pith. sign in

arxiv: 2606.11202 · v1 · pith:A74UWD7Gnew · submitted 2026-04-22 · 💻 cs.CL

One Jailbreak, Many Tongues: Learning Language-Insensitive Intention Representations for Multilingual Jailbreak Detection

Pith reviewed 2026-07-05 04:34 UTC · model glm-5.2

classification 💻 cs.CL
keywords multilingual jailbreak detectioncontrastive learninglanguage-insensitive representationsback-translation data augmentationLLM safetycross-lingual generalizationimbalance-aware classificationguardrail
0
0 comments X

The pith

Contrastive clustering detects multilingual jailbreaks at 98.5% F1

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Large language models have weaker safety guardrails in non-English languages, and existing jailbreak detectors trained on English data fail when attacks arrive in low-resource languages like Bengali, Tamil, or Swahili. This paper proposes MLJailDe, a detector that treats multilingual jailbreak detection as a representation-learning problem: instead of learning language-specific attack patterns, it forces jailbreak prompts from all languages to cluster together in a shared embedding space while benign prompts form a separate cluster. The framework has two moving parts. First, a back-translation data augmentation pipeline (MBT-DA) creates multilingual training data by translating English prompts into ten low-resource languages, then filtering for semantic fidelity and functional effectiveness — translated jailbreak prompts must still actually jailbreak, and translated benign prompts must still function as intended. Second, a supervised contrastive loss pulls same-class samples closer and pushes different-class samples apart across all languages, while an imbalance-weighted classification objective counteracts the fact that benign translations outnumber jailbreak translations. The combined objective produces what the authors call language-insensitive jailbreak-intent representations: embeddings where the jailbreak-versus-benign boundary does not depend on which language the prompt is written in. The method achieves 98.5% F1 across 11 languages and 97.1% average F1 on languages withheld from training, using a DeBERTa backbone that processes 38 items per second.

Core claim

The paper's central claim is that the reason multilingual jailbreak detection fails is not primarily a translation or data-quantity problem but a representation-dispersion problem: jailbreak prompts expressing the same malicious intent in different languages scatter into language-specific clusters in embedding space, preventing a single decision boundary from separating them from benign prompts. By imposing relative-distance constraints via supervised contrastive learning — where every jailbreak prompt in a batch is pulled toward every other jailbreak prompt regardless of language, and pushed away from every benign prompt — the model reorganizes the embedding space so that the jailbreak/benj

What carries the argument

The central mechanism is a supervised contrastive loss (L_dist) operating on projected, L2-normalized embeddings from a DeBERTa encoder. For each sample in a batch, the loss increases cosine similarity to all same-class samples and decreases it to all different-class samples, with a temperature coefficient τ=0.1. This is jointly optimized with an imbalance-weighted binary cross-entropy loss (L_wce) whose class weights are normalized inverse priors, and a balancing coefficient λ=0.55. The training data is produced by MBT-DA: each English prompt is forward-translated into three variants per target language, back-translated to English, and filtered by an accuracy score (semantic consistency), a

If this is right

  • If relative-distance constraints genuinely produce language-insensitive intent representations, the same architecture could be applied to other cross-lingual safety tasks — detecting hate speech, prompt injection, or social engineering across language barriers — without requiring native-language training data for each task.
  • The MBT-DA pipeline's functional-effectiveness filter (checking that translated jailbreak prompts still elicit harmful responses) creates a reusable methodology for building multilingual adversarial test sets, since it validates that translations preserve attack utility rather than just surface meaning.
  • The finding that batch size strongly affects contrastive performance (batch=1 yields zero learning, batch=64 yields best results) suggests that deployment of similar contrastive defenses in production will face memory-throughput tradeoffs that may limit real-time use.
  • The 97.1% F1 on completely unseen languages implies the learned representation generalizes beyond the training language set, which if robust would mean defenders can protect languages for which no jailbreak training data exists at all.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The test set consists entirely of machine-translated English prompts manually checked for fidelity. Native-language jailbreak attacks — which may use culturally specific framing, idiomatic circumlocution, or language-specific encoding tricks — could exploit representation gaps that translated test data does not reveal. The 98.5% F1 may overstate real-world performance against adversaries who craft
  • The contrastive loss treats all jailbreak prompts as one class and all benign prompts as another, regardless of attack strategy. If different attack types (role-play, encoding, prompt injection) occupy different regions of the embedding space, a single contrastive pull may blur strategically distinct attack signatures that a finer-grained multi-class approach would preserve.
  • The framework's reliance on a fixed set of 60 test prompts per language (30 benign, 30 jailbreak) means the evaluation has limited statistical power per language — a single misclassified prompt shifts F1 by roughly 3 percentage points. The cross-lingual generalization claims would benefit from larger, natively constructed test sets.
  • If the contrastive clustering effect is as strong as the t-SNE visualizations suggest, one could test whether the learned representations transfer to entirely different safety domains (e.g., detecting multilingual misinformation) with minimal fine-tuning, which would confirm that the method learns general language-insensitive intent structure rather than jailbreak-specific features.

Load-bearing premise

Every non-English test sample is a Google-Translate rendering of an English prompt, manually checked for correctness. No test prompt is authored natively in the target language. If real adversaries write jailbreak attacks directly in Bengali or Swahili — using local idioms, cultural references, or syntactic structures that differ from translated English — the reported detection rates may not hold against those attacks.

What would settle it

Construct a test set of jailbreak prompts authored natively in 3–5 low-resource languages by speakers who are also familiar with jailbreak techniques, then evaluate whether MLJailDe's F1 drops below 90% — which would indicate the learned representations are sensitive to native-language attack structure rather than truly language-insensitive.

Figures

Figures reproduced from arXiv: 2606.11202 by Hao Ren, Hongwei Li, Kaiyu Xu, Rui Tang, Shuyu Jiang, Tianwei Zhang, Xingshu Chen, Yi Zhang.

