AdaPPA: Adaptive Position Pre-Fill Jailbreak Attack Approach Targeting LLMs

Lijia Lv; Weigang Zhang; Xuehai Tang; Jie Wen; Feng Liu; Jizhong Han; Songlin Hu

doi:10.1109/ICASSP49660.2025.10890715

AdaPPA: Adaptive Position Pre-Fill Jailbreak Attack Approach Targeting LLMs

Lijia Lv
, Weigang Zhang
, Xuehai Tang^*
, Jie Wen^*
, Feng Liu
, Jizhong Han
, Songlin Hu

^*Corresponding author for this work

CAS - Institute of Information Engineering
University of Chinese Academy of Sciences

Research output: Contribution to journal › Conference article › peer-review

1 Scopus citations

Abstract

Jailbreak vulnerabilities in Large Language Models (LLMs) refer to methods that extract malicious content from the model by carefully crafting prompts or suffixes, which has garnered significant attention from the research community. However, traditional attack methods, which primarily focus on the semantic level, are easily detected by the model. These methods overlook the difference in the model's alignment protection capabilities at different output stages. To address this issue, we propose an adaptive position pre-fill jailbreak attack approach for executing jailbreak attacks on LLMs. Our method leverages the model's instruction-following capabilities to first output pre-filled safe content, then exploits its narrative-shifting abilities to generate harmful content. Extensive black-box experiments demonstrate our method can improve the attack success rate by 47% on the widely recognized secure model (Llama2) compared to existing approaches. Our code can be found at: https://github.com/Yummy416/AdaPPA.

Original language	English
Journal	Proceedings - ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing
DOIs	https://doi.org/10.1109/ICASSP49660.2025.10890715
State	Published - 2025
Externally published	Yes
Event	2025 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2025 - Hyderabad, India Duration: 6 Apr 2025 → 11 Apr 2025

Keywords

Jailbreak Attacks
Large Language Models
Model Security
Pre-Fill Attacks

Access to Document

10.1109/ICASSP49660.2025.10890715

Cite this

@article{e59f94b6b3e84738b756773ef6f11488,

title = "AdaPPA: Adaptive Position Pre-Fill Jailbreak Attack Approach Targeting LLMs",

abstract = "Jailbreak vulnerabilities in Large Language Models (LLMs) refer to methods that extract malicious content from the model by carefully crafting prompts or suffixes, which has garnered significant attention from the research community. However, traditional attack methods, which primarily focus on the semantic level, are easily detected by the model. These methods overlook the difference in the model's alignment protection capabilities at different output stages. To address this issue, we propose an adaptive position pre-fill jailbreak attack approach for executing jailbreak attacks on LLMs. Our method leverages the model's instruction-following capabilities to first output pre-filled safe content, then exploits its narrative-shifting abilities to generate harmful content. Extensive black-box experiments demonstrate our method can improve the attack success rate by 47\% on the widely recognized secure model (Llama2) compared to existing approaches. Our code can be found at: https://github.com/Yummy416/AdaPPA.",

keywords = "Jailbreak Attacks, Large Language Models, Model Security, Pre-Fill Attacks",

author = "Lijia Lv and Weigang Zhang and Xuehai Tang and Jie Wen and Feng Liu and Jizhong Han and Songlin Hu",

note = "Publisher Copyright: {\textcopyright} 2025 Institute of Electrical and Electronics Engineers Inc.. All rights reserved.; 2025 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2025 ; Conference date: 06-04-2025 Through 11-04-2025",

year = "2025",

doi = "10.1109/ICASSP49660.2025.10890715",

language = "英语",

journal = "Proceedings - ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing",

issn = "0736-7791",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - JOUR

T1 - AdaPPA

T2 - 2025 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2025

AU - Lv, Lijia

AU - Zhang, Weigang

AU - Tang, Xuehai

AU - Wen, Jie

AU - Liu, Feng

AU - Han, Jizhong

AU - Hu, Songlin

PY - 2025

Y1 - 2025

N2 - Jailbreak vulnerabilities in Large Language Models (LLMs) refer to methods that extract malicious content from the model by carefully crafting prompts or suffixes, which has garnered significant attention from the research community. However, traditional attack methods, which primarily focus on the semantic level, are easily detected by the model. These methods overlook the difference in the model's alignment protection capabilities at different output stages. To address this issue, we propose an adaptive position pre-fill jailbreak attack approach for executing jailbreak attacks on LLMs. Our method leverages the model's instruction-following capabilities to first output pre-filled safe content, then exploits its narrative-shifting abilities to generate harmful content. Extensive black-box experiments demonstrate our method can improve the attack success rate by 47% on the widely recognized secure model (Llama2) compared to existing approaches. Our code can be found at: https://github.com/Yummy416/AdaPPA.

AB - Jailbreak vulnerabilities in Large Language Models (LLMs) refer to methods that extract malicious content from the model by carefully crafting prompts or suffixes, which has garnered significant attention from the research community. However, traditional attack methods, which primarily focus on the semantic level, are easily detected by the model. These methods overlook the difference in the model's alignment protection capabilities at different output stages. To address this issue, we propose an adaptive position pre-fill jailbreak attack approach for executing jailbreak attacks on LLMs. Our method leverages the model's instruction-following capabilities to first output pre-filled safe content, then exploits its narrative-shifting abilities to generate harmful content. Extensive black-box experiments demonstrate our method can improve the attack success rate by 47% on the widely recognized secure model (Llama2) compared to existing approaches. Our code can be found at: https://github.com/Yummy416/AdaPPA.

KW - Jailbreak Attacks

KW - Large Language Models

KW - Model Security

KW - Pre-Fill Attacks

UR - https://www.scopus.com/pages/publications/105009820180

U2 - 10.1109/ICASSP49660.2025.10890715

DO - 10.1109/ICASSP49660.2025.10890715

M3 - 会议文章

AN - SCOPUS:105009820180

SN - 0736-7791

JO - Proceedings - ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing

JF - Proceedings - ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing

Y2 - 6 April 2025 through 11 April 2025

ER -

AdaPPA: Adaptive Position Pre-Fill Jailbreak Attack Approach Targeting LLMs

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this