Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Meng, Wenlong, Zhang, Fan, Yao, Wendao, Guo, Zhenyuan, Li, Yuwei, Wei, Chengkun, Chen, Wenzhi
Format: Preprint
Veröffentlicht: 2025
Schlagworte:
Online-Zugang:https://arxiv.org/abs/2503.08195
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
_version_ 1866916649578266624
author Meng, Wenlong
Zhang, Fan
Yao, Wendao
Guo, Zhenyuan
Li, Yuwei
Wei, Chengkun
Chen, Wenzhi
author_facet Meng, Wenlong
Zhang, Fan
Yao, Wendao
Guo, Zhenyuan
Li, Yuwei
Wei, Chengkun
Chen, Wenzhi
contents Large language models (LLMs) have demonstrated significant utility in a wide range of applications; however, their deployment is plagued by security vulnerabilities, notably jailbreak attacks. These attacks manipulate LLMs to generate harmful or unethical content by crafting adversarial prompts. While much of the current research on jailbreak attacks has focused on single-turn interactions, it has largely overlooked the impact of historical dialogues on model behavior. In this paper, we introduce a novel jailbreak paradigm, Dialogue Injection Attack (DIA), which leverages the dialogue history to enhance the success rates of such attacks. DIA operates in a black-box setting, requiring only access to the chat API or knowledge of the LLM's chat template. We propose two methods for constructing adversarial historical dialogues: one adapts gray-box prefilling attacks, and the other exploits deferred responses. Our experiments show that DIA achieves state-of-the-art attack success rates on recent LLMs, including Llama-3.1 and GPT-4o. Additionally, we demonstrate that DIA can bypass 5 different defense mechanisms, highlighting its robustness and effectiveness.
format Preprint
id arxiv_https___arxiv_org_abs_2503_08195
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Dialogue Injection Attack: Jailbreaking LLMs through Context Manipulation
Meng, Wenlong
Zhang, Fan
Yao, Wendao
Guo, Zhenyuan
Li, Yuwei
Wei, Chengkun
Chen, Wenzhi
Computation and Language
Large language models (LLMs) have demonstrated significant utility in a wide range of applications; however, their deployment is plagued by security vulnerabilities, notably jailbreak attacks. These attacks manipulate LLMs to generate harmful or unethical content by crafting adversarial prompts. While much of the current research on jailbreak attacks has focused on single-turn interactions, it has largely overlooked the impact of historical dialogues on model behavior. In this paper, we introduce a novel jailbreak paradigm, Dialogue Injection Attack (DIA), which leverages the dialogue history to enhance the success rates of such attacks. DIA operates in a black-box setting, requiring only access to the chat API or knowledge of the LLM's chat template. We propose two methods for constructing adversarial historical dialogues: one adapts gray-box prefilling attacks, and the other exploits deferred responses. Our experiments show that DIA achieves state-of-the-art attack success rates on recent LLMs, including Llama-3.1 and GPT-4o. Additionally, we demonstrate that DIA can bypass 5 different defense mechanisms, highlighting its robustness and effectiveness.
title Dialogue Injection Attack: Jailbreaking LLMs through Context Manipulation
topic Computation and Language
url https://arxiv.org/abs/2503.08195