Saved in:
Bibliographic Details
Main Authors: Lin, Liang, Xu, Zhihao, Tang, Xuehai, Liu, Shi, Zhou, Biyu, Zhu, Fuqing, Han, Jizhong, Hu, Songlin
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2507.13474
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866913948474802176
author Lin, Liang
Xu, Zhihao
Tang, Xuehai
Liu, Shi
Zhou, Biyu
Zhu, Fuqing
Han, Jizhong
Hu, Songlin
author_facet Lin, Liang
Xu, Zhihao
Tang, Xuehai
Liu, Shi
Zhou, Biyu
Zhu, Fuqing
Han, Jizhong
Hu, Songlin
contents The safety of large language models (LLMs) has garnered significant research attention. In this paper, we argue that previous empirical studies demonstrate LLMs exhibit a propensity to trust information from authoritative sources, such as academic papers, implying new possible vulnerabilities. To verify this possibility, a preliminary analysis is designed to illustrate our two findings. Based on this insight, a novel jailbreaking method, Paper Summary Attack (\llmname{PSA}), is proposed. It systematically synthesizes content from either attack-focused or defense-focused LLM safety paper to construct an adversarial prompt template, while strategically infilling harmful query as adversarial payloads within predefined subsections. Extensive experiments show significant vulnerabilities not only in base LLMs, but also in state-of-the-art reasoning model like Deepseek-R1. PSA achieves a 97\% attack success rate (ASR) on well-aligned models like Claude3.5-Sonnet and an even higher 98\% ASR on Deepseek-R1. More intriguingly, our work has further revealed diametrically opposed vulnerability bias across different base models, and even between different versions of the same model, when exposed to either attack-focused or defense-focused papers. This phenomenon potentially indicates future research clues for both adversarial methodologies and safety alignment.Code is available at https://github.com/233liang/Paper-Summary-Attack
format Preprint
id arxiv_https___arxiv_org_abs_2507_13474
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Paper Summary Attack: Jailbreaking LLMs through LLM Safety Papers
Lin, Liang
Xu, Zhihao
Tang, Xuehai
Liu, Shi
Zhou, Biyu
Zhu, Fuqing
Han, Jizhong
Hu, Songlin
Computation and Language
The safety of large language models (LLMs) has garnered significant research attention. In this paper, we argue that previous empirical studies demonstrate LLMs exhibit a propensity to trust information from authoritative sources, such as academic papers, implying new possible vulnerabilities. To verify this possibility, a preliminary analysis is designed to illustrate our two findings. Based on this insight, a novel jailbreaking method, Paper Summary Attack (\llmname{PSA}), is proposed. It systematically synthesizes content from either attack-focused or defense-focused LLM safety paper to construct an adversarial prompt template, while strategically infilling harmful query as adversarial payloads within predefined subsections. Extensive experiments show significant vulnerabilities not only in base LLMs, but also in state-of-the-art reasoning model like Deepseek-R1. PSA achieves a 97\% attack success rate (ASR) on well-aligned models like Claude3.5-Sonnet and an even higher 98\% ASR on Deepseek-R1. More intriguingly, our work has further revealed diametrically opposed vulnerability bias across different base models, and even between different versions of the same model, when exposed to either attack-focused or defense-focused papers. This phenomenon potentially indicates future research clues for both adversarial methodologies and safety alignment.Code is available at https://github.com/233liang/Paper-Summary-Attack
title Paper Summary Attack: Jailbreaking LLMs through LLM Safety Papers
topic Computation and Language
url https://arxiv.org/abs/2507.13474