Figure 1
Figure 1. Figure 1: Comparison between current and ideal multilingual [PITH_FULL_IMAGE:figures/full_fig_p001_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: The overall framework of MLJailDe. The left part is the multilingual prompt augmenter that constructs valid multilingual [PITH_FULL_IMAGE:figures/full_fig_p005_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: The process of the MBT-DA algorithm. D denotes the original prompt set. j represents the j-th target language. f 1 J,j , f 2 J,j , f 3 J,j represent three forward translation versions of the jailbreak prompts, and f 1 B,j , f 2 B,j , f 3 B,j represent three forward translation versions of the benign prompts. b 1 J,j , b2 J,j , b3 J,j represent three back translation versions of the jailbreak prompts, and b… view at source ↗
Figure 4
Figure 4. Figure 4: Language distribution of benign and jailbreak samples. [PITH_FULL_IMAGE:figures/full_fig_p009_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: F1 scores of each method across different languages. [PITH_FULL_IMAGE:figures/full_fig_p010_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: The distribution of jailbreak prompts and benign prompts in the vector space. w/o represents fine-tuning without data [PITH_FULL_IMAGE:figures/full_fig_p012_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Influence of different hyperparameters on model performance, (a) shows the effect of the parameter [PITH_FULL_IMAGE:figures/full_fig_p013_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Results of different positive and negative sample [PITH_FULL_IMAGE:figures/full_fig_p014_8.png] view at source ↗
read the original abstract

Large language models (LLMs) are increasingly deployed in applications for global multilingual users, yet safety training remains concentrated in dominant languages and has not progressed in parallel with multilingual capability, creating exploitable gaps for jailbreak attacks. Current jailbreak defenses are largely developed and evaluated in dominant languages, and their effectiveness is limited by the scarcity of aligned multilingual supervision and representations dispersion caused by language variation. To address this issue, we propose MLJailDe, a multilingual jailbreak detection framework designed to improve both multilingual robustness and cross-lingual generalization. MLJailDe first introduces a multilingual back-translation data augmentation algorithm to construct a semantically consistent and functionally effective dataset spanning 11 languages, consisting of 2,232 benign and 1,239 jailbreak samples. On this basis, MLJailDe employs relative-distance constraints to reduce cross-lingual representation dispersion and encourage jailbreak prompts with similar intent to form consistent clusters across languages, while an imbalance-aware classification objective is further used to alleviate class imbalance and learn more reliable multilingual decision boundaries. Experimental results show that MLJailDe outperforms state-of-the-art baselines across multiple languages, achieving an F1 score of 98.5\%, and obtains an average F1 score of 97.1\% on unseen languages, demonstrating strong effectiveness and cross-lingual generalization.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 10 minor

Summary. This paper proposes MLJailDe, a multilingual jailbreak detection framework that combines a back-translation data augmentation pipeline (MBT-DA) with a supervised contrastive representation objective and an imbalance-aware classification loss. The system is trained on 600 English prompts from JailbreaksOverTime, augmented into 10 low-resource languages, and evaluated on a 660-sample multilingual test set. The authors report 98.5% F1 on the main test set and 97.1% average F1 on held-out unseen languages, outperforming 14 baselines including GPT-5-p, Claude-4.5-p, and PromptGuard. The paper also includes ablation studies, parameter sensitivity analyses, backbone generality experiments, and statistical reliability checks across five runs.

Significance. The problem of multilingual jailbreak detection is well-motivated and timely: safety alignment is concentrated in high-resource languages, creating exploitable gaps. The paper ships a concrete, reproducible pipeline with clearly defined components, falsifiable per-language predictions (Tables VII–VIII), and a statistical reliability table (Tables XI–XII) that is uncommon in this area. The ablation in Table X, which isolates MBT-DA, L_wce, and L_dist, is a useful contribution by itself. The architecture-generality experiment (Table IX, mDeBERTa and Flan-T5) strengthens the claim that the framework is not tied to a single backbone. However, the central claim of 'language-insensitive intent representations' is evaluated almost entirely on translation-derived data, which limits the evidential strength of the near-perfect F1 scores.

major comments (3)
  1. §V-A (Datasets) and §IV-A (MBT-DA): Both the training augmentation and the test set are derived from English originals via machine translation. The test set is 60 English prompts translated into 10 languages using Google Translate (660 total samples). This means every non-English test sample is a translation of an English prompt, not a natively authored attack in that language. If native-language jailbreak prompts differ structurally or pragmatically from translated English ones, the reported 98.5% F1 may reflect translationese recognition rather than genuine cross-lingual intent understanding. This is load-bearing for the central claim of 'language-insensitive jailbreak-intent representations.' The authors should either (a) acknowledge this as a scope limitation and temper the claim accordingly, or (b) provide at least a small evaluation on natively authored non-English jailbreaks (e.g,
  2. §V-A (Datasets): The test set contains only 30 jailbreak and 30 benign samples per language. With 30 jailbreak samples per language, a single misclassification shifts F1 by approximately 3 percentage points. The per-language F1 scores in Table VII (e.g., Burmese at 0.877) are thus based on very few errors. The paper should report confidence intervals or bootstrap variance for the per-language results, not just for the aggregate (Table XII). Without per-language uncertainty estimates, it is difficult to assess whether the differences between languages (e.g., Burmese 0.877 vs. Urdu 1.000) are meaningful or noise. This is particularly important for the unseen-language generalization claim in §V-E.
  3. §V-H (Table X): The 'plain multilingual' row (naive translation without quality filtering) achieves 96.7% F1, only 1.8 points below MBT-DA's 98.5%. This suggests that the quality filtering in MBT-DA contributes marginally—the main performance gain comes from having any translated data. The paper should discuss this more explicitly: if the gap between naive translation and MBT-DA is this small, the practical value of the multi-stage filtering pipeline (forward/back translation, accuracy scoring, alignment checking, safety checking) needs better justification, perhaps in terms of precision (95.0% vs. 99.7%) or robustness on harder cases. The current framing overstates the contribution of MBT-DA relative to simple translation.
minor comments (10)
  1. Table I: Several venue/year entries appear to be placeholders or errors (e.g., 'NDSS 2026,' 'ICLR 2026,' 'TPAMI 2026,' 'NMI 2023' for SelfReminder which was published in Nature Machine Intelligence). Please verify all venue citations.
  2. §V-C, Table V: The text refers to 'Glaude-4.5-p' in the discussion paragraph; this should be 'Claude-4.5-p'.
  3. Figure 4: The pie chart labels are rendered as unicode escape sequences (e.g., /uni00000045/uni00000051) rather than readable language codes. This makes the figure unreadable.
  4. Figure 5: Similarly, the heatmap labels appear corrupted with unicode escape sequences. Please fix so that language codes and F1 values are legible.
  5. Figure 8: The bar chart labels are also rendered as unicode escape sequences, making the figure unreadable.
  6. §IV-B, Eq. (8): The loss is referred to as L_dist in the equation but as L_contrast in the text of §V-H ('This showed that L_contrast substantially improved...'). Please use consistent notation.
  7. §V-I, Figure 7c: The text states the model reaches peak F1 at epoch 11, but the training is set to 20 epochs. It would be clearer to state whether early stopping was applied or whether the epoch-20 checkpoint was used for the final reported results.
  8. §V-E, Tables VII–VIII: The unseen-language experiments use the same 30-samples-per-language test set. This should be noted as a limitation, as the small sample size limits the statistical power of the generalization claim.
  9. The paper would benefit from explicitly listing the translationese concern and the small test set size as limitations in a dedicated subsection, rather than leaving them implicit.
  10. §II-A: The categorization of multilingual jailbreak attacks into 'machine-language-based' and 'natural-language-based' is useful but could cite additional work on code-switching or mixed-language attack strategies.

