Stealthy Jailbreak Attacks on Large Language Models via Benign Data Mirroring

Honglin Mu; Han He; Yuxin Zhou; Yunlong Feng; Yang Xu; Libo Qin; Xiaoming Shi; Zeming Liu; Xudong Han; Qi Shi; Qingfu Zhu; Wanxiang Che

doi:10.18653/v1/2025.naacl-long.88

Stealthy Jailbreak Attacks on Large Language Models via Benign Data Mirroring

Honglin Mu
, Han He
, Yuxin Zhou
, Yunlong Feng
, Yang Xu
, Libo Qin
, Xiaoming Shi
, Zeming Liu
, Xudong Han
, Qi Shi
, Qingfu Zhu
, Wanxiang Che^*

^*Corresponding author for this work

Faculty of Computing

Harbin Institute of Technology
Central South University
East China Normal University
Beihang University
LibrAI
Mohamed Bin Zayed University of Artificial Intelligence
Tsinghua University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

Large language model (LLM) safety is a critical issue, with numerous studies employing red team testing to enhance model security. Among these, jailbreak methods explore potential vulnerabilities by crafting malicious prompts that induce model outputs contrary to safety alignments. Existing black-box jailbreak methods often rely on model feedback, repeatedly submitting queries with detectable malicious instructions during the attack search process. Although these approaches are effective, the attacks may be intercepted by content moderators during the search process. We propose an improved transfer attack method that guides malicious prompt construction by locally training a mirror model of the target black-box model through benign data distillation. This method offers enhanced stealth, as it does not involve submitting identifiable malicious instructions to the target model during the search phase. Our approach achieved a maximum attack success rate of 92%, or a balanced value of 80% with an average of 1.5 detectable jailbreak queries per sample against GPT-3.5 Turbo on a subset of AdvBench. These results underscore the need for more robust defense mechanisms.

Original language	English
Title of host publication	Long Papers
Editors	Luis Chiruzzo, Alan Ritter, Lu Wang
Publisher	Association for Computational Linguistics (ACL)
Pages	1784-1799
Number of pages	16
ISBN (Electronic)	9798891761896
DOIs	https://doi.org/10.18653/v1/2025.naacl-long.88
State	Published - 2025
Event	2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies, NAACL-HLT 2025 - Hybrid, Albuquerque, United States Duration: 29 Apr 2025 → 4 May 2025

Publication series

Name	Proceedings of the 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies: Long Papers, NAACL-HLT 2025
Volume	1

Conference

Conference	2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies, NAACL-HLT 2025
Country/Territory	United States
City	Hybrid, Albuquerque
Period	29/04/25 → 4/05/25

Access to Document

10.18653/v1/2025.naacl-long.88

Cite this

Mu, H., He, H., Zhou, Y., Feng, Y., Xu, Y., Qin, L., Shi, X., Liu, Z., Han, X., Shi, Q., Zhu, Q., & Che, W. (2025). Stealthy Jailbreak Attacks on Large Language Models via Benign Data Mirroring. In L. Chiruzzo, A. Ritter, & L. Wang (Eds.), Long Papers (pp. 1784-1799). (Proceedings of the 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies: Long Papers, NAACL-HLT 2025; Vol. 1). Association for Computational Linguistics (ACL). https://doi.org/10.18653/v1/2025.naacl-long.88

Mu, Honglin ; He, Han ; Zhou, Yuxin et al. / Stealthy Jailbreak Attacks on Large Language Models via Benign Data Mirroring. Long Papers. editor / Luis Chiruzzo ; Alan Ritter ; Lu Wang. Association for Computational Linguistics (ACL), 2025. pp. 1784-1799 (Proceedings of the 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies: Long Papers, NAACL-HLT 2025).

@inproceedings{887447216afa4455b5fa09b374bf9fe8,

title = "Stealthy Jailbreak Attacks on Large Language Models via Benign Data Mirroring",

abstract = "Large language model (LLM) safety is a critical issue, with numerous studies employing red team testing to enhance model security. Among these, jailbreak methods explore potential vulnerabilities by crafting malicious prompts that induce model outputs contrary to safety alignments. Existing black-box jailbreak methods often rely on model feedback, repeatedly submitting queries with detectable malicious instructions during the attack search process. Although these approaches are effective, the attacks may be intercepted by content moderators during the search process. We propose an improved transfer attack method that guides malicious prompt construction by locally training a mirror model of the target black-box model through benign data distillation. This method offers enhanced stealth, as it does not involve submitting identifiable malicious instructions to the target model during the search phase. Our approach achieved a maximum attack success rate of 92\%, or a balanced value of 80\% with an average of 1.5 detectable jailbreak queries per sample against GPT-3.5 Turbo on a subset of AdvBench. These results underscore the need for more robust defense mechanisms.",

author = "Honglin Mu and Han He and Yuxin Zhou and Yunlong Feng and Yang Xu and Libo Qin and Xiaoming Shi and Zeming Liu and Xudong Han and Qi Shi and Qingfu Zhu and Wanxiang Che",

