{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T07:03:04Z","timestamp":1782975784781,"version":"3.54.5"},"reference-count":109,"publisher":"IEEE","license":[{"start":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T00:00:00Z","timestamp":1779062400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T00:00:00Z","timestamp":1779062400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62532016,6257071391,62502309"],"award-info":[{"award-number":["62532016,6257071391,62502309"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100003395","name":"Shanghai Municipal Education Commission","doi-asserted-by":"publisher","award":["ZXDF030140"],"award-info":[{"award-number":["ZXDF030140"]}],"id":[{"id":"10.13039\/501100003395","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026,5,18]]},"DOI":"10.1109\/sp63933.2026.00107","type":"proceedings-article","created":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T19:34:20Z","timestamp":1782934460000},"page":"118-137","source":"Crossref","is-referenced-by-count":0,"title":["SoK: Robustness in Large Language Models against Jailbreak Attacks"],"prefix":"10.1109","author":[{"given":"Feiyue","family":"Xu","sequence":"first","affiliation":[{"name":"Shanghai Jiao Tong University,China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Hongsheng","family":"Hu","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University,China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Chaoxiang","family":"He","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University,China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Sheng","family":"Hang","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University,China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Hanqing","family":"Hu","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University,China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Xiuming","family":"Liu","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University,China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yubo","family":"Zhao","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University,China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Zhengyan","family":"Zhou","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University,China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Bin Benjamin","family":"Zhu","sequence":"additional","affiliation":[{"name":"Microsoft Corporation"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Shi-Feng","family":"Sun","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University,China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Dawu","family":"Gu","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University,China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Shuo","family":"Wang","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University,China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","author":"Alon","year":"2023","journal-title":"Detecting language model attacks with perplexity"},{"key":"ref2","article-title":"Jailbreaking leading safety-aligned 11 ms with simple adaptive attacks","author":"Andriushchenko","year":"2025","journal-title":"ICLR"},{"key":"ref3","volume-title":"Claude 3.7 sonnet system card","year":"2025"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.acl-long.401"},{"key":"ref5","author":"Bai","year":"2022","journal-title":"Constitutional ai: Harmlessness from ai feedback"},{"key":"ref6","article-title":"Safety-tuned llamas: Lessons from improving the safety of large language models that follow instructions","author":"Bianchi","year":"2024","journal-title":"ICLR"},{"key":"ref7","author":"Boreiko","year":"2024","journal-title":"A realistic threat model for large language model jailbreaks"},{"key":"ref8","author":"Brown","year":"2024","journal-title":"Self-evaluation as a defense against adversarial attacks on 11 ms"},{"key":"ref9","author":"Cao","year":"2025","journal-title":"Safedialbench: A fine-grained safety benchmark for large language models in multi-turn dialogues with diverse jailbreak attacks"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1007\/s10916-023-01925-4"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.52202\/079017-1745"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/SaTML64287.2025.00010"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.acl-long.1045"},{"key":"ref14","article-title":"Safe rlhf: Safe reinforcement learning from human feedback","author":"Dai","year":"2024","journal-title":"ICLR"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1038\/s41586-025-09422-z"},{"key":"ref16","article-title":"Multilingual jailbreak challenges in large language models","author":"Deng","year":"2024","journal-title":"ICLR"},{"key":"ref17","author":"Derczynski","year":"2024","journal-title":"garak: A framework for security probing large language models"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.naacl-long.118"},{"key":"ref19","article-title":"A comprehensive survey of attack techniques, implementation, and mitigation strategies in large language models","author":"Esmradi","year":"2023","journal-title":"UbiSec"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1037\/h0031619"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.acl-long.1233"},{"key":"ref22","volume-title":"Gemini-2.0-flash documents","year":"2025"},{"key":"ref23","author":"Grattafiori","year":"2024","journal-title":"The llama 3 herd of models"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.70777\/si.v2i3.15159"},{"key":"ref25","first-page":"16974","article-title":"Cold-attack: Jailbreaking 11 ms with stealthiness and