Simulated Author's Rebuttal

3 responses · 1 unresolved

We thank the referee for a careful and constructive review. The three major comments are well-taken and we address each below. In brief: (1) we agree that the translation-derived test set is a scope limitation and will temper our central claim and add a discussion of this limitation; (2) we agree that per-language confidence intervals are needed and will add them; (3) we agree that the MBT-DA contribution should be better justified beyond the F1 gap and will revise the framing to emphasize precision and robustness gains. We are unable to fully resolve the translationese concern with new native-language data in the revision timeframe, and we list this as a standing objection.

read point-by-point responses
  1. Referee: Both the training augmentation and the test set are derived from English originals via machine translation. Every non-English test sample is a translation of an English prompt, not a natively authored attack. The 98.5% F1 may reflect translationese recognition rather than genuine cross-lingual intent understanding. The authors should either acknowledge this as a scope limitation and temper the claim, or provide evaluation on natively authored non-English jailbreaks.

    Authors: We agree with the referee that this is a genuine and important limitation of the current evaluation. The test set is constructed by translating English prompts into 10 target languages, and it is correct that such translated samples may exhibit translationese properties that differ from natively authored attacks. We cannot rule out the possibility that some portion of the high F1 reflects recognition of translation artifacts rather than purely cross-lingual intent understanding. We will make the following changes in the revised manuscript: (1) We will explicitly acknowledge in Section V-A that the test set consists of translated prompts and discuss the translationese concern as a scope limitation. (2) We will temper the central claim of 'language-insensitive intent representations' to clarify that our evidence supports cross-lingual transfer under translation-derived data, and that evaluation on natively authored non-English jailbreaks remains future work. (3) We will add a discussion in the limitations or future work section noting that native-language jailbreak collections (e.g., from the MultiJail dataset, which includes natively authored prompts in some languages) could be used to further validate the framework. We note that the MBT-DA pipeline itself uses LLM-based translation rather than Google Translate, and the training data includes functional effectiveness validation (i.e., verifying that translated jailbreak prompts still elicit harmful responses), which provides some signal beyond pure translation fidelity. However, we acknowledge this does not fully resolve the concern for the test set. We are unable to conduct a full native-language evaluation within the revision timeframe due to the difficulty of sourcing natively authored jailbreak prompts in lowresource revision: partial

  2. Referee: The test set contains only 30 jailbreak and 30 benign samples per language. A single misclassification shifts F1 by approximately 3 percentage points. The paper should report confidence intervals or bootstrap variance for the per-language results, not just for the aggregate. Without per-language uncertainty estimates, it is difficult to assess whether differences between languages (e.g., Burmese 0.877 vs. Urdu 1.000) are meaningful or noise.

    Authors: The referee is correct that with 30 jailbreak samples per language, per-language F1 scores are sensitive to individual misclassifications, and the current manuscript does not provide per-language uncertainty estimates. We will address this in the revision by adding bootstrap confidence intervals (using 1000 bootstrap resamples) for the per-language F1 scores in Tables VII and VIII. This will allow readers to assess whether the observed differences between languages are statistically meaningful. We agree that this is particularly important for the unseen-language generalization claims in Section V-E, where Burmese (F1=0.877) appears to underperform other languages. With bootstrap CIs, we expect to show that the Burmese result has a wider interval and that some of the apparent cross-language differences may not be statistically significant. We will also add a note in the discussion of Table VII acknowledging the small per-language sample size and its implications for interpreting point estimates. revision: yes

  3. Referee: The 'plain multilingual' row (naive translation without quality filtering) achieves 96.7% F1, only 1.8 points below MBT-DA's 98.5%. This suggests that the quality filtering in MBT-DA contributes marginally. The paper should discuss this more explicitly: if the gap between naive translation and MBT-DA is this small, the practical value of the multi-stage filtering pipeline needs better justification, perhaps in terms of precision (95.0% vs. 99.7%) or robustness on harder cases.

