One Jailbreak, Many Tongues: Learning Language-Insensitive Intention Representations for Multilingual Jailbreak Detection
Pith reviewed 2026-07-05 04:34 UTC · model glm-5.2
The pith
Contrastive clustering detects multilingual jailbreaks at 98.5% F1
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The paper's central claim is that the reason multilingual jailbreak detection fails is not primarily a translation or data-quantity problem but a representation-dispersion problem: jailbreak prompts expressing the same malicious intent in different languages scatter into language-specific clusters in embedding space, preventing a single decision boundary from separating them from benign prompts. By imposing relative-distance constraints via supervised contrastive learning — where every jailbreak prompt in a batch is pulled toward every other jailbreak prompt regardless of language, and pushed away from every benign prompt — the model reorganizes the embedding space so that the jailbreak/benj
What carries the argument
The central mechanism is a supervised contrastive loss (L_dist) operating on projected, L2-normalized embeddings from a DeBERTa encoder. For each sample in a batch, the loss increases cosine similarity to all same-class samples and decreases it to all different-class samples, with a temperature coefficient τ=0.1. This is jointly optimized with an imbalance-weighted binary cross-entropy loss (L_wce) whose class weights are normalized inverse priors, and a balancing coefficient λ=0.55. The training data is produced by MBT-DA: each English prompt is forward-translated into three variants per target language, back-translated to English, and filtered by an accuracy score (semantic consistency), a
If this is right
- If relative-distance constraints genuinely produce language-insensitive intent representations, the same architecture could be applied to other cross-lingual safety tasks — detecting hate speech, prompt injection, or social engineering across language barriers — without requiring native-language training data for each task.
- The MBT-DA pipeline's functional-effectiveness filter (checking that translated jailbreak prompts still elicit harmful responses) creates a reusable methodology for building multilingual adversarial test sets, since it validates that translations preserve attack utility rather than just surface meaning.
- The finding that batch size strongly affects contrastive performance (batch=1 yields zero learning, batch=64 yields best results) suggests that deployment of similar contrastive defenses in production will face memory-throughput tradeoffs that may limit real-time use.
- The 97.1% F1 on completely unseen languages implies the learned representation generalizes beyond the training language set, which if robust would mean defenders can protect languages for which no jailbreak training data exists at all.
Where Pith is reading between the lines
- The test set consists entirely of machine-translated English prompts manually checked for fidelity. Native-language jailbreak attacks — which may use culturally specific framing, idiomatic circumlocution, or language-specific encoding tricks — could exploit representation gaps that translated test data does not reveal. The 98.5% F1 may overstate real-world performance against adversaries who craft
- The contrastive loss treats all jailbreak prompts as one class and all benign prompts as another, regardless of attack strategy. If different attack types (role-play, encoding, prompt injection) occupy different regions of the embedding space, a single contrastive pull may blur strategically distinct attack signatures that a finer-grained multi-class approach would preserve.
- The framework's reliance on a fixed set of 60 test prompts per language (30 benign, 30 jailbreak) means the evaluation has limited statistical power per language — a single misclassified prompt shifts F1 by roughly 3 percentage points. The cross-lingual generalization claims would benefit from larger, natively constructed test sets.
- If the contrastive clustering effect is as strong as the t-SNE visualizations suggest, one could test whether the learned representations transfer to entirely different safety domains (e.g., detecting multilingual misinformation) with minimal fine-tuning, which would confirm that the method learns general language-insensitive intent structure rather than jailbreak-specific features.
Load-bearing premise
Every non-English test sample is a Google-Translate rendering of an English prompt, manually checked for correctness. No test prompt is authored natively in the target language. If real adversaries write jailbreak attacks directly in Bengali or Swahili — using local idioms, cultural references, or syntactic structures that differ from translated English — the reported detection rates may not hold against those attacks.
What would settle it
Construct a test set of jailbreak prompts authored natively in 3–5 low-resource languages by speakers who are also familiar with jailbreak techniques, then evaluate whether MLJailDe's F1 drops below 90% — which would indicate the learned representations are sensitive to native-language attack structure rather than truly language-insensitive.
Figures
read the original abstract
Large language models (LLMs) are increasingly deployed in applications for global multilingual users, yet safety training remains concentrated in dominant languages and has not progressed in parallel with multilingual capability, creating exploitable gaps for jailbreak attacks. Current jailbreak defenses are largely developed and evaluated in dominant languages, and their effectiveness is limited by the scarcity of aligned multilingual supervision and representations dispersion caused by language variation. To address this issue, we propose MLJailDe, a multilingual jailbreak detection framework designed to improve both multilingual robustness and cross-lingual generalization. MLJailDe first introduces a multilingual back-translation data augmentation algorithm to construct a semantically consistent and functionally effective dataset spanning 11 languages, consisting of 2,232 benign and 1,239 jailbreak samples. On this basis, MLJailDe employs relative-distance constraints to reduce cross-lingual representation dispersion and encourage jailbreak prompts with similar intent to form consistent clusters across languages, while an imbalance-aware classification objective is further used to alleviate class imbalance and learn more reliable multilingual decision boundaries. Experimental results show that MLJailDe outperforms state-of-the-art baselines across multiple languages, achieving an F1 score of 98.5\%, and obtains an average F1 score of 97.1\% on unseen languages, demonstrating strong effectiveness and cross-lingual generalization.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. This paper proposes MLJailDe, a multilingual jailbreak detection framework that combines a back-translation data augmentation pipeline (MBT-DA) with a supervised contrastive representation objective and an imbalance-aware classification loss. The system is trained on 600 English prompts from JailbreaksOverTime, augmented into 10 low-resource languages, and evaluated on a 660-sample multilingual test set. The authors report 98.5% F1 on the main test set and 97.1% average F1 on held-out unseen languages, outperforming 14 baselines including GPT-5-p, Claude-4.5-p, and PromptGuard. The paper also includes ablation studies, parameter sensitivity analyses, backbone generality experiments, and statistical reliability checks across five runs.
