Evaluating Multi-Agent Defences Against Jailbreaking Attacks on Large Language Models
Maria Carolina Cornelia Wit, Jun Pang

TL;DR
This paper explores the use of multi-agent large language model systems as a defense mechanism against jailbreaking attacks, demonstrating improved resistance but also highlighting limitations and trade-offs involved.
Contribution
It introduces a multi-agent approach to defend against jailbreaking attacks on LLMs and evaluates its effectiveness across different attack strategies.
Findings
Multi-agent systems improve resistance to jailbreaking attacks.
They reduce false negatives but may increase false positives.
Trade-offs include higher computational costs.
Abstract
Recent advances in large language models (LLMs) have raised concerns about jailbreaking attacks, i.e., prompts that bypass safety mechanisms. This paper investigates the use of multi-agent LLM systems as a defence against such attacks. We evaluate three jailbreaking strategies, including the original AutoDefense attack and two from Deepleaps: BetterDan and JB. Reproducing the AutoDefense framework, we compare single-agent setups with two- and three-agent configurations. Our results show that multi-agent systems enhance resistance to jailbreaks, especially by reducing false negatives. However, their effectiveness varies by attack type, and they introduce trade-offs such as increased false positives and computational overhead. These findings point to the limitations of current automated defences and suggest directions for improving alignment robustness in future LLM systems.
Taxonomy
Topics: Topic Modeling · Adversarial Robustness in Machine Learning · Natural Language Processing Techniques