    Authors: We agree with the referee that the 1.8-point F1 gap between naive translation and MBT-DA does not by itself fully justify the multi-stage filtering pipeline, and that the current framing overstates the contribution of MBT-DA relative to simple translation. However, we would note that the more meaningful difference is in precision: naive translation yields 95.0% precision while MBT-DA achieves 99.7%, a 4.7-point gap. In a deployment context, false positives on benign prompts carry significant operational cost (e.g., blocking legitimate user queries), so the precision improvement is practically important. We will revise the manuscript to make this argument explicit: (1) We will reframe the MBT-DA contribution discussion in Section V-H to emphasize that the primary benefit is precision improvement (95.0% to 99.7%) rather than F1 improvement alone. (2) We will add a discussion noting that naive translation introduces noisy samples that cause benign prompt misclassification, and that the quality filtering pipeline specifically addresses this. (3) We will acknowledge that the F1 gap is modest and temper the claims about MBT-DA's contribution accordingly. We will not claim that MBT-DA is essential for achieving reasonable multilingual detection, but rather that it provides meaningful precision and reliability improvements that matter for practical deployment. revision: yes

standing simulated objections not resolved
  • We are unable to fully resolve the translationese concern (Major Comment 1) by conducting a new evaluation on natively authored non-English jailbreak prompts within the revision timeframe. Sourcing natively authored jailbreak prompts in low-resource languages such as Burmese, Javanese, and Swahili is difficult, and existing multilingual jailbreak datasets (e.g., MultiJail) also rely heavily on translation-derived data. We will acknowledge this as a scope limitation and temper our claims, but we cannot provide the native-language evaluation the referee suggests as option (b).

Circularity Check

0 steps flagged

No circularity found: the derivation chain is self-contained, with no self-definitional reductions, fitted-input-as-prediction, or load-bearing self-citations.

full rationale

The paper proposes MLJailDe, a multilingual jailbreak detection framework with two main components: (1) MBT-DA data augmentation and (2) a detector combining supervised contrastive loss (L_dist, Eq. 8) and weighted BCE (L_wce, Eq. 10) under a joint objective (L_total, Eq. 12). Walking the derivation chain: The MBT-DA pipeline (§IV-A) uses LLM-based forward/back translation and quality filtering to construct augmented training data — this is a data construction step, not a prediction. The contrastive loss (Eq. 8) is standard supervised contrastive learning with cosine similarity (Eq. 7); it is not defined in terms of the evaluation metrics. The weighted BCE (Eqs. 10-11) uses normalized inverse priors computed from class counts — a standard reweighting, not a fitted parameter renamed as a prediction. The joint loss (Eq. 12) is a convex combination with hyperparameter λ, tuned via sensitivity analysis (Fig. 7a). Evaluation metrics (P, R, F1 in Eqs. 13-15) are computed against ground-truth labels on a held-out test set (§V-A), not against the augmentation pipeline's own scores. The ablation study (Table X) independently varies each component. The unseen-language experiments (Tables VII-VIII) hold out entire languages from training. No step in the derivation reduces to its inputs by construction. The concern about translationese artifacts (both training and test data being translations of English originals) is a validity/generalization concern, not a circularity concern — the evaluation metrics are not defined in terms of the training pipeline's outputs. No self-citations are load-bearing for the central claims; the method is self-contained. The paper has minor self-citations to standard tools (DeBERTa, t-SNE) but these are external, independently verifiable resources. Score: 0 — no significant circularity detected.

Axiom & Free-Parameter Ledger

8 free parameters · 4 axioms · 0 invented entities

The paper does not invent new entities (particles, forces, dimensions, etc.). It combines existing techniques and models. The free parameters are standard hyperparameters for contrastive learning and data filtering. The domain assumptions about DeBERTa's cross-lingual capability and translation equivalence are the most load-bearing.

free parameters (8)
  • lambda (loss weight) = 0.55
    Balancing coefficient between contrastive loss and classification loss (Eq. 12). Selected via grid search over 0 to 1 with step 0.05 (Figure 7a).
  • tau (temperature) = 0.1
    Temperature in supervised contrastive loss (Eq. 8). Not tuned in the paper but set to a standard value.
  • proj_dim = 128
    Projection dimension for the contrastive space (Eq. 4-5). Set by the authors.
  • tau_acc (accuracy threshold) = 4
    Threshold for translation accuracy score in MBT-DA (Section IV-A, Step 2). Scores are on a 1-5 scale; threshold set to 4.
  • tau_align (alignment threshold) = 4
    Threshold for alignment score for benign prompts (Section IV-A, Step 3).
  • tau_safe (safety threshold) = 4
    Threshold for safety score for jailbreak prompts (Section IV-A, Step 3).
  • batch_size = 64
    Batch size for training. Figure 7b shows performance is highly sensitive to this parameter, with F1=0 at batch_size=1 and F1=98.5% at batch_size=64.
  • epochs = 20
    Number of training epochs. Figure 7c shows peak at epoch 11 with fluctuations after.
axioms (4)
  • domain assumption DeBERTa-v3-base can produce meaningful cross-lingual representations for 11 languages including low-resource ones like Bengali, Tamil, and Swahili.
    Section IV-B.1: The encoder is DeBERTa-v3-base, which is primarily English-focused. The paper does not use a multilingual model (mDeBERTa is only tested in Section V-F as an alternative). The assumption that DeBERTa can encode low-resource language semantics is load-bearing.
  • domain assumption Back-translated prompts that pass accuracy/alignment/safety scoring are semantically and functionally equivalent to natively-authored prompts in the target language.
    Section IV-A: The entire MBT-DA pipeline assumes that LLM-translated and filtered prompts are valid training and test data. If translated prompts differ systematically from native ones, the evaluation is compromised.
  • domain assumption Jailbreak intent is a language-insensitive property that can be captured in a shared representation space.
    Section I and Figure 1: The paper's core premise is that jailbreak prompts should cluster across languages. This is a reasonable but unproven assumption — jailbreak strategies may be language-specific.
  • standard math The supervised contrastive loss formulation (Eq. 8) with in-batch positive/negative pairs is appropriate for learning cross-lingual intent representations.
    Eq. 8 is standard SupCon (Khosla et al. 2020). The mathematical formulation is correct.

