arxiv: 2604.27861 · v1 · submitted 2026-04-30 · 💻 cs.CR · cs.CL· cs.LG

Recognition: unknown

TwinGate: Stateful Defense against Decompositional Jailbreaks in Untraceable Traffic via Asymmetric Contrastive Learning

Bowen Sun , Chaozhuo Li , Yaodong Yang , Yiwei Wang , Chaowei Xiao

Authors on Pith no claims yet

Pith reviewed 2026-05-07 06:03 UTC · model grok-4.3

classification 💻 cs.CR cs.CLcs.LG

keywords decompositional jailbreaksLLM defenseasymmetric contrastive learningstateful detectionuntraceable trafficmalicious fragment clusteringadversarial robustnessdual-encoder architecture

0 comments

The pith

TwinGate detects decompositional jailbreaks in anonymized LLM traffic by clustering malicious fragments with asymmetric contrastive learning while a frozen encoder blocks benign false positives.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Decompositional jailbreaks split a single malicious goal into multiple individually harmless queries that together bypass LLM safeguards, especially in real deployments where requests arrive as an untraceable mix of anonymized, interleaved traffic with no reliable user or session identifiers. TwinGate counters this with a stateful dual-encoder architecture that applies asymmetric contrastive learning to pull intent-matched malicious fragments into a shared latent space even when their surface wording differs, while a parallel frozen encoder keeps common benign topics from triggering alarms. Each incoming request needs only one lightweight forward pass, so the defense runs in parallel with the target model's prefill stage and adds negligible latency. On a dataset of 3.62 million instructions covering 8,600 distinct malicious intents, the system records high malicious-intent recall at low false-positive rates, resists adaptive attacks, and exceeds both stateful and stateless baselines in throughput and speed.

Core claim

TwinGate is a stateful dual-encoder defense framework that employs Asymmetric Contrastive Learning to cluster semantically disparate but intent-matched malicious fragments in a shared latent space, while a parallel frozen encoder suppresses false positives arising from benign topical overlap; each request requires only a single lightweight forward pass, enabling parallel execution with the target model's prefill phase at negligible latency overhead.

What carries the argument

Asymmetric Contrastive Learning (ACL) inside a dual-encoder architecture: one trainable encoder clusters intent-matched malicious fragments across queries, while the frozen encoder distinguishes them from benign topical similarities without requiring user metadata or global history.

If this is right

Defense operates without trustworthy user metadata or the ability to track global historical contexts.
Real-time monitoring incurs only a single lightweight forward pass per request and runs in parallel with the target model's prefill phase.
The system records high malicious-intent recall at low false-positive rates on a corpus of 3.62 million instructions spanning 8,600 intents.
Performance remains robust under adaptive attacks and exceeds both stateful and stateless baselines in throughput and latency.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The same clustering approach could be tested on multi-turn conversations that gradually build toward other disallowed outputs such as coordinated misinformation or data-exfiltration sequences.
Because the method needs no per-user history, it may scale directly to public API settings where requests arrive from unrelated sessions.
Combining the dual-encoder filter with existing single-query safety layers could produce a two-stage pipeline whose total latency stays low while coverage widens.
The released dataset of millions of instructions across thousands of intents offers a concrete starting point for standardized benchmarks in sequential LLM attack detection.

Load-bearing premise

Malicious fragments that share an underlying intent can be pulled into tight clusters in latent space by asymmetric contrastive learning even when their wording is semantically different, while the frozen encoder reliably prevents benign queries with topical overlap from being misclassified as malicious, all without any access to user or session metadata.

What would settle it

An experiment that measures whether fragments from the same malicious intent form tighter clusters than benign queries with similar topics under the trained encoders; if the separation collapses or false-positive rates rise sharply on held-out data, the central mechanism fails.

Figures

Figures reproduced from arXiv: 2604.27861 by Bowen Sun, Chaowei Xiao, Chaozhuo Li, Yaodong Yang, Yiwei Wang.

