Saved in:
Bibliographic Details
Main Authors: Zhang, Junke, Wang, Jianwei, Chen, Sishuo, He, Yizhang, Feng, Qingshuai, Yang, Zhengyi
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2605.29237
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866913169569480704
author Zhang, Junke
Wang, Jianwei
Chen, Sishuo
He, Yizhang
Feng, Qingshuai
Yang, Zhengyi
author_facet Zhang, Junke
Wang, Jianwei
Chen, Sishuo
He, Yizhang
Feng, Qingshuai
Yang, Zhengyi
contents Jailbreak attacks on large language models (LLMs) aim to induce LLMs to produce content that they are expected to refuse. Automated black-box jailbreak generation is especially important for safety evaluation, where the attacker observes only model outputs and needs to automatically search for effective adversarial prompts. Existing black-box jailbreak methods either depend on sample-wise heuristic search or leverage attack experience through accumulating strategy pools or method libraries, lacking a systematic organization and management of attack experience. To mitigate these drawbacks, we propose MemoAttack, a memory-driven black-box jailbreak framework with comprehensive attack memory modeling, evolution, and selection. Specifically, MemoAttack comprises three key designs: (1) Skill-Structured Memory Modeling, which abstracts accumulated attack experience into reusable skill-structured attack memory whose units pair attack skills with templates, evidence, and lifecycle state; (2) Lifecycle-Driven Memory Evolution, which evolves the memory through evidence-based probation, promotion, retirement, reactivation, elimination, and storage cleanup; and (3) Explore-Exploit Balanced Memory Selection, which balances reliable memory reuse with uncertainty-driven exploration via contextual Thompson Sampling. Experiments on AdvBench demonstrate that MemoAttack achieves an average attack success rate of 98.00%, outperforming the strongest baseline by 16.67 percentage points, while reducing request count by 45.9%. Moreover, MemoAttack continuously improves as memory accumulates over more samples.
format Preprint
id arxiv_https___arxiv_org_abs_2605_29237
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Evolving Skill-Structured Attack Memory Enhances LLM Jailbreaking
Zhang, Junke
Wang, Jianwei
Chen, Sishuo
He, Yizhang
Feng, Qingshuai
Yang, Zhengyi
Cryptography and Security
Jailbreak attacks on large language models (LLMs) aim to induce LLMs to produce content that they are expected to refuse. Automated black-box jailbreak generation is especially important for safety evaluation, where the attacker observes only model outputs and needs to automatically search for effective adversarial prompts. Existing black-box jailbreak methods either depend on sample-wise heuristic search or leverage attack experience through accumulating strategy pools or method libraries, lacking a systematic organization and management of attack experience. To mitigate these drawbacks, we propose MemoAttack, a memory-driven black-box jailbreak framework with comprehensive attack memory modeling, evolution, and selection. Specifically, MemoAttack comprises three key designs: (1) Skill-Structured Memory Modeling, which abstracts accumulated attack experience into reusable skill-structured attack memory whose units pair attack skills with templates, evidence, and lifecycle state; (2) Lifecycle-Driven Memory Evolution, which evolves the memory through evidence-based probation, promotion, retirement, reactivation, elimination, and storage cleanup; and (3) Explore-Exploit Balanced Memory Selection, which balances reliable memory reuse with uncertainty-driven exploration via contextual Thompson Sampling. Experiments on AdvBench demonstrate that MemoAttack achieves an average attack success rate of 98.00%, outperforming the strongest baseline by 16.67 percentage points, while reducing request count by 45.9%. Moreover, MemoAttack continuously improves as memory accumulates over more samples.
title Evolving Skill-Structured Attack Memory Enhances LLM Jailbreaking
topic Cryptography and Security
url https://arxiv.org/abs/2605.29237