Significance. The problem of multilingual jailbreak detection is well-motivated and timely: safety alignment is concentrated in high-resource languages, creating exploitable gaps. The paper ships a concrete, reproducible pipeline with clearly defined components, falsifiable per-language predictions (Tables VII–VIII), and a statistical reliability table (Tables XI–XII) that is uncommon in this area. The ablation in Table X, which isolates MBT-DA, L_wce, and L_dist, is a useful contribution by itself. The architecture-generality experiment (Table IX, mDeBERTa and Flan-T5) strengthens the claim that the framework is not tied to a single backbone. However, the central claim of 'language-insensitive intent representations' is evaluated almost entirely on translation-derived data, which limits the evidential strength of the near-perfect F1 scores.
major comments (3)
- §V-A (Datasets) and §IV-A (MBT-DA): Both the training augmentation and the test set are derived from English originals via machine translation. The test set is 60 English prompts translated into 10 languages using Google Translate (660 total samples). This means every non-English test sample is a translation of an English prompt, not a natively authored attack in that language. If native-language jailbreak prompts differ structurally or pragmatically from translated English ones, the reported 98.5% F1 may reflect translationese recognition rather than genuine cross-lingual intent understanding. This is load-bearing for the central claim of 'language-insensitive jailbreak-intent representations.' The authors should either (a) acknowledge this as a scope limitation and temper the claim accordingly, or (b) provide at least a small evaluation on natively authored non-English jailbreaks (e.g,
- §V-A (Datasets): The test set contains only 30 jailbreak and 30 benign samples per language. With 30 jailbreak samples per language, a single misclassification shifts F1 by approximately 3 percentage points. The per-language F1 scores in Table VII (e.g., Burmese at 0.877) are thus based on very few errors. The paper should report confidence intervals or bootstrap variance for the per-language results, not just for the aggregate (Table XII). Without per-language uncertainty estimates, it is difficult to assess whether the differences between languages (e.g., Burmese 0.877 vs. Urdu 1.000) are meaningful or noise. This is particularly important for the unseen-language generalization claim in §V-E.
- §V-H (Table X): The 'plain multilingual' row (naive translation without quality filtering) achieves 96.7% F1, only 1.8 points below MBT-DA's 98.5%. This suggests that the quality filtering in MBT-DA contributes marginally—the main performance gain comes from having any translated data. The paper should discuss this more explicitly: if the gap between naive translation and MBT-DA is this small, the practical value of the multi-stage filtering pipeline (forward/back translation, accuracy scoring, alignment checking, safety checking) needs better justification, perhaps in terms of precision (95.0% vs. 99.7%) or robustness on harder cases. The current framing overstates the contribution of MBT-DA relative to simple translation.
minor comments (10)
- Table I: Several venue/year entries appear to be placeholders or errors (e.g., 'NDSS 2026,' 'ICLR 2026,' 'TPAMI 2026,' 'NMI 2023' for SelfReminder which was published in Nature Machine Intelligence). Please verify all venue citations.
- §V-C, Table V: The text refers to 'Glaude-4.5-p' in the discussion paragraph; this should be 'Claude-4.5-p'.
- Figure 4: The pie chart labels are rendered as unicode escape sequences (e.g., /uni00000045/uni00000051) rather than readable language codes. This makes the figure unreadable.
- Figure 5: Similarly, the heatmap labels appear corrupted with unicode escape sequences. Please fix so that language codes and F1 values are legible.
- Figure 8: The bar chart labels are also rendered as unicode escape sequences, making the figure unreadable.
- §IV-B, Eq. (8): The loss is referred to as L_dist in the equation but as L_contrast in the text of §V-H ('This showed that L_contrast substantially improved...'). Please use consistent notation.
- §V-I, Figure 7c: The text states the model reaches peak F1 at epoch 11, but the training is set to 20 epochs. It would be clearer to state whether early stopping was applied or whether the epoch-20 checkpoint was used for the final reported results.
- §V-E, Tables VII–VIII: The unseen-language experiments use the same 30-samples-per-language test set. This should be noted as a limitation, as the small sample size limits the statistical power of the generalization claim.
- The paper would benefit from explicitly listing the translationese concern and the small test set size as limitations in a dedicated subsection, rather than leaving them implicit.
- §II-A: The categorization of multilingual jailbreak attacks into 'machine-language-based' and 'natural-language-based' is useful but could cite additional work on code-switching or mixed-language attack strategies.
