Attention-Aware GNN-based Input Defense against Multi-Turn LLM Jailbreak

TL;DR

This paper presents G-Guard, a novel attention-aware GNN-based classifier that effectively detects multi-turn jailbreak attacks on LLMs by modeling query relationships and incorporating relevant single-turn queries.

Contribution

Introduction of G-Guard, a GNN-based input classifier with attention-aware augmentation to defend against complex multi-turn jailbreak attacks on LLMs.

Findings

G-Guard outperforms baseline methods across multiple datasets.

The entity graph captures inter-query relationships effectively.

Attention-aware augmentation improves detection accuracy.

Abstract

Large Language Models (LLMs) have gained significant traction in various applications, yet their capabilities present risks for both constructive and malicious exploitation. Despite extensive training and fine-tuning efforts aimed at enhancing safety, LLMs remain susceptible to jailbreak attacks. Recently, the emergence of multi-turn attacks has intensified this vulnerability. Unlike single-turn attacks, multi-turn attacks incrementally escalate dialogue complexity, rendering them more challenging to detect and mitigate. In this study, we introduce G-Guard, an innovative attention-aware Graph Neural Network (GNN)-based input classifier specifically designed to defend against multi-turn jailbreak attacks targeting LLMs. G-Guard constructs an entity graph for multi-turn queries, which captures the interrelationships between queries and harmful keywords that present in multi-turn queries. Furthermore, we propose an attention-aware augmentation mechanism that retrieves the most relevant single-turn query based on the ongoing multi-turn conversation. The retrieved query is incorporated as a labeled node within the graph, thereby enhancing the GNN's capacity to classify the current query as harmful or benign. Evaluation results show that G-Guard consistently outperforms all baselines across diverse datasets and evaluation metrics, demonstrating its efficacy as a robust defense mechanism against multi-turn jailbreak attacks.