Saved in:
Bibliographic Details
Main Authors: Zhang, Yihao, Wang, Kai, Wu, Jiangrong, Wu, Haolin, Zhou, Yuxuan, Wei, Zeming, Wu, Dongxian, Chen, Xun, Sun, Jun, Sun, Meng
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2604.11309
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866908959960465408
author Zhang, Yihao
Wang, Kai
Wu, Jiangrong
Wu, Haolin
Zhou, Yuxuan
Wei, Zeming
Wu, Dongxian
Chen, Xun
Sun, Jun
Sun, Meng
author_facet Zhang, Yihao
Wang, Kai
Wu, Jiangrong
Wu, Haolin
Zhou, Yuxuan
Wei, Zeming
Wu, Dongxian
Chen, Xun
Sun, Jun
Sun, Meng
contents Large Language Models (LLMs) face prominent security risks from jailbreaking, a practice that manipulates models to bypass built-in security constraints and generate unethical or unsafe content. Among various jailbreak techniques, multi-turn jailbreak attacks are more covert and persistent than single-turn counterparts, exposing critical vulnerabilities of LLMs. However, existing multi-turn jailbreak methods suffer from two fundamental limitations that affect the actual impact in real-world scenarios: (a) As models become more context-aware, any explicit harmful trigger is increasingly likely to be flagged and blocked; (b) Successful final-step triggers often require finely tuned, model-specific contexts, making such attacks highly context-dependent. To fill this gap, we propose \textit{Salami Slicing Risk}, which operates by chaining numerous low-risk inputs that individually evade alignment thresholds but cumulatively accumulate harmful intent to ultimately trigger high-risk behaviors, without heavy reliance on pre-designed contextual structures. Building on this risk, we develop Salami Attack, an automatic framework universally applicable to multiple model types and modalities. Rigorous experiments demonstrate its state-of-the-art performance across diverse models and modalities, achieving over 90\% Attack Success Rate on GPT-4o and Gemini, as well as robustness against real-world alignment defenses. We also proposed a defense strategy to constrain the Salami Attack by at least 44.8\% while achieving a maximum blocking rate of 64.8\% against other multi-turn jailbreak attacks. Our findings provide critical insights into the pervasive risks of multi-turn jailbreaking and offer actionable mitigation strategies to enhance LLM security.
format Preprint
id arxiv_https___arxiv_org_abs_2604_11309
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle The Salami Slicing Threat: Exploiting Cumulative Risks in LLM Systems
Zhang, Yihao
Wang, Kai
Wu, Jiangrong
Wu, Haolin
Zhou, Yuxuan
Wei, Zeming
Wu, Dongxian
Chen, Xun
Sun, Jun
Sun, Meng
Cryptography and Security
Artificial Intelligence
Computation and Language
Computer Vision and Pattern Recognition
Machine Learning
Large Language Models (LLMs) face prominent security risks from jailbreaking, a practice that manipulates models to bypass built-in security constraints and generate unethical or unsafe content. Among various jailbreak techniques, multi-turn jailbreak attacks are more covert and persistent than single-turn counterparts, exposing critical vulnerabilities of LLMs. However, existing multi-turn jailbreak methods suffer from two fundamental limitations that affect the actual impact in real-world scenarios: (a) As models become more context-aware, any explicit harmful trigger is increasingly likely to be flagged and blocked; (b) Successful final-step triggers often require finely tuned, model-specific contexts, making such attacks highly context-dependent. To fill this gap, we propose \textit{Salami Slicing Risk}, which operates by chaining numerous low-risk inputs that individually evade alignment thresholds but cumulatively accumulate harmful intent to ultimately trigger high-risk behaviors, without heavy reliance on pre-designed contextual structures. Building on this risk, we develop Salami Attack, an automatic framework universally applicable to multiple model types and modalities. Rigorous experiments demonstrate its state-of-the-art performance across diverse models and modalities, achieving over 90\% Attack Success Rate on GPT-4o and Gemini, as well as robustness against real-world alignment defenses. We also proposed a defense strategy to constrain the Salami Attack by at least 44.8\% while achieving a maximum blocking rate of 64.8\% against other multi-turn jailbreak attacks. Our findings provide critical insights into the pervasive risks of multi-turn jailbreaking and offer actionable mitigation strategies to enhance LLM security.
title The Salami Slicing Threat: Exploiting Cumulative Risks in LLM Systems
topic Cryptography and Security
Artificial Intelligence
Computation and Language
Computer Vision and Pattern Recognition
Machine Learning
url https://arxiv.org/abs/2604.11309