Simulated Author's Rebuttal
We thank the referee for a careful and constructive review. The three major comments are well-taken and we address each below. In brief: (1) we agree that the translation-derived test set is a scope limitation and will temper our central claim and add a discussion of this limitation; (2) we agree that per-language confidence intervals are needed and will add them; (3) we agree that the MBT-DA contribution should be better justified beyond the F1 gap and will revise the framing to emphasize precision and robustness gains. We are unable to fully resolve the translationese concern with new native-language data in the revision timeframe, and we list this as a standing objection.
read point-by-point responses
-
Referee: Both the training augmentation and the test set are derived from English originals via machine translation. Every non-English test sample is a translation of an English prompt, not a natively authored attack. The 98.5% F1 may reflect translationese recognition rather than genuine cross-lingual intent understanding. The authors should either acknowledge this as a scope limitation and temper the claim, or provide evaluation on natively authored non-English jailbreaks.
Authors: We agree with the referee that this is a genuine and important limitation of the current evaluation. The test set is constructed by translating English prompts into 10 target languages, and it is correct that such translated samples may exhibit translationese properties that differ from natively authored attacks. We cannot rule out the possibility that some portion of the high F1 reflects recognition of translation artifacts rather than purely cross-lingual intent understanding. We will make the following changes in the revised manuscript: (1) We will explicitly acknowledge in Section V-A that the test set consists of translated prompts and discuss the translationese concern as a scope limitation. (2) We will temper the central claim of 'language-insensitive intent representations' to clarify that our evidence supports cross-lingual transfer under translation-derived data, and that evaluation on natively authored non-English jailbreaks remains future work. (3) We will add a discussion in the limitations or future work section noting that native-language jailbreak collections (e.g., from the MultiJail dataset, which includes natively authored prompts in some languages) could be used to further validate the framework. We note that the MBT-DA pipeline itself uses LLM-based translation rather than Google Translate, and the training data includes functional effectiveness validation (i.e., verifying that translated jailbreak prompts still elicit harmful responses), which provides some signal beyond pure translation fidelity. However, we acknowledge this does not fully resolve the concern for the test set. We are unable to conduct a full native-language evaluation within the revision timeframe due to the difficulty of sourcing natively authored jailbreak prompts in lowresource revision: partial
-
Referee: The test set contains only 30 jailbreak and 30 benign samples per language. A single misclassification shifts F1 by approximately 3 percentage points. The paper should report confidence intervals or bootstrap variance for the per-language results, not just for the aggregate. Without per-language uncertainty estimates, it is difficult to assess whether differences between languages (e.g., Burmese 0.877 vs. Urdu 1.000) are meaningful or noise.
Authors: The referee is correct that with 30 jailbreak samples per language, per-language F1 scores are sensitive to individual misclassifications, and the current manuscript does not provide per-language uncertainty estimates. We will address this in the revision by adding bootstrap confidence intervals (using 1000 bootstrap resamples) for the per-language F1 scores in Tables VII and VIII. This will allow readers to assess whether the observed differences between languages are statistically meaningful. We agree that this is particularly important for the unseen-language generalization claims in Section V-E, where Burmese (F1=0.877) appears to underperform other languages. With bootstrap CIs, we expect to show that the Burmese result has a wider interval and that some of the apparent cross-language differences may not be statistically significant. We will also add a note in the discussion of Table VII acknowledging the small per-language sample size and its implications for interpreting point estimates. revision: yes
-
Referee: The 'plain multilingual' row (naive translation without quality filtering) achieves 96.7% F1, only 1.8 points below MBT-DA's 98.5%. This suggests that the quality filtering in MBT-DA contributes marginally. The paper should discuss this more explicitly: if the gap between naive translation and MBT-DA is this small, the practical value of the multi-stage filtering pipeline needs better justification, perhaps in terms of precision (95.0% vs. 99.7%) or robustness on harder cases.
Authors: We agree with the referee that the 1.8-point F1 gap between naive translation and MBT-DA does not by itself fully justify the multi-stage filtering pipeline, and that the current framing overstates the contribution of MBT-DA relative to simple translation. However, we would note that the more meaningful difference is in precision: naive translation yields 95.0% precision while MBT-DA achieves 99.7%, a 4.7-point gap. In a deployment context, false positives on benign prompts carry significant operational cost (e.g., blocking legitimate user queries), so the precision improvement is practically important. We will revise the manuscript to make this argument explicit: (1) We will reframe the MBT-DA contribution discussion in Section V-H to emphasize that the primary benefit is precision improvement (95.0% to 99.7%) rather than F1 improvement alone. (2) We will add a discussion noting that naive translation introduces noisy samples that cause benign prompt misclassification, and that the quality filtering pipeline specifically addresses this. (3) We will acknowledge that the F1 gap is modest and temper the claims about MBT-DA's contribution accordingly. We will not claim that MBT-DA is essential for achieving reasonable multilingual detection, but rather that it provides meaningful precision and reliability improvements that matter for practical deployment. revision: yes
- We are unable to fully resolve the translationese concern (Major Comment 1) by conducting a new evaluation on natively authored non-English jailbreak prompts within the revision timeframe. Sourcing natively authored jailbreak prompts in low-resource languages such as Burmese, Javanese, and Swahili is difficult, and existing multilingual jailbreak datasets (e.g., MultiJail) also rely heavily on translation-derived data. We will acknowledge this as a scope limitation and temper our claims, but we cannot provide the native-language evaluation the referee suggests as option (b).