note = "Publisher Copyright: {\textcopyright} 2025 Association for Computational Linguistics.; 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies, NAACL-HLT 2025 ; Conference date: 29-04-2025 Through 04-05-2025",

year = "2025",

doi = "10.18653/v1/2025.naacl-long.88",

language = "英语",

series = "Proceedings of the 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies: Long Papers, NAACL-HLT 2025",

publisher = "Association for Computational Linguistics (ACL)",

pages = "1784--1799",

editor = "Luis Chiruzzo and Alan Ritter and Lu Wang",

booktitle = "Long Papers",

address = "澳大利亚",

}

Mu, H, He, H, Zhou, Y, Feng, Y, Xu, Y, Qin, L, Shi, X, Liu, Z, Han, X, Shi, Q, Zhu, Q & Che, W 2025, Stealthy Jailbreak Attacks on Large Language Models via Benign Data Mirroring. in L Chiruzzo, A Ritter & L Wang (eds), Long Papers. Proceedings of the 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies: Long Papers, NAACL-HLT 2025, vol. 1, Association for Computational Linguistics (ACL), pp. 1784-1799, 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies, NAACL-HLT 2025, Hybrid, Albuquerque, United States, 29/04/25. https://doi.org/10.18653/v1/2025.naacl-long.88

Stealthy Jailbreak Attacks on Large Language Models via Benign Data Mirroring. / Mu, Honglin; He, Han; Zhou, Yuxin et al.
Long Papers. ed. / Luis Chiruzzo; Alan Ritter; Lu Wang. Association for Computational Linguistics (ACL), 2025. p. 1784-1799 (Proceedings of the 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies: Long Papers, NAACL-HLT 2025; Vol. 1).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Stealthy Jailbreak Attacks on Large Language Models via Benign Data Mirroring

AU - Mu, Honglin

AU - He, Han

AU - Zhou, Yuxin

AU - Feng, Yunlong

AU - Xu, Yang

AU - Qin, Libo

AU - Shi, Xiaoming

AU - Liu, Zeming

AU - Han, Xudong

AU - Shi, Qi

AU - Zhu, Qingfu

AU - Che, Wanxiang

PY - 2025

Y1 - 2025

N2 - Large language model (LLM) safety is a critical issue, with numerous studies employing red team testing to enhance model security. Among these, jailbreak methods explore potential vulnerabilities by crafting malicious prompts that induce model outputs contrary to safety alignments. Existing black-box jailbreak methods often rely on model feedback, repeatedly submitting queries with detectable malicious instructions during the attack search process. Although these approaches are effective, the attacks may be intercepted by content moderators during the search process. We propose an improved transfer attack method that guides malicious prompt construction by locally training a mirror model of the target black-box model through benign data distillation. This method offers enhanced stealth, as it does not involve submitting identifiable malicious instructions to the target model during the search phase. Our approach achieved a maximum attack success rate of 92%, or a balanced value of 80% with an average of 1.5 detectable jailbreak queries per sample against GPT-3.5 Turbo on a subset of AdvBench. These results underscore the need for more robust defense mechanisms.

AB - Large language model (LLM) safety is a critical issue, with numerous studies employing red team testing to enhance model security. Among these, jailbreak methods explore potential vulnerabilities by crafting malicious prompts that induce model outputs contrary to safety alignments. Existing black-box jailbreak methods often rely on model feedback, repeatedly submitting queries with detectable malicious instructions during the attack search process. Although these approaches are effective, the attacks may be intercepted by content moderators during the search process. We propose an improved transfer attack method that guides malicious prompt construction by locally training a mirror model of the target black-box model through benign data distillation. This method offers enhanced stealth, as it does not involve submitting identifiable malicious instructions to the target model during the search phase. Our approach achieved a maximum attack success rate of 92%, or a balanced value of 80% with an average of 1.5 detectable jailbreak queries per sample against GPT-3.5 Turbo on a subset of AdvBench. These results underscore the need for more robust defense mechanisms.

UR - https://www.scopus.com/pages/publications/105027436212

U2 - 10.18653/v1/2025.naacl-long.88

DO - 10.18653/v1/2025.naacl-long.88

M3 - 会议稿件

AN - SCOPUS:105027436212

T3 - Proceedings of the 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies: Long Papers, NAACL-HLT 2025

SP - 1784

EP - 1799

BT - Long Papers

A2 - Chiruzzo, Luis

A2 - Ritter, Alan

A2 - Wang, Lu

PB - Association for Computational Linguistics (ACL)

T2 - 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies, NAACL-HLT 2025

Y2 - 29 April 2025 through 4 May 2025

ER -

Mu H, He H, Zhou Y, Feng Y, Xu Y, Qin L et al. Stealthy Jailbreak Attacks on Large Language Models via Benign Data Mirroring. In Chiruzzo L, Ritter A, Wang L, editors, Long Papers. Association for Computational Linguistics (ACL). 2025. p. 1784-1799. (Proceedings of the 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies: Long Papers, NAACL-HLT 2025). doi: 10.18653/v1/2025.naacl-long.88

Stealthy Jailbreak Attacks on Large Language Models via Benign Data Mirroring

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this