From static to adaptive: immune memory-based jailbreak detection for large language models

TL;DR

This paper introduces IMAG, an immune memory-inspired adaptive framework for detecting and mitigating jailbreak attacks on large language models, improving robustness and adaptability over static methods.

Contribution

The paper proposes a novel immune memory-based framework that enables LLMs to adaptively detect and respond to evolving jailbreak attacks, surpassing static detection methods.

Findings

Achieves 94% average detection accuracy across diverse attacks

Outperforms state-of-the-art static detection baselines

Demonstrates effective adaptive defense in multiple LLMs

Abstract

Large Language Models (LLMs) serve as the backbone of modern AI systems, yet they remain susceptible to adversarial jailbreak attacks. Consequently, robust detection of such malicious inputs is paramount for ensuring model safety. Traditional detection methods typically rely on external models trained on fixed, large-scale datasets, which often incur significant computational overhead. While recent methods shift toward leveraging internal safety signals of models to enable more lightweight and efficient detection. However, these methods remain inherently static and struggle to adapt to the evolving nature of jailbreak attacks. Drawing inspiration from the biological immune mechanism, we introduce the Immune Memory Adaptive Guard (IMAG) framework. By distilling and encoding safety patterns into a persistent, evolvable memory bank, IMAG enables adaptive generalization to emerging threats. Specifically, the framework orchestrates three synergistic components: Immune Detection, which employs retrieval for high-efficiency interception of known jailbreak attacks; Active Immunity, which performs proactive behavioral simulation to resolve ambiguous unknown queries; Memory Updating, which integrates validated attack patterns back into the memory bank. This closed-loop architecture transitions LLM defense from rigid filtering to autonomous adaptive mitigation. Extensive evaluations across five representative open-source LLMs demonstrate that our method surpasses state-of-the-art (SOTA) baselines, achieving a superior average detection accuracy of 94\% across diverse and complex attack types.