Circularity Check
No circularity found: the derivation chain is self-contained, with no self-definitional reductions, fitted-input-as-prediction, or load-bearing self-citations.
full rationale
The paper proposes MLJailDe, a multilingual jailbreak detection framework with two main components: (1) MBT-DA data augmentation and (2) a detector combining supervised contrastive loss (L_dist, Eq. 8) and weighted BCE (L_wce, Eq. 10) under a joint objective (L_total, Eq. 12). Walking the derivation chain: The MBT-DA pipeline (§IV-A) uses LLM-based forward/back translation and quality filtering to construct augmented training data — this is a data construction step, not a prediction. The contrastive loss (Eq. 8) is standard supervised contrastive learning with cosine similarity (Eq. 7); it is not defined in terms of the evaluation metrics. The weighted BCE (Eqs. 10-11) uses normalized inverse priors computed from class counts — a standard reweighting, not a fitted parameter renamed as a prediction. The joint loss (Eq. 12) is a convex combination with hyperparameter λ, tuned via sensitivity analysis (Fig. 7a). Evaluation metrics (P, R, F1 in Eqs. 13-15) are computed against ground-truth labels on a held-out test set (§V-A), not against the augmentation pipeline's own scores. The ablation study (Table X) independently varies each component. The unseen-language experiments (Tables VII-VIII) hold out entire languages from training. No step in the derivation reduces to its inputs by construction. The concern about translationese artifacts (both training and test data being translations of English originals) is a validity/generalization concern, not a circularity concern — the evaluation metrics are not defined in terms of the training pipeline's outputs. No self-citations are load-bearing for the central claims; the method is self-contained. The paper has minor self-citations to standard tools (DeBERTa, t-SNE) but these are external, independently verifiable resources. Score: 0 — no significant circularity detected.
Axiom & Free-Parameter Ledger
free parameters (8)
- lambda (loss weight) =
0.55
- tau (temperature) =
0.1
- proj_dim =
128
- tau_acc (accuracy threshold) =
4
- tau_align (alignment threshold) =
4
- tau_safe (safety threshold) =
4
- batch_size =
64
- epochs =
20
axioms (4)
- domain assumption DeBERTa-v3-base can produce meaningful cross-lingual representations for 11 languages including low-resource ones like Bengali, Tamil, and Swahili.
- domain assumption Back-translated prompts that pass accuracy/alignment/safety scoring are semantically and functionally equivalent to natively-authored prompts in the target language.
- domain assumption Jailbreak intent is a language-insensitive property that can be captured in a shared representation space.
- standard math The supervised contrastive loss formulation (Eq. 8) with in-batch positive/negative pairs is appropriate for learning cross-lingual intent representations.
Reference graph
Works this paper leans on
-
[1]
J. Jeon and S. Lee, “Large language models in education: A focus on the complementary relationship between human teachers and chatgpt,” Education and Information Technologies, vol. 28, no. 12, pp. 15 873– 15 892, 2023
work page 2023
-
[2]
Large language models in finance: A survey,
Y . Li, S. Wang, H. Ding, and H. Chen, “Large language models in finance: A survey,” inProceedings of the fourth ACM international conference on AI in finance, 2023, pp. 374–382. 15
work page 2023
-
[3]
Large language models in medicine,
A. J. Thirunavukarasu, D. S. J. Ting, K. Elangovan, L. Gutierrez, T. F. Tan, and D. S. W. Ting, “Large language models in medicine,”Nature medicine, vol. 29, no. 8, pp. 1930–1940, 2023
work page 1930
-
[4]
A survey of multilingual large language models,
L. Qin, Q. Chen, Y . Zhou, Z. Chen, Y . Li, L. Liao, M. Li, W. Che, and P. S. Yu, “A survey of multilingual large language models,”Patterns, vol. 6, no. 1, 2025
work page 2025
-
[5]
Jailbreaksovertime: Detecting jailbreak attacks under distribution shift,
J. Piet, X. Huang, D. Jacob, A. Chow, M. Alrashed, G. Zhao, Z. Hu, C. Sitawarin, B. Alomair, and D. Wagner, “Jailbreaksovertime: Detecting jailbreak attacks under distribution shift,” inProceedings of the 18th ACM Workshop on Artificial Intelligence and Security, 2025, pp. 230– 241
work page 2025
-
[6]
Jailbreakbench: An open robustness benchmark for jailbreaking large language models,
P. Chao, E. Debenedetti, A. Robey, M. Andriushchenko, F. Croce, V . Sehwag, E. Dobriban, N. Flammarion, G. J. Pappas, F. Tram`eret al., “Jailbreakbench: An open robustness benchmark for jailbreaking large language models,” inThe Thirty-eight Conference on Neural Information Processing Systems Datasets and Benchmarks Track, 2024
