Saved in:
Bibliographic Details
Main Authors: Wang, Xiangwen, Balashankar, Ananth, Chandrasekaran, Varun
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2603.11149
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915873477885952
author Wang, Xiangwen
Balashankar, Ananth
Chandrasekaran, Varun
author_facet Wang, Xiangwen
Balashankar, Ananth
Chandrasekaran, Varun
contents Large language models remain vulnerable to jailbreak attacks, yet we still lack a systematic understanding of how jailbreak success scales with attacker effort across methods, model families, and harm types. We initiate a scaling-law framework for jailbreaks by treating each attack as a compute-bounded optimization procedure and measuring progress on a shared FLOPs axis. Our systematic evaluation spans four representative jailbreak paradigms, covering optimization-based attacks, self-refinement prompting, sampling-based selection, and genetic optimization, across multiple model families and scales on a diverse set of harmful goals. We investigate scaling laws that relate attacker budget to attack success score by fitting a simple saturating exponential function to FLOPs--success trajectories, and we derive comparable efficiency summaries from the fitted curves. Empirically, prompting-based paradigms tend to be the most compute-efficient compared to optimization-based methods. To explain this gap, we cast prompt-based updates into an optimization view and show via a same-state comparison that prompt-based attacks more effectively optimize in prompt space. We also show that attacks occupy distinct success--stealthiness operating points with prompting-based methods occupying the high-success, high-stealth region. Finally, we find that vulnerability is strongly goal-dependent: harms involving misinformation are typically easier to elicit than other non-misinformation harms.
format Preprint
id arxiv_https___arxiv_org_abs_2603_11149
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Systematic Scaling Analysis of Jailbreak Attacks in Large Language Models
Wang, Xiangwen
Balashankar, Ananth
Chandrasekaran, Varun
Machine Learning
Cryptography and Security
Large language models remain vulnerable to jailbreak attacks, yet we still lack a systematic understanding of how jailbreak success scales with attacker effort across methods, model families, and harm types. We initiate a scaling-law framework for jailbreaks by treating each attack as a compute-bounded optimization procedure and measuring progress on a shared FLOPs axis. Our systematic evaluation spans four representative jailbreak paradigms, covering optimization-based attacks, self-refinement prompting, sampling-based selection, and genetic optimization, across multiple model families and scales on a diverse set of harmful goals. We investigate scaling laws that relate attacker budget to attack success score by fitting a simple saturating exponential function to FLOPs--success trajectories, and we derive comparable efficiency summaries from the fitted curves. Empirically, prompting-based paradigms tend to be the most compute-efficient compared to optimization-based methods. To explain this gap, we cast prompt-based updates into an optimization view and show via a same-state comparison that prompt-based attacks more effectively optimize in prompt space. We also show that attacks occupy distinct success--stealthiness operating points with prompting-based methods occupying the high-success, high-stealth region. Finally, we find that vulnerability is strongly goal-dependent: harms involving misinformation are typically easier to elicit than other non-misinformation harms.
title Systematic Scaling Analysis of Jailbreak Attacks in Large Language Models
topic Machine Learning
Cryptography and Security
url https://arxiv.org/abs/2603.11149