**Figure 1.** Figure 1: The end-to-end workflow of TwinGate. For each incoming request, the system performs dual encoding, stateful view at source ↗

**Figure 2.** Figure 2: Impact of semantic pruning on ACL performance: view at source ↗

**Figure 3.** Figure 3: Recall-FPR trade-off curve of TwinGate compared view at source ↗

**Figure 4.** Figure 4: Comparison of 𝑃99 latency versus throughput (QPS) for TwinGate and three baseline methods (Llama-Guard-3- 8B, Intent-FT, and Window Monitor). 0 1 2 3 4 5 6 7 Database Size (N × 106 ) 200 400 600 800 Total Latency (ms) P99 Latency P95 Latency P50 Latency view at source ↗

**Figure 5.** Figure 5: Latency (𝑃50, 𝑃95, 𝑃99) scaling with database size. The system maintains stable, sub-linear latency growth up to 6 million vectors, followed by a sharp performance degradation at 7 million due to VRAM exhaustion. itself is minimal. Third, within this 6-million-vector operational envelope, the database performance exhibits exceptional stability. The three latency curves remain remarkably flat, showing almo… view at source ↗

**Figure 6.** Figure 6: Relative AUC of the Recall-FPR curve across dif view at source ↗

**Figure 8.** Figure 8: Impact of the number of GCG-poisoned injections view at source ↗

**Figure 9.** Figure 9: Recall-FPR curves for TwinGate against ablation view at source ↗

read the original abstract

Decompositional jailbreaks pose a critical threat to large language models (LLMs) by allowing adversaries to fragment a malicious objective into a sequence of individually benign queries that collectively reconstruct prohibited content. In real-world deployments, LLMs face a continuous, untraceable stream of fully anonymized and arbitrarily interleaved requests, infiltrated by covertly distributed adversarial queries. Under this rigorous threat model, state-of-the-art defensive strategies exhibit fundamental limitations. In the absence of trustworthy user metadata, they are incapable of tracking global historical contexts, while their deployment of generative models for real-time monitoring introduces computationally prohibitive overhead. To address this, we present TwinGate, a stateful dual-encoder defense framework. TwinGate employs Asymmetric Contrastive Learning (ACL) to cluster semantically disparate but intent-matched malicious fragments in a shared latent space, while a parallel frozen encoder suppresses false positives arising from benign topical overlap. Each request requires only a single lightweight forward pass, enabling the defense to execute in parallel with the target model's prefill phase at negligible latency overhead. To evaluate our approach and advance future research, we construct a comprehensive dataset of over 3.62 million instructions spanning 8,600 distinct malicious intents. Evaluated on this large-scale corpus under a strictly causal protocol, TwinGate achieves high malicious intent recall at a remarkably low false positive rate while remaining highly robust against adaptive attacks. Furthermore, our proposal substantially outperforms stateful and stateless baselines, delivering superior throughput and reduced latency.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

TwinGate tries to handle decompositional jailbreaks in untraceable traffic with a contrastive dual-encoder but the key assumptions about latent space clustering need more proof than the abstract gives.

read the letter

TwinGate is an attempt to defend LLMs against decompositional jailbreaks where attackers split a bad request into multiple innocent-looking ones that only make sense together. The setup uses two encoders: one trained with asymmetric contrastive learning to pull together fragments that share malicious intent, and a frozen one to avoid flagging normal queries that happen to touch on similar topics. This lets it work in a stream of anonymous, mixed-up requests without keeping any user history or metadata, and it runs with just one forward pass per query so it doesn't slow things down much. The paper does a decent job spelling out why standard approaches fall short here. Stateful methods usually rely on tracking the same user over time, which isn't possible under this threat model, and using another LLM to monitor is too expensive for real deployments. They also put together a large dataset of 3.62 million instructions covering 8600 intents, which should help with coverage, and they evaluate under a causal protocol that respects the no-future-info rule. The main weakness is that we don't get to see whether the contrastive learning actually creates the tight clusters needed for high recall without raising false positives. The abstract claims strong results and robustness to adaptive attacks, but without any embedding visualizations, distance measurements, or breakdowns of what happens on tricky fragments, it's difficult to judge if the method is really working or if the numbers come from careful dataset construction. The same goes for the outperformance over baselines; more detail on the exact comparisons would help. This is the kind of work that matters for teams trying to secure public LLM APIs where traffic is anonymized and attacks can be interleaved. A reader focused on practical safety mechanisms would get value from the threat model and the low-overhead design, even if they have to wait for stronger experimental backing. I would recommend sending it for peer review. The direction is worth exploring and the gaps are fixable with more analysis on the learned representations.