work page 2024
-
[7]
Multilingual jailbreak challenges in large language models,
Y . Deng, W. Zhang, S. J. Pan, and L. Bing, “Multilingual jailbreak challenges in large language models,” inThe Twelfth International Conference on Learning Representations, 2024
work page 2024
-
[8]
Low-resource languages jailbreak gpt-4,
Z. X. Yong, C. Menghini, and S. Bach, “Low-resource languages jailbreak gpt-4,” inSocially Responsible Language Modelling Research, 2023
work page 2023
-
[9]
The language barrier: Dissecting safety challenges of llms in multilingual contexts,
L. Shen, W. Tan, S. Chen, Y . Chen, J. Zhang, H. Xu, B. Zheng, P. Koehn, and D. Khashabi, “The language barrier: Dissecting safety challenges of llms in multilingual contexts,” inFindings of the Association for Computational Linguistics: ACL 2024, 2024, pp. 2668–2680
work page 2024
-
[10]
J. Achiam, S. Adler, S. Agarwal, L. Ahmad, I. Akkaya, F. L. Aleman, D. Almeida, J. Altenschmidt, S. Altman, S. Anadkatet al., “Gpt-4 technical report,”arXiv preprint arXiv:2303.08774, 2023
work page internal anchor Pith review Pith/arXiv arXiv 2023
-
[11]
mt5: A massively multilingual pre-trained text- to-text transformer,
L. Xue, N. Constant, A. Roberts, M. Kale, R. Al-Rfou, A. Siddhant, A. Barua, and C. Raffel, “mt5: A massively multilingual pre-trained text- to-text transformer,” inProceedings of the 2021 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, 2021, pp. 483–498
work page 2021
-
[12]
A cross-language investigation into jailbreak attacks in large language models,
J. Li, Y . Liu, C. Liu, L. Shi, X. Ren, Y . Zheng, Y . Liu, and Y . Xue, “A cross-language investigation into jailbreak attacks in large language models,”arXiv preprint arXiv:2401.16765, 2024
-
[13]
Artprompt: Ascii art-based jailbreak attacks against aligned llms,
F. Jiang, Z. Xu, L. Niu, Z. Xiang, B. Ramasubramanian, B. Li, and R. Poovendran, “Artprompt: Ascii art-based jailbreak attacks against aligned llms,” inProceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), 2024, pp. 15 157–15 173
work page 2024
-
[14]
English as defense proxy: Mitigating multilingual jailbreak via eliciting english safety knowledge,
Z. Zhang, Y . Guo, J. Lin, S. Quan, H. Zhang, and D. Zhao, “English as defense proxy: Mitigating multilingual jailbreak via eliciting english safety knowledge,” inFindings of the Association for Computational Linguistics: EMNLP 2025, 2025, pp. 1185–1196
work page 2025
-
[15]
Gradsafe: Detecting jailbreak prompts for llms via safety-critical gradient analysis,
Y . Xie, M. Fang, R. Pi, and N. Gong, “Gradsafe: Detecting jailbreak prompts for llms via safety-critical gradient analysis,” inProceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), 2024, pp. 507–518
work page 2024
-
[16]
S. Zhang, Y . Zhai, K. Guo, H. Hu, S. Guo, Z. Fang, L. Zhao, C. Shen, C. Wang, and Q. Wang, “Jbshield: Defending large language models from jailbreak attacks through activated concept analysis and manipulation,” inProceedings of the 34th USENIX Security Symposium (USENIX Security 2025), 2025
work page 2025
-
[17]
On prompt-driven safeguarding for large language mod- els,
C. Zheng, F. Yin, H. Zhou, F. Meng, J. Zhou, K.-W. Chang, M. Huang, and N. Peng, “On prompt-driven safeguarding for large language mod- els,” inInternational Conference on Machine Learning. PMLR, 2024, pp. 61 593–61 613
work page 2024
-
[18]
Rain: Your language models can align themselves without finetuning,
Y . Li, F. Wei, J. Zhao, C. Zhang, and H. Zhang, “Rain: Your language models can align themselves without finetuning,” inThe Twelfth Inter- national Conference on Learning Representations, 2024
work page 2024
-
[19]
Safede- coding: Defending against jailbreak attacks via safety-aware decoding,
Z. Xu, F. Jiang, L. Niu, J. Jia, B. Y . Lin, and R. Poovendran, “Safede- coding: Defending against jailbreak attacks via safety-aware decoding,” inProceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), 2024, pp. 5587– 5605
work page 2024
-
[20]
X. Xu, P.-Y . Chen, and T.-y. Ho, “Gradient cuff: Detecting jailbreak at- tacks on large language models by exploring refusal loss landscapes,” in The Thirty-eighth Annual Conference on Neural Information Processing Systems, 2024
work page 2024
-
[21]
G. Shen, D. Zhao, Y . Dong, X. He, and Y . Zeng, “Jailbreak antidote: Runtime safety-utility balance via sparse representation adjustment in large language models,” inThe Thirteenth International Conference on Learning Representations, 2025
work page 2025
-
[22]
Bleeding pathways: Vanishing discriminability in llm hidden states fuels jailbreak attacks,
