2603.21697","citing_title":"Structured Visual Narratives Undermine Safety Alignment in Multimodal Large Language Models","ref_index":9,"is_internal_anchor":true},{"citing_arxiv_id":"2605.11002","citing_title":"MT-JailBench: A Modular Benchmark for Understanding Multi-Turn Jailbreak Attacks","ref_index":41,"is_internal_anchor":true},{"citing_arxiv_id":"2604.27861","citing_title":"TwinGate: Stateful Defense against Decompositional Jailbreaks in Untraceable Traffic via Asymmetric Contrastive Learning","ref_index":35,"is_internal_anchor":true},{"citing_arxiv_id":"2605.08268","citing_title":"Insider Attacks in Multi-Agent LLM Consensus Systems","ref_index":28,"is_internal_anchor":true},{"citing_arxiv_id":"2605.08876","citing_title":"OTora: A Unified Red Teaming Framework for Reasoning-Level Denial-of-Service in LLM Agents","ref_index":16,"is_internal_anchor":true},{"citing_arxiv_id":"2604.25189","citing_title":"AgentDID: Trustless Identity Authentication for AI Agents","ref_index":12,"is_internal_anchor":true},{"citing_arxiv_id":"2604.23067","citing_title":"Training a General Purpose Automated Red Teaming Model","ref_index":4,"is_internal_anchor":true},{"citing_arxiv_id":"2605.05058","citing_title":"SoK: Robustness in Large Language Models against Jailbreak Attacks","ref_index":90,"is_internal_anchor":true}]},"formal_canon":{"evidence_count":1,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/YOY6QLV6QQC7SP2TV3OYWEU3HF","json":"https://pith.science/pith/YOY6QLV6QQC7SP2TV3OYWEU3HF.json","graph_json":"https://pith.science/api/pith-number/YOY6QLV6QQC7SP2TV3OYWEU3HF/graph.json","events_json":"https://pith.science/api/pith-number/YOY6QLV6QQC7SP2TV3OYWEU3HF/events.json","paper":"https://pith.science/paper/YOY6QLV6"},"agent_actions":{"view_html":"https://pith.science/pith/YOY6QLV6QQC7SP2TV3OYWEU3HF","download_json":"https://pith.science/pith/YOY6QLV6QQC7SP2TV3OYWEU3HF.json","view_paper":"https://pith.science/paper/YOY6QLV6","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2407.04295&json=true","fetch_graph":"https://pith.science/api/pith-number/YOY6QLV6QQC7SP2TV3OYWEU3HF/graph.json","fetch_events":"https://pith.science/api/pith-number/YOY6QLV6QQC7SP2TV3OYWEU3HF/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/YOY6QLV6QQC7SP2TV3OYWEU3HF/action/timestamp_anchor","attest_storage":"https://pith.science/pith/YOY6QLV6QQC7SP2TV3OYWEU3HF/action/storage_attestation","attest_author":"https://pith.science/pith/YOY6QLV6QQC7SP2TV3OYWEU3HF/action/author_attestation","sign_citation":"https://pith.science/pith/YOY6QLV6QQC7SP2TV3OYWEU3HF/action/citation_signature","submit_replication":"https://pith.science/pith/YOY6QLV6QQC7SP2TV3OYWEU3HF/action/replication_record"}},"created_at":"2026-05-17T23:38:53.831133+00:00","updated_at":"2026-05-17T23:38:53.831133+00:00"}