Referee Report

3 major / 1 minor

Summary. The manuscript introduces TwinGate, a stateful dual-encoder defense framework against decompositional jailbreaks in untraceable LLM traffic. It uses Asymmetric Contrastive Learning (ACL) to cluster semantically disparate but intent-matched malicious fragments in a shared latent space, paired with a frozen encoder to reduce false positives from benign queries. The approach requires only a single lightweight forward pass per request. The authors construct a dataset of over 3.62 million instructions spanning 8,600 malicious intents and claim that, under a strictly causal protocol, TwinGate achieves high malicious intent recall at low false positive rates, robustness to adaptive attacks, and outperforms stateful and stateless baselines in throughput and latency.

Significance. If the results hold, this would represent a meaningful advance in practical defenses for LLMs against sophisticated, history-free jailbreak attacks. The lightweight nature and parallel execution with the target model's prefill phase address real deployment constraints. The large-scale dataset could be a useful resource for the community, provided its construction is fully documented. However, the absence of supporting analyses for the core contrastive learning mechanism limits the immediate impact.

major comments (3)

The abstract states strong performance numbers (high malicious intent recall, low FPR, robustness to adaptive attacks) but supplies no implementation details, quantitative tables, error bars, statistical tests, or description of how the 3.62-million-instruction dataset was constructed or how the causal protocol was enforced. This is load-bearing for the central empirical claims.
The core mechanism relies on asymmetric contrastive learning mapping intent-matched fragments to nearby points in latent space while suppressing benign topical overlap, yet no cluster-separation metrics, embedding visualizations, or distance histograms are provided to validate this geometry on held-out or adaptively generated fragments (see the threat model and ACL description).
The evaluation lacks any direct evidence that the learned clusters remain effective under the strictly causal, metadata-free protocol; without such analysis, the reported superiority over baselines and robustness claims cannot be assessed.

minor comments (1)

Provide pseudocode or a diagram for the dual-encoder forward pass and the exact contrastive loss formulation (temperature, margin, batch construction) to improve reproducibility.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed review. The comments highlight important areas where additional evidence and clarity will strengthen the manuscript. We address each major comment below and have revised the paper to incorporate the requested supporting analyses, details, and validations.

read point-by-point responses

Referee: The abstract states strong performance numbers (high malicious intent recall, low FPR, robustness to adaptive attacks) but supplies no implementation details, quantitative tables, error bars, statistical tests, or description of how the 3.62-million-instruction dataset was constructed or how the causal protocol was enforced. This is load-bearing for the central empirical claims.

Authors: We agree that the abstract's brevity leaves the central claims without sufficient supporting detail in that section alone. In the revised manuscript we have added a new subsection (4.1) that fully documents the dataset construction process, including the origin of the 8,600 malicious intents, the decomposition procedure, and the filtering steps that produced the 3.62 million instructions. We have also inserted quantitative tables (Table 2) reporting recall, FPR, and throughput with error bars from five independent runs, together with paired statistical significance tests against all baselines. Expanded implementation details for the causal protocol (single-pass, metadata-free processing) and ACL training hyperparameters now appear in Sections 3.2 and 5.1. These additions make the empirical claims directly verifiable. revision: yes
Referee: The core mechanism relies on asymmetric contrastive learning mapping intent-matched fragments to nearby points in latent space while suppressing benign topical overlap, yet no cluster-separation metrics, embedding visualizations, or distance histograms are provided to validate this geometry on held-out or adaptively generated fragments (see the threat model and ACL description).