controllability","volume-title":"ICML","author":"Guo","year":"2024"},{"key":"ref26","volume-title":"Concentration in the steel industry","author":"Herfindahl","year":"1997"},{"key":"ref27","author":"Huang","year":"2025","journal-title":"Dualbreach: Efficient dual-jailbreaking via target-driven initialization and multi-target optimization"},{"key":"ref28","author":"Hughes","year":"2024","journal-title":"Best-of-n jailbreaking"},{"key":"ref29","author":"Inan","year":"2023","journal-title":"Llama guard: Llmbased input-output safeguard for human-ai conversations"},{"key":"ref30","author":"Jaech","year":"2024","journal-title":"Openai o1 system card"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.52202\/079017-2884"},{"key":"ref32","author":"Jiang","year":"2023","journal-title":"Mistral 7b"},{"key":"ref33","article-title":"Artprompt: Ascii art-based jailbreak attacks against aligned 11 ms","author":"Jiang","year":"2024","journal-title":"ACL"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1016\/j.lindif.2023.102274"},{"key":"ref35","author":"Koulako","year":"2024","journal-title":"h4rm31: A dynamic benchmark of composable jailbreak attacks for llm safety assessment"},{"key":"ref36","article-title":"Certifying llm safety against adversarial prompting","author":"Kumar","year":"2024","journal-title":"COLM"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v39i26.34953"},{"key":"ref38","article-title":"One model transfer to all: On robust jailbreak prompts generation against 11 ms","author":"Li","year":"2025","journal-title":"ICLR"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-emnlp.813"},{"key":"ref40","author":"Li","year":"2023","journal-title":"Deepinception: Hypnotize large language model to be jailbreaker"},{"key":"ref41","volume-title":"Alpacaeval: An automatic evaluator of instruction-following models","author":"Li","year":"2023"},{"key":"ref42","article-title":"Amplegcg: Learning a universal and transferable generative model of adversarial suffixes for jailbreaking both open and closed 11ms","author":"Liao","year":"2024","journal-title":"COLM"},{"key":"ref43","author":"Liu","year":"2024","journal-title":"Deepseek-v3 technical report"},{"key":"ref44","author":"Liu","year":"2024","journal-title":"Jailjudge: A comprehensive jailbreak judge benchmark with multi-agent enhanced explanation evaluation framework"},{"key":"ref45","article-title":"AutoDAN-turbo: A lifelong agent for strategy self-exploration to jailbreak LLMs","author":"Liu","year":"2025","journal-title":"ICLR"},{"key":"ref46","article-title":"Autodan: Generating stealthy jailbreak prompts on aligned large language models","author":"Liu","year":"2024","journal-title":"ICLR"},{"key":"ref47","author":"Liu","year":"2025","journal-title":"Autort: Automatic jailbreak strategy exploration for red-teaming large language models"},{"key":"ref48","author":"Liu","year":"2024","journal-title":"Flipattack: Jailbreak 11 ms via flipping"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1561\/3300000051"},{"key":"ref50","first-page":"872","article-title":"You can\u2019t eat your cake and have it too: The performance degradation of 11 ms with jailbreak defense","author":"Mai","year":"2025","journal-title":"WWW"},{"key":"ref51","first-page":"35181","article-title":"Harmbench: A standardized evaluation framework for automated red teaming and robust refusal","author":"Mazeika","year":"2024","journal-title":"ICML"},{"key":"ref52","first-page":"61065","article-title":"Tree of attacks: Jailbreaking black-box 11 ms automatically","volume":"37","author":"Mehrotra","year":"2024","journal-title":"NIPS"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.52202\/079017-2049"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.52202\/079017-3910"},{"key":"ref55","year":"2022","journal-title":"Zvi Mowshowitz."},{"key":"ref56","author":"Lopez Munoz","year":"2024","journal-title":"Pyrit: A framework for security risk identification and red teaming in generative ai system"},{"key":"ref57","author":"Niu","year":"2024","journal-title":"Jailbreaking attack against multimodal large language model"},{"key":"ref58","volume-title":"gpt-3.5-turbo system card","year":"2023"},{"key":"ref59","volume-title":"How we think about safety and alignment","year":"2025"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.52202\/068431-2011"},{"key":"ref61","author":"Peng","year":"2024","journal-title":"Jailbreaking and mitigation of vulnerabilities in large language models"},{"key":"ref62","article-title":"Safety alignment should be made more than just a few tokens deep","author":"Qi","year":"2025","journal-title":"ICLR"},{"key":"ref63","volume-title":"Qwen-2.5-max technical report","year":"2025"},{"key":"ref64","author":"Ran","year":"2024","journal-title":"Jailbreakeval: An integrated toolkit for evaluating jailbreak attempts against large language models"},{"key":"ref65","article-title":"Tricking llms into disobedience: Formalizing, analyzing, and detecting jailbreaks","author":"Rao","year":"2023","journal-title":"LREC"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-acl.679"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.acl-long.1207"},{"key":"ref68","author":"Robey","year":"2023","journal-title":"Pappas. Smoothllm: Defending large language models against jailbreaking attacks"},{"key":"ref69","author":"Roziere","year":"2023","journal-title":"Code llama: Open foundation models for code"},{"key":"ref70","first-page":"2421","article-title":"Great, now write an article about that: The crescendo multi-turn 11 m jailbreak attack","author":"Russinovich","year":"2025","journal-title":"USENIX Security"},{"key":"ref71","author":"Shen","year":"2025","journal-title":"Pandaguard: Systematic evaluation of 11 m safety