Y . Zhang, T. Liu, Z. Zhao, G. Meng, and K. Chen, “Bleeding pathways: Vanishing discriminability in llm hidden states fuels jailbreak attacks,” inNDSS, 2026
work page 2026
-
[23]
Graphshield: Graph- theoretic modeling of network-level dynamics for robust jailbreak detection,
S. Dong, S. Yi, K. Bae, J. Kim, and S. Kim, “Graphshield: Graph- theoretic modeling of network-level dynamics for robust jailbreak detection,” inThe Fourteenth International Conference on Learning Representations, 2026
work page 2026
-
[24]
Defending chatgpt against jailbreak attack via self-reminders,
Y . Xie, J. Yi, J. Shao, J. Curl, L. Lyu, Q. Chen, X. Xie, and F. Wu, “Defending chatgpt against jailbreak attack via self-reminders,”Nature Machine Intelligence, vol. 5, no. 12, pp. 1486–1496, 2023
work page 2023
-
[25]
Robust prompt optimization for defend- ing language models against jailbreaking attacks,
A. Zhou, B. Li, and H. Wang, “Robust prompt optimization for defend- ing language models against jailbreaking attacks,”Advances in Neural Information Processing Systems, vol. 37, pp. 40 184–40 211, 2024
work page 2024
-
[26]
Defending against alignment- breaking attacks via robustly aligned llm,
B. Cao, Y . Cao, L. Lin, and J. Chen, “Defending against alignment- breaking attacks via robustly aligned llm,” inProceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Vol- ume 1: Long Papers), 2024, pp. 10 542–10 560
work page 2024
-
[27]
Selfdefend: Llms can defend themselves against jailbreaking in a practical manner,
X. Wang, D. Wu, Z. Ji, Z. Li, P. Ma, S. Wang, Y . Li, Y . Liu, N. Liu, and J. Rahmel, “Selfdefend: Llms can defend themselves against jailbreaking in a practical manner,” inProceedings of the 34th USENIX Conference on Security Symposium, 2025, pp. 2441–2460
work page 2025
-
[28]
Jailbreak and guard aligned language models with only few in-context demonstrations,
Z. Wei, Y . Wang, A. Li, Y . Mo, and Y . Wang, “Jailbreak and guard aligned language models with only few in-context demonstrations,” IEEE Transactions on Pattern Analysis and Machine Intelligence, 2026
work page 2026
-
[29]
Align once, benefit multilin- gually: Enforcing multilingual consistency for llm safety alignment,
Y . Bu, X. Liu, Z. Ren, Y . Yang, and J. Dai, “Align once, benefit multilin- gually: Enforcing multilingual consistency for llm safety alignment,” in The Fourteenth International Conference on Learning Representations, 2026
work page 2026
-
[30]
Llama 2: Open Foundation and Fine-Tuned Chat Models
H. Touvron, L. Martin, K. Stone, P. Albert, A. Almahairi, Y . Babaei, N. Bashlykov, S. Batra, P. Bhargava, S. Bhosaleet al., “Llama 2: Open foundation and fine-tuned chat models,”arXiv preprint arXiv:2307.09288, 2023
work page internal anchor Pith review Pith/arXiv arXiv 2023
-
[31]
A. Grattafiori, A. Dubey, A. Jauhri, A. Pandey, A. Kadian, A. Al-Dahle, A. Letman, A. Mathur, A. Schelten, A. Vaughanet al., “The llama 3 herd of models,”arXiv preprint arXiv:2407.21783, 2024
work page internal anchor Pith review Pith/arXiv arXiv 2024
-
[32]
A. Yang, B. Yang, B. Hui, B. Zheng, B. Yu, C. Zhou, C. Li, C. Li, D. Liu, F. Huang, G. Dong, H. Wei, H. Lin, J. Tang, J. Wang, J. Yang, J. Tu, J. Zhang, J. Ma, J. Xu, J. Zhou, J. Bai, J. He, J. Lin, K. Dang, K. Lu, K. Chen, K. Yang, M. Li, M. Xue, N. Ni, P. Zhang, P. Wang, R. Peng, R. Men, R. Gao, R. Lin, S. Wang, S. Bai, S. Tan, T. Zhu, T. Li, T. Liu, W....
work page internal anchor Pith review Pith/arXiv arXiv 2024
-
[33]
A. Yang, A. Li, B. Yang, B. Zhang, B. Hui, B. Zheng, B. Yu, C. Gao, C. Huang, C. Lvet al., “Qwen3 technical report,”arXiv preprint arXiv:2505.09388, 2025
work page internal anchor Pith review Pith/arXiv arXiv 2025
-
[34]
Gpt- 4 is too smart to be safe: Stealthy chat with llms via cipher,
Y . Yuan, W. Jiao, W. Wang, J.-t. Huang, P. He, S. Shi, and Z. Tu, “Gpt- 4 is too smart to be safe: Stealthy chat with llms via cipher,” inThe Twelfth International Conference on Learning Representations, 2024
work page 2024
-
[35]
Sandwich attack: Multi-language mixture adaptive attack on llms,
B. Upadhayay and V . Behzadan, “Sandwich attack: Multi-language mixture adaptive attack on llms,” inProceedings of the 4th Workshop on Trustworthy Natural Language Processing (TrustNLP 2024), 2024, pp. 208–226
work page 2024
-
[36]
Multilingual collaborative defense for large language models,
H. Li, J. Xu, G. Cui, C. Guan, F. Mo, and K. Huang, “Multilingual collaborative defense for large language models,” inFindings of the Association for Computational Linguistics: EMNLP 2025, C. Christodoulopoulos, T. Chakraborty, C. Rose, and V . Peng, Eds. Suzhou, China: Association for Computational Linguistics, Nov. 2025, pp. 3735–3755. [Online]. Availab...
