Saved in:
Bibliographic Details
Main Authors: Kaneko, Masahiro, Talat, Zeerak, Baldwin, Timothy
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2510.17006
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866909857000456192
author Kaneko, Masahiro
Talat, Zeerak
Baldwin, Timothy
author_facet Kaneko, Masahiro
Talat, Zeerak
Baldwin, Timothy
contents Iterative jailbreak methods that repeatedly rewrite and input prompts into large language models (LLMs) to induce harmful outputs -- using the model's previous responses to guide each new iteration -- have been found to be a highly effective attack strategy. Despite being an effective attack strategy against LLMs and their safety mechanisms, existing defenses do not proactively disrupt this dynamic trial-and-error cycle. In this study, we propose a novel framework that dynamically updates its defense strategy through online learning in response to each new prompt from iterative jailbreak methods. Leveraging the distinctions between harmful jailbreak-generated prompts and typical harmless prompts, we introduce a reinforcement learning-based approach that optimizes prompts to ensure appropriate responses for harmless tasks while explicitly rejecting harmful prompts. Additionally, to curb overfitting to the narrow band of partial input rewrites explored during an attack, we introduce Past-Direction Gradient Damping (PDGD). Experiments conducted on three LLMs show that our approach significantly outperforms five existing defense methods against five iterative jailbreak methods. Moreover, our results indicate that our prompt optimization strategy simultaneously enhances response quality for harmless tasks.
format Preprint
id arxiv_https___arxiv_org_abs_2510_17006
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Online Learning Defense against Iterative Jailbreak Attacks via Prompt Optimization
Kaneko, Masahiro
Talat, Zeerak
Baldwin, Timothy
Computation and Language
Iterative jailbreak methods that repeatedly rewrite and input prompts into large language models (LLMs) to induce harmful outputs -- using the model's previous responses to guide each new iteration -- have been found to be a highly effective attack strategy. Despite being an effective attack strategy against LLMs and their safety mechanisms, existing defenses do not proactively disrupt this dynamic trial-and-error cycle. In this study, we propose a novel framework that dynamically updates its defense strategy through online learning in response to each new prompt from iterative jailbreak methods. Leveraging the distinctions between harmful jailbreak-generated prompts and typical harmless prompts, we introduce a reinforcement learning-based approach that optimizes prompts to ensure appropriate responses for harmless tasks while explicitly rejecting harmful prompts. Additionally, to curb overfitting to the narrow band of partial input rewrites explored during an attack, we introduce Past-Direction Gradient Damping (PDGD). Experiments conducted on three LLMs show that our approach significantly outperforms five existing defense methods against five iterative jailbreak methods. Moreover, our results indicate that our prompt optimization strategy simultaneously enhances response quality for harmless tasks.
title Online Learning Defense against Iterative Jailbreak Attacks via Prompt Optimization
topic Computation and Language
url https://arxiv.org/abs/2510.17006