Authors: We accept that direct geometric validation of the ACL objective was missing. The revised manuscript now includes t-SNE embeddings (new Figure 6) of held-out malicious fragments and benign queries, distance histograms comparing intra-intent versus benign distances, and quantitative metrics (silhouette score, mean intra-cluster distance, and inter-cluster margin) computed on both standard held-out fragments and fragments generated under the adaptive attack model described in Section 2.3. These results are discussed in a new subsection 5.2 and confirm that the asymmetric contrastive loss produces the intended separation while the frozen encoder suppresses topical false positives. revision: yes
Referee: The evaluation lacks any direct evidence that the learned clusters remain effective under the strictly causal, metadata-free protocol; without such analysis, the reported superiority over baselines and robustness claims cannot be assessed.

Authors: We agree that an explicit demonstration of cluster stability under the causal constraint is necessary. We have added an ablation (new Table 4 and Figure 7) that compares TwinGate's stateful dual-encoder performance when operating strictly causally (no history or metadata) against a non-causal oracle that is given full conversation history. The results show that the latent-state tracking maintains high recall and low FPR even without metadata. We further report adaptive-attack results in which adversaries explicitly attempt to produce fragments that would break the learned clusters; recall remains above 92 % at the operating point used in the main experiments. These analyses directly support the superiority and robustness claims under the stated threat model. revision: yes

Circularity Check

0 steps flagged

No significant circularity in derivation chain

full rationale

The paper presents TwinGate as an empirical defense framework relying on Asymmetric Contrastive Learning applied to a newly constructed 3.62M-instruction corpus spanning 8,600 intents. No mathematical derivations, equations, or first-principles predictions are described that reduce claimed metrics (recall, FPR, robustness) to quantities defined by the model's own fitted parameters or by self-referential construction. Performance is assessed via external evaluation under a strictly causal protocol against baselines, with the contrastive clustering mechanism treated as a standard applied technique rather than a result derived from the target outcomes. No load-bearing self-citations, uniqueness theorems, or ansatz smuggling are evident in the core claims; the method remains self-contained against the provided benchmarks.

Axiom & Free-Parameter Ledger

2 free parameters · 2 axioms · 1 invented entities

Only the abstract is available, so the ledger is necessarily incomplete. The approach rests on standard machine-learning training assumptions plus the domain-specific claim that intent-matched fragments can be clustered without user history.

free parameters (2)

contrastive learning hyperparameters (temperature, margin, batch size)
Standard in contrastive learning but not enumerated; their values would be fitted during training on the malicious-fragment corpus.
encoder architecture and projection head dimensions
Chosen to enable the asymmetric contrastive objective; not specified in abstract.

axioms (2)

domain assumption Asymmetric contrastive learning can map semantically disparate but intent-matched malicious fragments into nearby points in latent space while a frozen encoder separates benign topical overlap.
This is the central mechanistic claim of the method and is invoked to justify both the clustering and false-positive suppression.
domain assumption A single lightweight forward pass per request suffices for real-time detection in parallel with the target LLM prefill phase.
Assumed to deliver negligible latency overhead under the stated threat model.

invented entities (1)

TwinGate dual-encoder framework no independent evidence
purpose: Stateful detection of decompositional jailbreaks without user metadata
New system architecture introduced to solve the untraceable-traffic constraint.

pith-pipeline@v0.9.0 · 5584 in / 1637 out tokens · 75284 ms · 2026-05-07T06:03:54.238516+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

39 extracted references · 34 canonical work pages · 14 internal anchors

[1]

Andy Arditi, Oscar Obeso, Aaquib Syed, Daniel Paleka, Nina Panickssery, Wes Gurnee, and Neel Nanda. 2024. Refusal in Language Models Is Mediated by a Single Direction. arXiv:2406.11717 [cs.LG] https://arxiv.org/abs/2406.11717

work page internal anchor Pith review arXiv 2024
[2]

Sahil Chaudhary. 2023. Code Alpaca: An Instruction-following LLaMA model for code generation. https://github.com/sahil280114/codealpaca

2023
[3]