pith-pipeline@v1.1.0-glm · 35701 in / 2898 out tokens · 240421 ms · 2026-07-05T04:34:06.308346+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

68 extracted references · 68 canonical work pages · 11 internal anchors

  1. [1]

    Large language models in education: A focus on the complementary relationship between human teachers and chatgpt,

    J. Jeon and S. Lee, “Large language models in education: A focus on the complementary relationship between human teachers and chatgpt,” Education and Information Technologies, vol. 28, no. 12, pp. 15 873– 15 892, 2023

  2. [2]

    Large language models in finance: A survey,

    Y . Li, S. Wang, H. Ding, and H. Chen, “Large language models in finance: A survey,” inProceedings of the fourth ACM international conference on AI in finance, 2023, pp. 374–382. 15

  3. [3]

    Large language models in medicine,

    A. J. Thirunavukarasu, D. S. J. Ting, K. Elangovan, L. Gutierrez, T. F. Tan, and D. S. W. Ting, “Large language models in medicine,”Nature medicine, vol. 29, no. 8, pp. 1930–1940, 2023

  4. [4]

    A survey of multilingual large language models,

    L. Qin, Q. Chen, Y . Zhou, Z. Chen, Y . Li, L. Liao, M. Li, W. Che, and P. S. Yu, “A survey of multilingual large language models,”Patterns, vol. 6, no. 1, 2025

  5. [5]

    Jailbreaksovertime: Detecting jailbreak attacks under distribution shift,

    J. Piet, X. Huang, D. Jacob, A. Chow, M. Alrashed, G. Zhao, Z. Hu, C. Sitawarin, B. Alomair, and D. Wagner, “Jailbreaksovertime: Detecting jailbreak attacks under distribution shift,” inProceedings of the 18th ACM Workshop on Artificial Intelligence and Security, 2025, pp. 230– 241

  6. [6]

    Jailbreakbench: An open robustness benchmark for jailbreaking large language models,

    P. Chao, E. Debenedetti, A. Robey, M. Andriushchenko, F. Croce, V . Sehwag, E. Dobriban, N. Flammarion, G. J. Pappas, F. Tram`eret al., “Jailbreakbench: An open robustness benchmark for jailbreaking large language models,” inThe Thirty-eight Conference on Neural Information Processing Systems Datasets and Benchmarks Track, 2024

  7. [7]

    Multilingual jailbreak challenges in large language models,

    Y . Deng, W. Zhang, S. J. Pan, and L. Bing, “Multilingual jailbreak challenges in large language models,” inThe Twelfth International Conference on Learning Representations, 2024

  8. [8]

    Low-resource languages jailbreak gpt-4,

    Z. X. Yong, C. Menghini, and S. Bach, “Low-resource languages jailbreak gpt-4,” inSocially Responsible Language Modelling Research, 2023

  9. [9]

    The language barrier: Dissecting safety challenges of llms in multilingual contexts,

    L. Shen, W. Tan, S. Chen, Y . Chen, J. Zhang, H. Xu, B. Zheng, P. Koehn, and D. Khashabi, “The language barrier: Dissecting safety challenges of llms in multilingual contexts,” inFindings of the Association for Computational Linguistics: ACL 2024, 2024, pp. 2668–2680

  10. [10]

    GPT-4 Technical Report

    J. Achiam, S. Adler, S. Agarwal, L. Ahmad, I. Akkaya, F. L. Aleman, D. Almeida, J. Altenschmidt, S. Altman, S. Anadkatet al., “Gpt-4 technical report,”arXiv preprint arXiv:2303.08774, 2023

  11. [11]

    mt5: A massively multilingual pre-trained text- to-text transformer,

    L. Xue, N. Constant, A. Roberts, M. Kale, R. Al-Rfou, A. Siddhant, A. Barua, and C. Raffel, “mt5: A massively multilingual pre-trained text- to-text transformer,” inProceedings of the 2021 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, 2021, pp. 483–498

  12. [12]

    A cross-language investigation into jailbreak attacks in large language models,

    J. Li, Y . Liu, C. Liu, L. Shi, X. Ren, Y . Zheng, Y . Liu, and Y . Xue, “A cross-language investigation into jailbreak attacks in large language models,”arXiv preprint arXiv:2401.16765, 2024

  13. [13]

    Artprompt: Ascii art-based jailbreak attacks against aligned llms,

    F. Jiang, Z. Xu, L. Niu, Z. Xiang, B. Ramasubramanian, B. Li, and R. Poovendran, “Artprompt: Ascii art-based jailbreak attacks against aligned llms,” inProceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), 2024, pp. 15 157–15 173

  14. [14]

    English as defense proxy: Mitigating multilingual jailbreak via eliciting english safety knowledge,

    Z. Zhang, Y . Guo, J. Lin, S. Quan, H. Zhang, and D. Zhao, “English as defense proxy: Mitigating multilingual jailbreak via eliciting english safety knowledge,” inFindings of the Association for Computational Linguistics: EMNLP 2025, 2025, pp. 1185–1196

  15. [15]

    Gradsafe: Detecting jailbreak prompts for llms via safety-critical gradient analysis,

    Y . Xie, M. Fang, R. Pi, and N. Gong, “Gradsafe: Detecting jailbreak prompts for llms via safety-critical gradient analysis,” inProceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), 2024, pp. 507–518

  16. [16]

    Jbshield: Defending large language models from jailbreak attacks through activated concept analysis and manipulation,

    S. Zhang, Y . Zhai, K. Guo, H. Hu, S. Guo, Z. Fang, L. Zhao, C. Shen, C. Wang, and Q. Wang, “Jbshield: Defending large language models from jailbreak attacks through activated concept analysis and manipulation,” inProceedings of the 34th USENIX Security Symposium (USENIX Security 2025), 2025

  17. [17]

    On prompt-driven safeguarding for large language mod- els,

    C. Zheng, F. Yin, H. Zhou, F. Meng, J. Zhou, K.-W. Chang, M. Huang, and N. Peng, “On prompt-driven safeguarding for large language mod- els,” inInternational Conference on Machine Learning. PMLR, 2024, pp. 61 593–61 613

