AutoAdv: Automated Adversarial Prompting for Multi-Turn Jailbreaking of Large Language Models

TL;DR

AutoAdv introduces an automated, multi-turn adversarial prompting framework that systematically uncovers vulnerabilities in large language models' safety mechanisms, revealing high success rates of jailbreak attacks across popular models.

Contribution

The paper presents a novel automated multi-turn attack methodology that iteratively refines prompts to expose safety vulnerabilities in LLMs, advancing adversarial testing techniques.

Findings

Achieved up to 86% success rate in jailbreak attacks.

Revealed significant safety vulnerabilities in state-of-the-art LLMs.

Demonstrated effectiveness of automated multi-turn prompting in adversarial evaluation.

Abstract

Large Language Models (LLMs) continue to exhibit vulnerabilities to jailbreaking attacks: carefully crafted malicious inputs intended to circumvent safety guardrails and elicit harmful responses. As such, we present AutoAdv, a novel framework that automates adversarial prompt generation to systematically evaluate and expose vulnerabilities in LLM safety mechanisms. Our approach leverages a parametric attacker LLM to produce semantically disguised malicious prompts through strategic rewriting techniques, specialized system prompts, and optimized hyperparameter configurations. The primary contribution of our work is a dynamic, multi-turn attack methodology that analyzes failed jailbreak attempts and iteratively generates refined follow-up prompts, leveraging techniques such as roleplaying, misdirection, and contextual manipulation. We quantitatively evaluate attack success rate (ASR) using the StrongREJECT (arXiv:2402.10260 [cs.CL]) framework across sequential interaction turns. Through extensive empirical evaluation of state-of-the-art models--including ChatGPT, Llama, and DeepSeek--we reveal significant vulnerabilities, with our automated attacks achieving jailbreak success rates of up to 86% for harmful content generation. Our findings reveal that current safety mechanisms remain susceptible to sophisticated multi-turn attacks, emphasizing the urgent need for more robust defense strategies.