2023.Free Dolly: Introducing the World’s First Truly Open Instruction- Tuned LLM

Mike Conover, Matt Hayes, Ankit Mathur, Jianwei Xie, Jun Wan, Sam Shah, Ali Ghodsi, Patrick Wendell, Matei Zaharia, and Reynold Xin. 2023.Free Dolly: Introducing the World’s First Truly Open Instruction- Tuned LLM. https://www.databricks.com/blog/2023/04/12/dolly-first-open- commercially-viable-instruction-tuned-llm

2023
[4]

Ning Ding, Yulin Chen, Bokai Xu, Yujia Qin, Zhi Zheng, Shengding Hu, Zhiyuan Liu, Maosong Sun, and Bowen Zhou. 2023. Enhancing Chat Language Models by Scaling High-quality Instructional Conversations. arXiv:2305.14233 [cs.CL] https://arxiv.org/abs/2305.14233

work page arXiv 2023
[5]

Matthijs Douze, Alexandr Guzhva, Chengqi Deng, Jeff Johnson, Gergely Szilvasy, Pierre-Emmanuel Mazaré, Maria Lomeli, Lucas Hosseini, and Hervé Jégou. 2025. The Faiss library. arXiv:2401.08281 [cs.LG] https://arxiv.org/abs/2401.08281

work page internal anchor Pith review arXiv 2025
[6]

Length-Controlled AlpacaEval: A Simple Way to Debias Automatic Evaluators

Yann Dubois, Balázs Galambosi, Percy Liang, and Tatsunori B. Hashimoto. 2025. Length-Controlled AlpacaEval: A Simple Way to Debias Automatic Evaluators. arXiv:2404.04475 [cs.LG] https://arxiv.org/abs/2404.04475

work page internal anchor Pith review arXiv 2025
[7]

Aaron Grattafiori, Abhimanyu Dubey, Abhinav Jauhri, Abhinav Pandey, Ab- hishek Kadian, Ahmad Al-Dahle, Aiesha Letman, Akhil Mathur, Alan Schelten, TwinGate: Stateful Defense against Decompositional Jailbreaks in Untraceable Traffic via Asymmetric Contrastive Learning Alex Vaughan, Amy Yang, Angela Fan, Anirudh Goyal, Anthony Hartshorn, Aobo Yang, Archi Mi...

work page internal anchor Pith review arXiv 2024
[8]

Shangding Gu, Long Yang, Yali Du, Guang Chen, Florian Walter, Jun Wang, and Alois Knoll. 2024. A Review of Safe Reinforcement Learning: Methods, Theory and Applications. arXiv:2205.10330 [cs.AI] https://arxiv.org/abs/2205.10330

work page arXiv 2024
[9]

Pengcheng He, Jianfeng Gao, and Weizhu Chen. 2023. DeBERTaV3: Improv- ing DeBERTa using ELECTRA-Style Pre-Training with Gradient-Disentangled Embedding Sharing. arXiv:2111.09543 [cs.CL] https://arxiv.org/abs/2111.09543

work page arXiv 2023
[10]

Pengcheng He, Xiaodong Liu, Jianfeng Gao, and Weizhu Chen. 2021. DeBERTa: Decoding-enhanced BERT with Disentangled Attention. arXiv:2006.03654 [cs.CL] https://arxiv.org/abs/2006.03654

work page internal anchor Pith review arXiv 2021
[11]

Dan Hendrycks and Kevin Gimpel. 2023. Gaussian Error Linear Units (GELUs). arXiv:1606.08415 [cs.LG] https://arxiv.org/abs/1606.08415

work page internal anchor Pith review arXiv 2023
[12]

Hakan Inan, Kartikeya Upasani, Jianfeng Chi, Rashi Rungta, Krithika Iyer, Yuning Mao, Michael Tontchev, Qing Hu, Brian Fuller, Davide Testuggine, and Madian Khabsa. 2023. Llama Guard: LLM-based Input-Output Safeguard for Human-AI Conversations. arXiv:2312.06674 [cs.CL] https://arxiv.org/abs/2312.06674

work page internal anchor Pith review arXiv 2023
[13]