  18. [18]

    Rain: Your language models can align themselves without finetuning,

    Y . Li, F. Wei, J. Zhao, C. Zhang, and H. Zhang, “Rain: Your language models can align themselves without finetuning,” inThe Twelfth Inter- national Conference on Learning Representations, 2024

  19. [19]

    Safede- coding: Defending against jailbreak attacks via safety-aware decoding,

    Z. Xu, F. Jiang, L. Niu, J. Jia, B. Y . Lin, and R. Poovendran, “Safede- coding: Defending against jailbreak attacks via safety-aware decoding,” inProceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), 2024, pp. 5587– 5605

  20. [20]

    Gradient cuff: Detecting jailbreak at- tacks on large language models by exploring refusal loss landscapes,

    X. Xu, P.-Y . Chen, and T.-y. Ho, “Gradient cuff: Detecting jailbreak at- tacks on large language models by exploring refusal loss landscapes,” in The Thirty-eighth Annual Conference on Neural Information Processing Systems, 2024

  21. [21]

    Jailbreak antidote: Runtime safety-utility balance via sparse representation adjustment in large language models,

    G. Shen, D. Zhao, Y . Dong, X. He, and Y . Zeng, “Jailbreak antidote: Runtime safety-utility balance via sparse representation adjustment in large language models,” inThe Thirteenth International Conference on Learning Representations, 2025

  22. [22]

    Bleeding pathways: Vanishing discriminability in llm hidden states fuels jailbreak attacks,

    Y . Zhang, T. Liu, Z. Zhao, G. Meng, and K. Chen, “Bleeding pathways: Vanishing discriminability in llm hidden states fuels jailbreak attacks,” inNDSS, 2026

  23. [23]

    Graphshield: Graph- theoretic modeling of network-level dynamics for robust jailbreak detection,

    S. Dong, S. Yi, K. Bae, J. Kim, and S. Kim, “Graphshield: Graph- theoretic modeling of network-level dynamics for robust jailbreak detection,” inThe Fourteenth International Conference on Learning Representations, 2026

  24. [24]

    Defending chatgpt against jailbreak attack via self-reminders,

    Y . Xie, J. Yi, J. Shao, J. Curl, L. Lyu, Q. Chen, X. Xie, and F. Wu, “Defending chatgpt against jailbreak attack via self-reminders,”Nature Machine Intelligence, vol. 5, no. 12, pp. 1486–1496, 2023

  25. [25]

    Robust prompt optimization for defend- ing language models against jailbreaking attacks,

    A. Zhou, B. Li, and H. Wang, “Robust prompt optimization for defend- ing language models against jailbreaking attacks,”Advances in Neural Information Processing Systems, vol. 37, pp. 40 184–40 211, 2024

  26. [26]

    Defending against alignment- breaking attacks via robustly aligned llm,

    B. Cao, Y . Cao, L. Lin, and J. Chen, “Defending against alignment- breaking attacks via robustly aligned llm,” inProceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Vol- ume 1: Long Papers), 2024, pp. 10 542–10 560

  27. [27]

    Selfdefend: Llms can defend themselves against jailbreaking in a practical manner,

    X. Wang, D. Wu, Z. Ji, Z. Li, P. Ma, S. Wang, Y . Li, Y . Liu, N. Liu, and J. Rahmel, “Selfdefend: Llms can defend themselves against jailbreaking in a practical manner,” inProceedings of the 34th USENIX Conference on Security Symposium, 2025, pp. 2441–2460

  28. [28]

    Jailbreak and guard aligned language models with only few in-context demonstrations,

    Z. Wei, Y . Wang, A. Li, Y . Mo, and Y . Wang, “Jailbreak and guard aligned language models with only few in-context demonstrations,” IEEE Transactions on Pattern Analysis and Machine Intelligence, 2026

  29. [29]

    Align once, benefit multilin- gually: Enforcing multilingual consistency for llm safety alignment,

    Y . Bu, X. Liu, Z. Ren, Y . Yang, and J. Dai, “Align once, benefit multilin- gually: Enforcing multilingual consistency for llm safety alignment,” in The Fourteenth International Conference on Learning Representations, 2026

  30. [30]

    Llama 2: Open Foundation and Fine-Tuned Chat Models

    H. Touvron, L. Martin, K. Stone, P. Albert, A. Almahairi, Y . Babaei, N. Bashlykov, S. Batra, P. Bhargava, S. Bhosaleet al., “Llama 2: Open foundation and fine-tuned chat models,”arXiv preprint arXiv:2307.09288, 2023

  31. [31]

    The Llama 3 Herd of Models

    A. Grattafiori, A. Dubey, A. Jauhri, A. Pandey, A. Kadian, A. Al-Dahle, A. Letman, A. Mathur, A. Schelten, A. Vaughanet al., “The llama 3 herd of models,”arXiv preprint arXiv:2407.21783, 2024

  32. [32]

    Qwen2 Technical Report

    A. Yang, B. Yang, B. Hui, B. Zheng, B. Yu, C. Zhou, C. Li, C. Li, D. Liu, F. Huang, G. Dong, H. Wei, H. Lin, J. Tang, J. Wang, J. Yang, J. Tu, J. Zhang, J. Ma, J. Xu, J. Zhou, J. Bai, J. He, J. Lin, K. Dang, K. Lu, K. Chen, K. Yang, M. Li, M. Xue, N. Ni, P. Zhang, P. Wang, R. Peng, R. Men, R. Gao, R. Lin, S. Wang, S. Bai, S. Tan, T. Zhu, T. Li, T. Liu, W....