work page 2025
-
[37]
Mrguard: A multilingual reasoning guardrail for universal llm safety,
Y . Yang, S. Dan, S. Li, D. Roth, and I. Lee, “Mrguard: A multilingual reasoning guardrail for universal llm safety,” inProceedings of the 2025 Conference on Empirical Methods in Natural Language Processing, 2025, pp. 27 365–27 384
work page 2025
-
[38]
W. Shan, M. Fu, R. Yang, and C. Tantithamthavorn, “Sealguard: Safe- guarding the multilingual conversations in southeast asian languages for ai-powered software,” in2025 2nd IEEE/ACM International Conference on AI-powered Software (AIware). IEEE, 2025, pp. 197–206
work page 2025
-
[39]
Sentra-Guard: A Real-Time Multilingual Defense Against Adversarial LLM Prompts
M. M. Hasan, Z. Rahman, R. Mostafiz, and M. A. Hossain, “Sentra- guard: A multilingual human-ai framework for real-time defense against adversarial llm jailbreaks,”arXiv preprint arXiv:2510.22628, 2025
work page internal anchor Pith review Pith/arXiv arXiv 2025
-
[40]
Sok: Eval- uating jailbreak guardrails for large language models,
X. Wang, Z. Ji, W. Wang, Z. Li, D. Wu, and S. Wang, “Sok: Eval- uating jailbreak guardrails for large language models,” in2026 IEEE Symposium on Security and Privacy (SP), 2026. 16
work page 2026
-
[41]
Fight back against jailbreaking via prompt adversarial tuning,
Y . Mo, Y . Wang, Z. Wei, and Y . Wang, “Fight back against jailbreaking via prompt adversarial tuning,”Advances in Neural Information Pro- cessing Systems, vol. 37, pp. 64 242–64 272, 2024
work page 2024
-
[42]
Defending large language models against jailbreaking attacks through goal priori- tization,
Z. Zhang, J. Yang, P. Ke, F. Mi, H. Wang, and M. Huang, “Defending large language models against jailbreaking attacks through goal priori- tization,” inProceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), 2024, pp. 8865– 8887
work page 2024
-
[43]
Refuse whenever you feel unsafe: Improving safety in llms via decoupled refusal training,
Y . Yuan, W. Jiao, W. Wang, J.-t. Huang, J. Xu, T. Liang, P. He, and Z. Tu, “Refuse whenever you feel unsafe: Improving safety in llms via decoupled refusal training,” inProceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), 2025, pp. 3149–3167
work page 2025
-
[44]
Training language models to follow instructions with human feedback,
L. Ouyang, J. Wu, X. Jiang, D. Almeida, C. Wainwright, P. Mishkin, C. Zhang, S. Agarwal, K. Slama, A. Rayet al., “Training language models to follow instructions with human feedback,”Advances in neural information processing systems, vol. 35, pp. 27 730–27 744, 2022
work page 2022
-
[45]
Training a Helpful and Harmless Assistant with Reinforcement Learning from Human Feedback
Y . Bai, A. Jones, K. Ndousse, A. Askell, A. Chen, N. DasSarma, D. Drain, S. Fort, D. Ganguli, T. Henighanet al., “Training a helpful and harmless assistant with reinforcement learning from human feedback,” arXiv preprint arXiv:2204.05862, 2022
work page internal anchor Pith review Pith/arXiv arXiv 2022
-
[46]
Efficient adversarial training in llms with continuous attacks,
S. Xhonneux, A. Sordoni, S. G ¨unnemann, G. Gidel, and L. Schwinn, “Efficient adversarial training in llms with continuous attacks,”Advances in Neural Information Processing Systems, vol. 37, pp. 1502–1530, 2024
work page 2024
-
[47]
Adversarial d\’ej\a vu: Jailbreak dictionary learning for stronger generalization to unseen attacks,
M. Dabas, T. Huynh, N. R. Billa, J. T. Wang, P. Gao, C. Peris, Y . Ma, R. Gupta, M. Jin, P. Mittalet al., “Adversarial d\’ej\a vu: Jailbreak dictionary learning for stronger generalization to unseen attacks,” inThe Fourteenth International Conference on Learning Representations, 2026
work page 2026
-
[48]
Aligner: Efficient alignment by learning to correct,
J. Ji, B. Chen, H. Lou, D. Hong, B. Zhang, X. Pan, J. Dai, T. Qiu, and Y . Yang, “Aligner: Efficient alignment by learning to correct,”Advances in Neural Information Processing Systems, vol. 37, pp. 90 853–90 890, 2024
work page 2024
-
[49]
Llama Guard: LLM-based Input-Output Safeguard for Human-AI Conversations
H. Inan, K. Upasani, J. Chi, R. Rungta, K. Iyer, Y . Mao, M. Tontchev, Q. Hu, B. Fuller, D. Testuggineet al., “Llama guard: Llm-based input-output safeguard for human-ai conversations,”arXiv preprint arXiv:2312.06674, 2023
work page internal anchor Pith review Pith/arXiv arXiv 2023
-
[50]
ShieldGemma: Generative AI Content Moderation Based on Gemma
W. Zeng, Y . Liu, R. Mullins, L. Peran, J. Fernandez, H. Harkous, K. Narasimhan, D. Proud, P. Kumar, B. Radharapuet al., “Shieldgemma: Generative ai content moderation based on gemma,”arXiv preprint arXiv:2407.21772, 2024
work page internal anchor Pith review Pith/arXiv arXiv 2024
-
[51]
Meta, “Llama prompt guard 2,” https://www.llama.com/docs/ model-cards-and-prompt-formats/prompt-guard/, 2025