Jiaming Ji, Mickel Liu, Juntao Dai, Xuehai Pan, Chi Zhang, Ce Bian, Chi Zhang, Ruiyang Sun, Yizhou Wang, and Yaodong Yang. 2023. BeaverTails: To- wards Improved Safety Alignment of LLM via a Human-Preference Dataset. arXiv:2307.04657 [cs.CL] https://arxiv.org/abs/2307.04657

work page arXiv 2023
[14]

Albert Q. Jiang, Alexandre Sablayrolles, Arthur Mensch, Chris Bamford, De- vendra Singh Chaplot, Diego de las Casas, Florian Bressand, Gianna Lengyel, Guillaume Lample, Lucile Saulnier, Lélio Renard Lavaud, Marie-Anne Lachaux, Pierre Stock, Teven Le Scao, Thibaut Lavril, Thomas Wang, Timothée Lacroix, and William El Sayed. 2023. Mistral 7B. arXiv:2310.068...

work page internal anchor Pith review arXiv 2023
[15]

Woosuk Kwon, Zhuohan Li, Siyuan Zhuang, Ying Sheng, Lianmin Zheng, Cody Hao Yu, Joseph Gonzalez, Hao Zhang, and Ion Stoica. 2023. Efficient Memory Management for Large Language Model Serving with PagedAttention. InProceedings of the 29th Symposium on Operating Systems Principles(Koblenz, Germany)(SOSP ’23). Association for Computing Machinery, New York, N...

work page doi:10.1145/3600006.3613165 2023
[16]

Yang Li, Qiang Sheng, Yehan Yang, Xueyao Zhang, and Juan Cao. 2025. From Judgment to Interference: Early Stopping LLM Harmful Outputs via Streaming Content Monitoring. arXiv:2506.09996 [cs.CL] https://arxiv.org/abs/2506.09996

work page arXiv 2025
[17]

Mantas Mazeika, Long Phan, Xuwang Yin, Andy Zou, Zifan Wang, Norman Mu, Elham Sakhaee, Nathaniel Li, Steven Basart, Bo Li, David Forsyth, and Dan Hendrycks. 2024. HarmBench: A Standardized Evaluation Framework for Automated Red Teaming and Robust Refusal. arXiv:2402.04249 [cs.LG] https://arxiv.org/abs/2402.04249

work page internal anchor Pith review arXiv 2024
[18]

Long Ouyang, Jeff Wu, Xu Jiang, Diogo Almeida, Carroll L. Wainwright, Pamela Mishkin, Chong Zhang, Sandhini Agarwal, Katarina Slama, Alex Ray, John Schul- man, Jacob Hilton, Fraser Kelton, Luke Miller, Maddie Simens, Amanda Askell, Pe- ter Welinder, Paul Christiano, Jan Leike, and Ryan Lowe. 2022. Training language models to follow instructions with human...

work page internal anchor Pith review arXiv 2022
[19]

Mark Russinovich, Ahmed Salem, and Ronen Eldan. 2025. Great, Now Write an Article About That: The Crescendo Multi-Turn LLM Jailbreak Attack. arXiv:2404.01833 [cs.CR] https://arxiv.org/abs/2404.01833

work page arXiv 2025
[20]

Alexandra Souly, Qingyuan Lu, Dillon Bowen, Tu Trinh, Elvis Hsieh, Sana Pandey, Pieter Abbeel, Justin Svegliato, Scott Emmons, Olivia Watkins, and Sam Toyer
[21]

A StrongREJECT for Empty Jailbreaks

A StrongREJECT for Empty Jailbreaks. arXiv:2402.10260 [cs.LG] https: //arxiv.org/abs/2402.10260

work page arXiv
[22]

Devansh Srivastav and Xiao Zhang. 2025. Safe in Isolation, Dangerous Together: Agent-Driven Multi-Turn Decomposition Jailbreaks on LLMs. InProceedings of the 1st Workshop for Research on Agent Language Models (REALM 2025), Ehsan Kamalloo, Nicolas Gontier, Xing Han Lu, Nouha Dziri, Shikhar Murty, and Alexan- dre Lacoste (Eds.). Association for Computationa...