  33. [33]

    Qwen3 Technical Report

    A. Yang, A. Li, B. Yang, B. Zhang, B. Hui, B. Zheng, B. Yu, C. Gao, C. Huang, C. Lvet al., “Qwen3 technical report,”arXiv preprint arXiv:2505.09388, 2025

  34. [34]

    Gpt- 4 is too smart to be safe: Stealthy chat with llms via cipher,

    Y . Yuan, W. Jiao, W. Wang, J.-t. Huang, P. He, S. Shi, and Z. Tu, “Gpt- 4 is too smart to be safe: Stealthy chat with llms via cipher,” inThe Twelfth International Conference on Learning Representations, 2024

  35. [35]

    Sandwich attack: Multi-language mixture adaptive attack on llms,

    B. Upadhayay and V . Behzadan, “Sandwich attack: Multi-language mixture adaptive attack on llms,” inProceedings of the 4th Workshop on Trustworthy Natural Language Processing (TrustNLP 2024), 2024, pp. 208–226

  36. [36]

    Multilingual collaborative defense for large language models,

    H. Li, J. Xu, G. Cui, C. Guan, F. Mo, and K. Huang, “Multilingual collaborative defense for large language models,” inFindings of the Association for Computational Linguistics: EMNLP 2025, C. Christodoulopoulos, T. Chakraborty, C. Rose, and V . Peng, Eds. Suzhou, China: Association for Computational Linguistics, Nov. 2025, pp. 3735–3755. [Online]. Availab...

  37. [37]

    Mrguard: A multilingual reasoning guardrail for universal llm safety,

    Y . Yang, S. Dan, S. Li, D. Roth, and I. Lee, “Mrguard: A multilingual reasoning guardrail for universal llm safety,” inProceedings of the 2025 Conference on Empirical Methods in Natural Language Processing, 2025, pp. 27 365–27 384

  38. [38]

    Sealguard: Safe- guarding the multilingual conversations in southeast asian languages for ai-powered software,

    W. Shan, M. Fu, R. Yang, and C. Tantithamthavorn, “Sealguard: Safe- guarding the multilingual conversations in southeast asian languages for ai-powered software,” in2025 2nd IEEE/ACM International Conference on AI-powered Software (AIware). IEEE, 2025, pp. 197–206

  39. [39]

    Sentra-Guard: A Real-Time Multilingual Defense Against Adversarial LLM Prompts

    M. M. Hasan, Z. Rahman, R. Mostafiz, and M. A. Hossain, “Sentra- guard: A multilingual human-ai framework for real-time defense against adversarial llm jailbreaks,”arXiv preprint arXiv:2510.22628, 2025

  40. [40]

    Sok: Eval- uating jailbreak guardrails for large language models,

    X. Wang, Z. Ji, W. Wang, Z. Li, D. Wu, and S. Wang, “Sok: Eval- uating jailbreak guardrails for large language models,” in2026 IEEE Symposium on Security and Privacy (SP), 2026. 16

  41. [41]

    Fight back against jailbreaking via prompt adversarial tuning,

    Y . Mo, Y . Wang, Z. Wei, and Y . Wang, “Fight back against jailbreaking via prompt adversarial tuning,”Advances in Neural Information Pro- cessing Systems, vol. 37, pp. 64 242–64 272, 2024

  42. [42]

    Defending large language models against jailbreaking attacks through goal priori- tization,

    Z. Zhang, J. Yang, P. Ke, F. Mi, H. Wang, and M. Huang, “Defending large language models against jailbreaking attacks through goal priori- tization,” inProceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), 2024, pp. 8865– 8887

  43. [43]

    Refuse whenever you feel unsafe: Improving safety in llms via decoupled refusal training,

    Y . Yuan, W. Jiao, W. Wang, J.-t. Huang, J. Xu, T. Liang, P. He, and Z. Tu, “Refuse whenever you feel unsafe: Improving safety in llms via decoupled refusal training,” inProceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), 2025, pp. 3149–3167

  44. [44]

    Training language models to follow instructions with human feedback,

    L. Ouyang, J. Wu, X. Jiang, D. Almeida, C. Wainwright, P. Mishkin, C. Zhang, S. Agarwal, K. Slama, A. Rayet al., “Training language models to follow instructions with human feedback,”Advances in neural information processing systems, vol. 35, pp. 27 730–27 744, 2022

  45. [45]

    Training a Helpful and Harmless Assistant with Reinforcement Learning from Human Feedback

    Y . Bai, A. Jones, K. Ndousse, A. Askell, A. Chen, N. DasSarma, D. Drain, S. Fort, D. Ganguli, T. Henighanet al., “Training a helpful and harmless assistant with reinforcement learning from human feedback,” arXiv preprint arXiv:2204.05862, 2022

  46. [46]

    Efficient adversarial training in llms with continuous attacks,

    S. Xhonneux, A. Sordoni, S. G ¨unnemann, G. Gidel, and L. Schwinn, “Efficient adversarial training in llms with continuous attacks,”Advances in Neural Information Processing Systems, vol. 37, pp. 1502–1530, 2024

  47. [47]

    Adversarial d\’ej\a vu: Jailbreak dictionary learning for stronger generalization to unseen attacks,

    M. Dabas, T. Huynh, N. R. Billa, J. T. Wang, P. Gao, C. Peris, Y . Ma, R. Gupta, M. Jin, P. Mittalet al., “Adversarial d\’ej\a vu: Jailbreak dictionary learning for stronger generalization to unseen attacks,” inThe Fourteenth International Conference on Learning Representations, 2026

  48. [48]

    Aligner: Efficient alignment by learning to correct,

    J. Ji, B. Chen, H. Lou, D. Hong, B. Zhang, X. Pan, J. Dai, T. Qiu, and Y . Yang, “Aligner: Efficient alignment by learning to correct,”Advances in Neural Information Processing Systems, vol. 37, pp. 90 853–90 890, 2024

  49. [49]

    Llama Guard: LLM-based Input-Output Safeguard for Human-AI Conversations

    H. Inan, K. Upasani, J. Chi, R. Rungta, K. Iyer, Y . Mao, M. Tontchev, Q. Hu, B. Fuller, D. Testuggineet al., “Llama guard: Llm-based input-output safeguard for human-ai conversations,”arXiv preprint arXiv:2312.06674, 2023