against jailbreaking attacks"},{"key":"ref72","first-page":"1671","article-title":"do anything now\u201d: Characterizing and evaluating in-thewild jailbreak prompts on large language models","author":"Shen","year":"2024","journal-title":"ACM SIGSAC"},{"key":"ref73","author":"Sitawarin","year":"2024","journal-title":"Pal: Proxy-guided black-box attack on large language models"},{"key":"ref74","first-page":"20166","article-title":"Trustllm: Trustworthiness in large language models","author":"Sun","year":"2024","journal-title":"ICML"},{"key":"ref75","first-page":"1","article-title":"Jailbreak attacks on large language models and possible defenses: Present status and future possibilities","author":"Surur","year":"2024","journal-title":"ISTAS"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.52202\/075280-1361"},{"key":"ref77","author":"Wang","year":"2024","journal-title":"Mrj-agent: An effective jailbreak agent for multi-round dialogue"},{"key":"ref78","first-page":"8696","article-title":"Hoi. Codet5: Identifier-aware unified pre-trained encoder-decoder models for code understanding and generation","author":"Wang","year":"2021","journal-title":"Association for Computational Linguistics (ACL)"},{"key":"ref79","author":"Wulf","year":"2024","journal-title":"Exploring the potential of large language models for automation in technical customer service"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1038\/s42256-023-00765-8"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.acl-long.303"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.52202\/079017-1012"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-acl.443"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1145\/3696410.3714654"},{"key":"ref85","author":"Yang","year":"2025","journal-title":"Qwen3 technical report"},{"key":"ref86","author":"Yang","year":"2024","journal-title":"Qwen2. 5 technical report"},{"key":"ref87","article-title":"Cannot see the forest for the trees: Invoking heuristics and biases to elicit irrational choices of 11 ms","author":"Yang","year":"2025","journal-title":"ICML"},{"key":"ref88","author":"Yang","year":"2025","journal-title":"Enhancing model defense against jailbreaks with proactive safety reasoning"},{"key":"ref89","author":"Yang","year":"2024","journal-title":"Benchmarking 11 m guardrails in handling multilingual toxicity"},{"key":"ref90","author":"Yi","year":"2024","journal-title":"Jailbreak attacks and defenses against large language models: A survey"},{"key":"ref91","author":"Yu","year":"2023","journal-title":"Gptfuzzer: Red teaming large language models with auto-generated jailbreak prompts"},{"key":"ref92","first-page":"4675","article-title":"Don\u2019t listen to me: Understanding and exploring jailbreak prompts of large language models","author":"Yu","year":"2024","journal-title":"USENIX Security"},{"key":"ref93","article-title":"Gpt-4 is too smart to be safe: Stealthy chat with 11 ms via cipher","author":"Yuan","year":"2023","journal-title":"ICLR"},{"key":"ref94","first-page":"14322","article-title":"How johnny can persuade llms to jailbreak them: Rethinking persuasion to challenge ai safety by humanizing 11 ms","author":"Zeng","year":"2024","journal-title":"ACL"},{"key":"ref95","author":"Zeng","year":"2024","journal-title":"Autodefense: Multi-agent 11 m defense against jailbreak attacks"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1145\/3715318"},{"key":"ref97","article-title":"Jbshield: defending large language models from jailbreak attacks through activated concept analysis and manipulation","author":"Zhang","year":"2025","journal-title":"USENIX Security"},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP49660.2025.10888812"},{"key":"ref99","author":"Zhang","year":"2025","journal-title":"Aisafetylab: A comprehensive framework for ai safety evaluation and improvement"},{"key":"ref100","author":"Zhang","year":"2024","journal-title":"From theft to bombmaking: The ripple effect of unlearning in defending against jailbreak attacks"},{"key":"ref101","article-title":"Cheating automatic 1lm benchmarks: Null models achieve high win rates","author":"Zheng","year":"2025","journal-title":"ICLR"},{"key":"ref102","author":"Zhou","year":"2025","journal-title":"Tempest: Autonomous multi-turn jailbreaking of large language models with tree search"},{"key":"ref103","author":"Zhou","year":"2024","journal-title":"Easyjailbreak: A unified framework for jailbreaking large language models"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.findings-acl.1294"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-emnlp.139"},{"key":"ref106","author":"Zizzo","year":"2025","journal-title":"Adversarial prompt evaluation: Systematic benchmarking of guardrails against prompt input attacks on 1 lms"},{"key":"ref107","doi-asserted-by":"publisher","DOI":"10.52202\/079017-2651"},{"key":"ref108","author":"Zou","year":"2023","journal-title":"Universal and transferable adversarial attacks on aligned language models"},{"key":"ref109","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2025.findings-acl.298"}],"event":{"name":"2026 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2026,5,18]]},"end":{"date-parts":[[2026,5,21]]}},"container-title":["2026 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/11573355\/11573356\/11573543.pdf?arnumber=11573543","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T05:34:47Z","timestamp":1782970487000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11573543\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,18]]},"references-count":109,"URL":"https:\/\/doi.org\/10.1109\/sp63933.2026.00107","relation":{},"subject":[],"published":{"date-parts":[[2026,5,18]]}}}