Saved in:
Bibliographic Details
Main Authors: Li, Jindong, Liu, Ying, Fu, Yali, Zhu, Jinjing, Wang, Leyao, Yang, Menglin, Ying, Rex
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2605.00974
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866909009681842176
author Li, Jindong
Liu, Ying
Fu, Yali
Zhu, Jinjing
Wang, Leyao
Yang, Menglin
Ying, Rex
author_facet Li, Jindong
Liu, Ying
Fu, Yali
Zhu, Jinjing
Wang, Leyao
Yang, Menglin
Ying, Rex
contents LLMs are increasingly equipped with safety alignment mechanisms, yet recent studies demonstrate that they remain vulnerable to jailbreaking attacks that elicit harmful behaviors without explicit policy violations. While a growing body of work has explored automated jailbreak strategies, existing methods face several fundamental challenges, including the lack of systematic utilization of both successful and failed attack experiences, as well as the absence of principled mechanisms for composing and selecting reusable attack rules under diverse constraints. As a result, existing methods struggle to accumulate transferable knowledge over time and to reliably adapt attack strategies across different targets and evolving safety mechanisms. To address these issues, we propose a Self-Evolving Rule-Driven Training-Free Jailbreak (SRTJ) framework that systematically discovers, composes, and refines attack strategies through interaction and feedback, without updating model parameters. Specifically, SRTJ couples experience-driven attack generation with answer set programming (ASP)-based rule selection and constraint-aware composition, where iterative verifier feedback is leveraged to jointly refine successful strategies and analyze failure patterns. The resulting rule memory evolves in a hierarchical multi-level manner, explicitly organizing distilled attack knowledge into long-term, middle-term, and short-term rules, thereby capturing both stable transferable strategies and transient adaptive behaviors to effectively balance exploration and exploitation across attack attempts. Extensive experiments on mainstream jailbreak benchmark (HarmBench) demonstrate that SRTJ achieves strong and stable attack performance across different target LLMs, while exhibiting improved robustness and generalization compared to existing jailbreak methods. The code is available at https://github.com/TheSolkatt/SRTJ.
format Preprint
id arxiv_https___arxiv_org_abs_2605_00974
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle SRTJ: Self-Evolving Rule-Driven Training-Free LLM Jailbreaking
Li, Jindong
Liu, Ying
Fu, Yali
Zhu, Jinjing
Wang, Leyao
Yang, Menglin
Ying, Rex
Cryptography and Security
Computation and Language
LLMs are increasingly equipped with safety alignment mechanisms, yet recent studies demonstrate that they remain vulnerable to jailbreaking attacks that elicit harmful behaviors without explicit policy violations. While a growing body of work has explored automated jailbreak strategies, existing methods face several fundamental challenges, including the lack of systematic utilization of both successful and failed attack experiences, as well as the absence of principled mechanisms for composing and selecting reusable attack rules under diverse constraints. As a result, existing methods struggle to accumulate transferable knowledge over time and to reliably adapt attack strategies across different targets and evolving safety mechanisms. To address these issues, we propose a Self-Evolving Rule-Driven Training-Free Jailbreak (SRTJ) framework that systematically discovers, composes, and refines attack strategies through interaction and feedback, without updating model parameters. Specifically, SRTJ couples experience-driven attack generation with answer set programming (ASP)-based rule selection and constraint-aware composition, where iterative verifier feedback is leveraged to jointly refine successful strategies and analyze failure patterns. The resulting rule memory evolves in a hierarchical multi-level manner, explicitly organizing distilled attack knowledge into long-term, middle-term, and short-term rules, thereby capturing both stable transferable strategies and transient adaptive behaviors to effectively balance exploration and exploitation across attack attempts. Extensive experiments on mainstream jailbreak benchmark (HarmBench) demonstrate that SRTJ achieves strong and stable attack performance across different target LLMs, while exhibiting improved robustness and generalization compared to existing jailbreak methods. The code is available at https://github.com/TheSolkatt/SRTJ.
title SRTJ: Self-Evolving Rule-Driven Training-Free LLM Jailbreaking
topic Cryptography and Security
Computation and Language
url https://arxiv.org/abs/2605.00974