work page doi:10.18653/v1/2025.realm-1.13 2025
[23]

Woodland, and Jose Such

Guangzhi Sun, Xiao Zhan, Shutong Feng, Philip C. Woodland, and Jose Such. 2025. CASE-Bench: Context-Aware SafEty Benchmark for Large Language Models. arXiv:2501.14940 [cs.CL] https://arxiv.org/abs/2501.14940

work page arXiv 2025
[24]

Hashimoto

Rohan Taori, Ishaan Gulrajani, Tianyi Zhang, Yann Dubois, Xuechen Li, Carlos Guestrin, Percy Liang, and Tatsunori B. Hashimoto. 2023. Stanford Alpaca: An Instruction-following LLaMA model. https://github.com/tatsu-lab/stanford_ alpaca

2023
[25]

Gomez, Łukasz Kaiser, and Illia Polosukhin

Ashish Vaswani, Noam Shazeer, Niki Parmar, Jakob Uszkoreit, Llion Jones, Aidan N. Gomez, Łukasz Kaiser, and Illia Polosukhin. 2017. Attention is all you need. InProceedings of the 31st International Conference on Neural Information Processing Systems(Long Beach, California, USA)(NIPS’17). Curran Associates Inc., Red Hook, NY, USA, 6000–6010

2017
[26]

Jianguo Wang, Xiaomeng Yi, Rentong Guo, Hai Jin, Peng Xu, Shengjun Li, Xi- angyu Wang, Xiangzhou Guo, Chengming Li, Xiaohai Xu, Kun Yu, Yuxing Yuan, Yinghao Zou, Jiquan Long, Yudong Cai, Zhenxiang Li, Zhifeng Zhang, Yihua Mo, Jun Gu, Ruiyi Jiang, Yi Wei, and Charles Xie. 2021. Milvus: A Purpose-Built Vector Data Management System. InProceedings of the 202...

work page doi:10.1145/3448016.3457550 2021
[27]

A comprehensive survey in llm (-agent) full stack safety: Data, training and deployment.arXiv preprint arXiv:2504.15585, 2025

Kun Wang, Guibin Zhang, Zhenhong Zhou, Jiahao Wu, Miao Yu, Shiqian Zhao, Chenlong Yin, Jinhu Fu, Yibo Yan, Hanjun Luo, Liang Lin, Zhihao Xu, Haolang Lu, Xinye Cao, Xinyun Zhou, Weifei Jin, Fanci Meng, Shicheng Xu, Junyuan Mao, Yu Wang, Hao Wu, Minghe Wang, Fan Zhang, Junfeng Fang, Wenjie Qu, Yue Liu, Chengwei Liu, Yifan Zhang, Qiankun Li, Chongye Guo, Yal...

work page arXiv 2025
[28]

Peiran Wang, Xiaogeng Liu, and Chaowei Xiao. 2024. RePD: Defending Jailbreak Attack through a Retrieval-based Prompt Decomposition Process. arXiv:2410.08660 [cs.CR] https://arxiv.org/abs/2410.08660

work page arXiv 2024
[29]

Rongzhe Wei, Peizhi Niu, Xinjie Shen, Tony Tu, Yifan Li, Ruihan Wu, Eli Chien, Pin-Yu Chen, Olgica Milenkovic, and Pan Li. 2025. The Trojan Knowledge: By- passing Commercial LLM Guardrails via Harmless Prompt Weaving and Adaptive Tree Search. arXiv:2512.01353 [cs.CR] https://arxiv.org/abs/2512.01353

work page arXiv 2025
[30]

Yuan Xin, Dingfan Chen, Linyi Yang, Michael Backes, and Xiao Zhang. 2025. Jailbreaking Attacks vs. Content Safety Filters: How Far Are We in the LLM Safety Arms Race? arXiv:2512.24044 [cs.CR] https://arxiv.org/abs/2512.24044

work page arXiv 2025
[31]

