How Real is Your Jailbreak? Fine-grained Jailbreak Evaluation with Anchored Reference

TL;DR

This paper introduces FJAR, a fine-grained evaluation framework for jailbreak attacks on LLMs that uses anchored references and response categorization to improve accuracy over coarse methods.

Contribution

FJAR is a novel framework that employs a detailed response categorization and a harmless tree decomposition to better evaluate jailbreak success and failure modes.

Findings

FJAR aligns closely with human judgment in jailbreak evaluation.

It effectively identifies root causes of jailbreak failures.

Provides actionable insights for improving attack strategies.

Abstract

Jailbreak attacks present a significant challenge to the safety of Large Language Models (LLMs), yet current automated evaluation methods largely rely on coarse classifications that focus mainly on harmfulness, leading to substantial overestimation of attack success. To address this problem, we propose FJAR, a fine-grained jailbreak evaluation framework with anchored references. We first categorized jailbreak responses into five fine-grained categories: Rejective, Irrelevant, Unhelpful, Incorrect, and Successful, based on the degree to which the response addresses the malicious intent of the query. This categorization serves as the basis for FJAR. Then, we introduce a novel harmless tree decomposition approach to construct high-quality anchored references by breaking down the original queries. These references guide the evaluator in determining whether the response genuinely fulfills the original query. Extensive experiments demonstrate that FJAR achieves the highest alignment with human judgment and effectively identifies the root causes of jailbreak failures, providing actionable guidance for improving attack strategies.