Not All Tokens Are Created Equal: Query-Efficient Jailbreak Fuzzing for LLMs

TL;DR

This paper introduces TriageFuzz, a token-aware jailbreak fuzzing framework for LLMs that uses surrogate models to efficiently identify prompt regions causing refusals, significantly reducing query costs while maintaining high attack success rates.

Contribution

It presents a novel token-level analysis of refusal behavior and a surrogate-based, token-aware fuzzing approach that improves attack efficiency against LLMs.

Findings

Achieves 90% attack success rate with 70% fewer queries.

Outperforms existing methods under strict query budgets.

Demonstrates cross-model consistency in refusal tendencies.

Abstract

Large Language Models(LLMs) are widely deployed, yet are vulnerable to jailbreak prompts that elicit policy-violating outputs. Although prior studies have uncovered these risks, they typically treat all tokens as equally important during prompt mutation, overlooking the varying contributions of individual tokens to triggering model refusals. Consequently, these attacks introduce substantial redundant searching under query-constrained scenarios, reducing attack efficiency and hindering comprehensive vulnerability assessment. In this work, we conduct a token-level analysis of refusal behavior and observe that token contributions are highly skewed rather than uniform. Moreover, we find strong cross-model consistency in refusal tendencies, enabling the use of a surrogate model to estimate token-level contributions to the target model's refusals. Motivated by these findings, we propose TriageFuzz, a token-aware jailbreak fuzzing framework that adapts the fuzz testing approach with a series of customized designs. TriageFuzz leverages a surrogate model to estimate the contribution of individual tokens to refusal behaviors, enabling the identification of sensitive regions within the prompt. Furthermore, it incorporates a refusal-guided evolutionary strategy that adaptively weights candidate prompts with a lightweight scorer to steer the evolution toward bypassing safety constraints. Extensive experiments on six open-source LLMs and three commercial APIs demonstrate that TriageFuzz achieves comparable attack success rates (ASR) with significantly reduced query costs. Notably, it attains a 90% ASR with over 70% fewer queries compared to baselines. Even under an extremely restrictive budget of 25 queries, TriageFuzz outperforms existing methods, improving ASR by 20-40%.