SoK: Robustness in Large Language Models against Jailbreak Attacks

TL;DR

This paper systematically reviews jailbreak attacks on large language models, introduces a comprehensive evaluation framework called Security Cube, and benchmarks existing attacks and defenses to identify key challenges and future directions.

Contribution

It presents a unified, multi-dimensional framework for evaluating LLM security against jailbreaks and provides benchmark studies on numerous attacks and defenses.

Findings

Benchmarking reveals strengths and weaknesses of current defenses.

Identifies open challenges in LLM robustness and interpretability.

Provides a comprehensive taxonomy and evaluation framework.

Abstract

Large Language Models (LLMs) have achieved remarkable success but remain highly susceptible to jailbreak attacks, in which adversarial prompts coerce models into generating harmful, unethical, or policy-violating outputs. Such attacks pose real-world risks, eroding safety, trust, and regulatory compliance in high-stakes applications. Although a variety of attack and defense methods have been proposed, existing evaluation practices are inadequate, often relying on narrow metrics like attack success rate that fail to capture the multidimensional nature of LLM security. In this paper, we present a systematic taxonomy of jailbreak attacks and defenses and introduce Security Cube, a unified, multi-dimensional framework for comprehensive evaluation of these techniques. We provide detailed comparison tables of existing attacks and defenses, highlighting key insights and open challenges across the literature. Leveraging Security Cube, we conduct benchmark studies on 13 representative attacks and 5 defenses, establishing a clear view of the current landscape encompassing jailbreak attacks, defenses, automated judges, and LLM vulnerabilities. Based on these evaluations, we distill critical findings, identify unresolved problems, and outline promising research directions for enhancing LLM robustness against jailbreak attacks. Our analysis aims to pave the way towards more robust, interpretable, and trustworthy LLM systems. Our code is available at Code.