  50. [50]

    ShieldGemma: Generative AI Content Moderation Based on Gemma

    W. Zeng, Y . Liu, R. Mullins, L. Peran, J. Fernandez, H. Harkous, K. Narasimhan, D. Proud, P. Kumar, B. Radharapuet al., “Shieldgemma: Generative ai content moderation based on gemma,”arXiv preprint arXiv:2407.21772, 2024

  51. [51]

    Llama prompt guard 2,

    Meta, “Llama prompt guard 2,” https://www.llama.com/docs/ model-cards-and-prompt-formats/prompt-guard/, 2025

  52. [52]

    Moderation,

    OpenAI, “Moderation,” https://platform.openai.com/docs/guides/ moderation/, 2025

  53. [53]

    SmoothLLM: Defending Large Language Models Against Jailbreaking Attacks

    A. Robey, E. Wong, H. Hassani, and G. J. Pappas, “Smoothllm: Defending large language models against jailbreaking attacks,”arXiv preprint arXiv:2310.03684, 2023

  54. [54]

    Llmguard: guarding against unsafe llm be- havior,

    S. Goyal, M. Hira, S. Mishra, S. Goyal, A. Goel, N. Dadu, K. DB, S. Mehta, and N. Madaan, “Llmguard: guarding against unsafe llm be- havior,” inProceedings of the AAAI conference on artificial intelligence, vol. 38, no. 21, 2024, pp. 23 790–23 792

  55. [55]

    Rig- orllm: Resilient guardrails for large language models against undesired content,

    Z. Yuan, Z. Xiong, Y . Zeng, N. Yu, R. Jia, D. Song, and B. Li, “Rig- orllm: Resilient guardrails for large language models against undesired content,” inInternational Conference on Machine Learning. PMLR, 2024, pp. 57 953–57 965

  56. [56]

    Moje: Mixture of jailbreak experts, naive tabular classi- fiers as guard for prompt attacks,

    G. Cornacchia, G. Zizzo, K. Fraser, M. Z. Hameed, A. Rawat, and M. Purcell, “Moje: Mixture of jailbreak experts, naive tabular classi- fiers as guard for prompt attacks,” inProceedings of the AAAI/ACM Conference on AI, Ethics, and Society, vol. 7, no. 1, 2024, pp. 304–315

  57. [57]

    A holistic approach to undesired content detection in the real world,

    T. Markov, C. Zhang, S. Agarwal, F. E. Nekoul, T. Lee, S. Adler, A. Jiang, and L. Weng, “A holistic approach to undesired content detection in the real world,” inProceedings of the AAAI conference on artificial intelligence, vol. 37, no. 12, 2023, pp. 15 009–15 018

  58. [58]

    Certifying llm safety against adversarial prompting,

    A. Kumar, C. Agarwal, S. Srinivas, A. J. Li, S. Feizi, and H. Lakkaraju, “Certifying llm safety against adversarial prompting,” inFirst Confer- ence on Language Modeling, 2024

  59. [59]

    Detecting Language Model Attacks with Perplexity

    G. Alon and M. Kamfonas, “Detecting language model attacks with perplexity,”arXiv preprint arXiv:2308.14132, 2023

  60. [60]

    Hsf: Defending against jailbreak attacks with hidden state filtering,

    C. Qian, H. Zhang, L. Sha, and Z. Zheng, “Hsf: Defending against jailbreak attacks with hidden state filtering,” inCompanion Proceedings of the ACM on Web Conference 2025, 2025, pp. 2078–2087

  61. [61]

    Constitutional classi- fiers++: Production-grade defenses against universal jailbreaks,

    H. Cunningham, J. Wei, Z. Wang, A. Persic, A. Peng, J. Abderrachid, R. Agarwal, B. Chen, A. Cohen, A. Dauet al., “Constitutional classi- fiers++: Production-grade defenses against universal jailbreaks,” inThe Fourteenth International Conference on Learning Representations, 2026

  62. [62]

    Llm self defense: By self examination, llms know they are being tricked,

    M. Phute, A. Helbling, M. Hull, S. Peng, S. Szyller, C. Cornelius, and D. H. Chau, “Llm self defense: By self examination, llms know they are being tricked,”arXiv preprint arXiv:2308.07308, 2023

  63. [63]

    Wildguard: Open one-stop moderation tools for safety risks, jailbreaks, and refusals of llms,

    S. Han, K. Rao, A. Ettinger, L. Jiang, B. Y . Lin, N. Lambert, Y . Choi, and N. Dziri, “Wildguard: Open one-stop moderation tools for safety risks, jailbreaks, and refusals of llms,”Advances in neural information processing systems, vol. 37, pp. 8093–8131, 2024

  64. [64]

    X-guard: Multilingual guard agent for content moderation,

    B. Upadhayay and V . Behzadan, “X-guard: Multilingual guard agent for content moderation,” inProceedings of the The First Workshop on LLM Security (LLMSEC), 2025, pp. 54–86

  65. [65]

    Introducing gpt-5,

    OpenAI, “Introducing gpt-5,” https://openai.com/index/ introducing-gpt-5/, 2025

  66. [66]

    Introducing claude sonnet 4.5,

    Anthropic, “Introducing claude sonnet 4.5,” https://www.anthropic.com/ news/claude-sonnet-4-5, 2025

  67. [67]

    Deberta: Decoding-enhanced bert with disentangled attention,

    P. He, X. Liu, J. Gao, and W. Chen, “Deberta: Decoding-enhanced bert with disentangled attention,” inInternational Conference on Learning Representations, 2021

  68. [68]

    Visualizing data using t-sne,

    L. v. d. Maaten and G. Hinton, “Visualizing data using t-sne,”Journal of machine learning research, vol. 9, no. Nov, pp. 2579–2605, 2008. Shuyu Jiangis currently an assistant researcher at the School of Cyber Science and Engineering, Sichuan University. She received the Ph.D degree in 2025 from Sichuan University. Her research interests focus on the appli...