Structured Semantic Cloaking for Jailbreak Attacks on Large Language Models

TL;DR

This paper introduces Structured Semantic Cloaking (S2C), a novel attack framework that manipulates semantic cues in prompts to evade safety mechanisms in large language models, significantly increasing jailbreak success rates.

Contribution

The paper presents S2C, a multi-dimensional semantic manipulation framework that delays and restructures malicious intent reconstruction during inference, improving attack success rates against LLM safety defenses.

Findings

S2C increases attack success rate by over 12% on HarmBench.

S2C outperforms state-of-the-art methods by up to 26% on JBB-Behaviors.

S2C effectively degrades safety trigger effectiveness while maintaining output recoverability.

Abstract

Modern LLMs employ safety mechanisms that extend beyond surface-level input filtering to latent semantic representations and generation-time reasoning, enabling them to recover obfuscated malicious intent during inference and refuse accordingly, and rendering many surface-level obfuscation jailbreak attacks ineffective. We propose Structured Semantic Cloaking (S2C), a novel multi-dimensional jailbreak attack framework that manipulates how malicious semantic intent is reconstructed during model inference. S2C strategically distributes and reshapes semantic cues such that full intent consolidation requires multi-step inference and long-range co-reference resolution within deeper latent representations. The framework comprises three complementary mechanisms: (1) Contextual Reframing, which embeds the request within a plausible high-stakes scenario to bias the model toward compliance; (2) Content Fragmentation, which disperses the semantic signature of the request across disjoint prompt segments; and (3) Clue-Guided Camouflage, which disguises residual semantic cues while embedding recoverable markers that guide output generation. By delaying and restructuring semantic consolidation, S2C degrades safety triggers that depend on coherent or explicitly reconstructed malicious intent at decoding time, while preserving sufficient instruction recoverability for functional output generation. We evaluate S2C across multiple open-source and proprietary LLMs using HarmBench and JBB-Behaviors, where it improves Attack Success Rate (ASR) by 12.4% and 9.7%, respectively, over the current SOTA. Notably, S2C achieves substantial gains on GPT-5-mini, outperforming the strongest baseline by 26% on JBB-Behaviors. We also analyse which combinations perform best against broad families of models, and characterise the trade-off between the extent of obfuscation versus input recoverability on jailbreak success.