Can Xu, Qingfeng Sun, Kai Zheng, Xiubo Geng, Pu Zhao, Jiazhan Feng, Chongyang Tao, Qingwei Lin, and Daxin Jiang. 2025. WizardLM: Em- powering large pre-trained language models to follow complex instructions. arXiv:2304.12244 [cs.CL] https://arxiv.org/abs/2304.12244

work page internal anchor Pith review arXiv 2025
[32]

Zhangchen Xu, Fengqing Jiang, Luyao Niu, Yuntian Deng, Radha Poovendran, Yejin Choi, and Bill Yuchen Lin. 2024. Magpie: Alignment Data Synthesis from Scratch by Prompting Aligned LLMs with Nothing. arXiv:2406.08464 [cs.CL] https://arxiv.org/abs/2406.08464

work page arXiv 2024
[33]

Zihao Xu, Yi Liu, Gelei Deng, Yuekang Li, and Stjepan Picek. 2024. A Compre- hensive Study of Jailbreak Attack versus Defense for Large Language Models. In Findings of the Association for Computational Linguistics: ACL 2024, Lun-Wei Ku, Andre Martins, and Vivek Srikumar (Eds.). Association for Computational Lin- guistics, Bangkok, Thailand, 7432–7449. doi...

work page doi:10.18653/v1/2024.findings-acl.443 2024
[34]

An Yang, Anfeng Li, Baosong Yang, Beichen Zhang, Binyuan Hui, Bo Zheng, Bowen Yu, Chang Gao, Chengen Huang, Chenxu Lv, Chujie Zheng, Dayiheng Liu, Fan Zhou, Fei Huang, Feng Hu, Hao Ge, Haoran Wei, Huan Lin, Jialong Tang, Jian Yang, Jianhong Tu, Jianwei Zhang, Jianxin Yang, Jiaxi Yang, Jing Zhou, Jingren Zhou, Junyang Lin, Kai Dang, Keqin Bao, Kexin Yang, ...

work page internal anchor Pith review arXiv 2025
[35]

Sibo Yi, Yule Liu, Zhen Sun, Tianshuo Cong, Xinlei He, Jiaxing Song, Ke Xu, and Qi Li. 2024. Jailbreak Attacks and Defenses Against Large Language Models: A Survey. arXiv:2407.04295 [cs.CR] https://arxiv.org/abs/2407.04295

work page internal anchor Pith review arXiv 2024
[36]

Chen Yueh-Han, Nitish Joshi, Yulin Chen, Maksym Andriushchenko, Rico Angell, and He He. 2025. Monitoring Decomposition Attacks in LLMs with Lightweight Sequential Monitors. arXiv:2506.10949 [cs.CR] https://arxiv.org/abs/2506.10949

work page arXiv 2025
[37]

Yuqi Zhang, Liang Ding, Lefei Zhang, and Dacheng Tao. 2024. Intention Analysis Makes LLMs A Good Jailbreak Defender. arXiv:2401.06561 [cs.CL] https://arxiv. org/abs/2401.06561

work page arXiv 2024
[38]

Zheng, W.-L

Lianmin Zheng, Wei-Lin Chiang, Ying Sheng, Tianle Li, Siyuan Zhuang, Zhang- hao Wu, Yonghao Zhuang, Zhuohan Li, Zi Lin, Eric P. Xing, Joseph E. Gonzalez, Ion Stoica, and Hao Zhang. 2024. LMSYS-Chat-1M: A Large-Scale Real-World LLM Conversation Dataset. arXiv:2309.11998 [cs.CL] https://arxiv.org/abs/2309. 11998

work page arXiv 2024
[39]

Universal and Transferable Adversarial Attacks on Aligned Language Models

Andy Zou, Zifan Wang, Nicholas Carlini, Milad Nasr, J. Zico Kolter, and Matt Fredrikson. 2023. Universal and Transferable Adversarial Attacks on Aligned Language Models. arXiv:2307.15043 [cs.CL] https://arxiv.org/abs/2307.15043

work page internal anchor Pith review arXiv 2023