work page 2025
-
[52]
OpenAI, “Moderation,” https://platform.openai.com/docs/guides/ moderation/, 2025
work page 2025
-
[53]
SmoothLLM: Defending Large Language Models Against Jailbreaking Attacks
A. Robey, E. Wong, H. Hassani, and G. J. Pappas, “Smoothllm: Defending large language models against jailbreaking attacks,”arXiv preprint arXiv:2310.03684, 2023
work page internal anchor Pith review Pith/arXiv arXiv 2023
-
[54]
Llmguard: guarding against unsafe llm be- havior,
S. Goyal, M. Hira, S. Mishra, S. Goyal, A. Goel, N. Dadu, K. DB, S. Mehta, and N. Madaan, “Llmguard: guarding against unsafe llm be- havior,” inProceedings of the AAAI conference on artificial intelligence, vol. 38, no. 21, 2024, pp. 23 790–23 792
work page 2024
-
[55]
Rig- orllm: Resilient guardrails for large language models against undesired content,
Z. Yuan, Z. Xiong, Y . Zeng, N. Yu, R. Jia, D. Song, and B. Li, “Rig- orllm: Resilient guardrails for large language models against undesired content,” inInternational Conference on Machine Learning. PMLR, 2024, pp. 57 953–57 965
work page 2024
-
[56]
Moje: Mixture of jailbreak experts, naive tabular classi- fiers as guard for prompt attacks,
G. Cornacchia, G. Zizzo, K. Fraser, M. Z. Hameed, A. Rawat, and M. Purcell, “Moje: Mixture of jailbreak experts, naive tabular classi- fiers as guard for prompt attacks,” inProceedings of the AAAI/ACM Conference on AI, Ethics, and Society, vol. 7, no. 1, 2024, pp. 304–315
work page 2024
-
[57]
A holistic approach to undesired content detection in the real world,
T. Markov, C. Zhang, S. Agarwal, F. E. Nekoul, T. Lee, S. Adler, A. Jiang, and L. Weng, “A holistic approach to undesired content detection in the real world,” inProceedings of the AAAI conference on artificial intelligence, vol. 37, no. 12, 2023, pp. 15 009–15 018
work page 2023
-
[58]
Certifying llm safety against adversarial prompting,
A. Kumar, C. Agarwal, S. Srinivas, A. J. Li, S. Feizi, and H. Lakkaraju, “Certifying llm safety against adversarial prompting,” inFirst Confer- ence on Language Modeling, 2024
work page 2024
-
[59]
Detecting Language Model Attacks with Perplexity
G. Alon and M. Kamfonas, “Detecting language model attacks with perplexity,”arXiv preprint arXiv:2308.14132, 2023
work page internal anchor Pith review Pith/arXiv arXiv 2023
-
[60]
Hsf: Defending against jailbreak attacks with hidden state filtering,
C. Qian, H. Zhang, L. Sha, and Z. Zheng, “Hsf: Defending against jailbreak attacks with hidden state filtering,” inCompanion Proceedings of the ACM on Web Conference 2025, 2025, pp. 2078–2087
work page 2025
-
[61]
Constitutional classi- fiers++: Production-grade defenses against universal jailbreaks,
H. Cunningham, J. Wei, Z. Wang, A. Persic, A. Peng, J. Abderrachid, R. Agarwal, B. Chen, A. Cohen, A. Dauet al., “Constitutional classi- fiers++: Production-grade defenses against universal jailbreaks,” inThe Fourteenth International Conference on Learning Representations, 2026
work page 2026
-
[62]
Llm self defense: By self examination, llms know they are being tricked,
M. Phute, A. Helbling, M. Hull, S. Peng, S. Szyller, C. Cornelius, and D. H. Chau, “Llm self defense: By self examination, llms know they are being tricked,”arXiv preprint arXiv:2308.07308, 2023
-
[63]
Wildguard: Open one-stop moderation tools for safety risks, jailbreaks, and refusals of llms,
S. Han, K. Rao, A. Ettinger, L. Jiang, B. Y . Lin, N. Lambert, Y . Choi, and N. Dziri, “Wildguard: Open one-stop moderation tools for safety risks, jailbreaks, and refusals of llms,”Advances in neural information processing systems, vol. 37, pp. 8093–8131, 2024
work page 2024
-
[64]
X-guard: Multilingual guard agent for content moderation,
B. Upadhayay and V . Behzadan, “X-guard: Multilingual guard agent for content moderation,” inProceedings of the The First Workshop on LLM Security (LLMSEC), 2025, pp. 54–86
work page 2025
-
[65]
OpenAI, “Introducing gpt-5,” https://openai.com/index/ introducing-gpt-5/, 2025
work page 2025
-
[66]
Introducing claude sonnet 4.5,
Anthropic, “Introducing claude sonnet 4.5,” https://www.anthropic.com/ news/claude-sonnet-4-5, 2025
work page 2025
-
[67]
Deberta: Decoding-enhanced bert with disentangled attention,
P. He, X. Liu, J. Gao, and W. Chen, “Deberta: Decoding-enhanced bert with disentangled attention,” inInternational Conference on Learning Representations, 2021
work page 2021
-
[68]
L. v. d. Maaten and G. Hinton, “Visualizing data using t-sne,”Journal of machine learning research, vol. 9, no. Nov, pp. 2579–2605, 2008. Shuyu Jiangis currently an assistant researcher at the School of Cyber Science and Engineering, Sichuan University. She received the Ph.D degree in 2025 from Sichuan University. Her research interests focus on the appli...
work page 2008
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.