The Trojan Knowledge: Bypassing Commercial LLM Guardrails via Harmless Prompt Weaving and Adaptive Tree Search
特洛伊木马的知识：通过无害的提示编织和自适应树搜索绕过商业 LLM 防护措施

LLM Jailbreaking. We formally define LLM jailbreaking as an adversarial task. The threat model centers on an adversary attempting to achieve a Harmful Objective (h), which is a natural-language description of a forbidden goal drawn from a space of such objectives $\mathcal{H}$. The adversary is aiming to attack a Target LLM $\mathcal{M}_{\text{target}}$, which we define as a black-box function $\mathcal{M}_{\text{target}}:\mathcal{X}\mapsto\mathcal{Y}$ mapping inputs from the prompt space $\mathcal{X}$ to responses in the output space $\mathcal{Y}$. We mainly focus on advanced LLMs, treating them as black-box systems without access to internal parameters or training data, and we assume that $\mathcal{M}_{\text{target}}$ is equipped with robust safety guardrails designed to refuse requests corresponding to any $h\in\mathcal{H}$. To circumvent these defenses, the adversary employs an Attack Mechanism $\mathcal{A}$. We define $\mathcal{A}(h;\mathcal{M}_{\text{target}})$ in the most general sense as any process that, given a harmful objective $h$, interacts with the target model $\mathcal{M}_{\text{target}}$ (potentially over multiple rounds) to produce a final output $y_{\text{final}}\in\mathcal{Y}$. The success of this output is then evaluated by a Judge Function $J$, where $J:\mathcal{Y}\times\mathcal{H}\rightarrow\mathcal{R}$ assigns a score from a categorical evaluation space $\mathcal{R}$ (e.g., $\{\text{Success},\text{Failure}\}$) to $y_{\text{final}}$ based on its fulfillment of $h$.
LLM 越狱。 我们将 LLM 越狱正式定义为一个对抗性任务。威胁模型的核心是攻击者试图实现一个有害目标 (h) ，该目标是一个从目标空间 $\mathcal{H}$ 中选取的禁止目标的自然语言描述。攻击者的目标是攻击目标 LLM ℳtarget\mathcal{M}_{\text{target}}，我们将其定义为一个黑盒函数 $\mathcal{M}_{\text{target}}:\mathcal{X}\mapsto\mathcal{Y}$ ，它将提示空间 $\mathcal{X}$ 中的输入映射到输出空间 $\mathcal{Y}$ 中的响应。我们主要关注高级 LLM，将其视为无法访问内部参数或训练数据的黑盒系统，并假设 $\mathcal{M}_{\text{target}}$ 配备了强大的安全防护措施，旨在拒绝对应于任何 $h\in\mathcal{H}$ 的请求。为了绕过这些防御措施，攻击者采用了一种攻击机制 $\mathcal{A}$ 。我们将 $\mathcal{A}(h;\mathcal{M}_{\text{target}})$ 定义为最广义上的任何过程，该过程给定一个有害目标 $h$ ，并与目标模型 $\mathcal{M}_{\text{target}}$ （可能经过多轮）交互，以产生最终输出 $y_{\text{final}}\in\mathcal{Y}$ 。然后，由评判函数 $J$ 评估该输出的成功程度，其中 $J:\mathcal{Y}\times\mathcal{H}\rightarrow\mathcal{R}$ 根据 $y_{\text{final}}$ 是否满足 $h$ ，从分类评估空间 $\mathcal{R}$ （例如， $\{\text{Success},\text{Failure}\}$ ）中为其分配一个分数。

Jailbreaking as a Reasoning Directed Acyclic Graph (DAG) Exploration Problem. We conceptualize the jailbreak task as the construction and exploration of a reasoning DAG rooted in the target LLM’s implicit knowledge. Specifically, extracting a harmful answer from $\mathcal{M}_{\mathrm{target}}$ is modeled as traversing a latent graph $\mathcal{G}=(\mathcal{V},\mathcal{E})$, defined as follows:
越狱问题可视为推理有向无环图（DAG）探索问题。 我们将越狱任务概念化为构建和探索一个基于目标 LLM 隐含知识的推理 DAG 。具体而言，从 $\mathcal{M}_{\mathrm{target}}$ 中提取有害答案被建模为遍历一个潜在图 $\mathcal{G}=(\mathcal{V},\mathcal{E})$ ，其定义如下：

• •

  Nodes ($\mathcal{V}$): We view each node $v\in\mathcal{V}$ as representing a semantic equivalence class of a query–answer pair $(q,a)$. The set $\mathcal{V}$ comprises three types: (i) A root node $v_{0}$, corresponding to the initial harmful objective $h$, viewed as a special pair $(q=h,a=\varnothing)$. (ii) Intermediate nodes $v_{i}\in\mathcal{V}_{\mathrm{inter}}$, each representing an equivalence class of a implicit correlated knowledge in the form of query–response pair $(q,a)$ (e.g., $q=$ “What are the core components of a bomb?”, $a=$ “The core component of a modern bomb is TNT.”). (iii) A terminal answer node $v_{\mathrm{ans}}$, representing the synthesized harmful response satisfying $h$, modeled as a special pair $(q=\varnothing,a=a_{\text{harm}})$. Although $a_{\text{harm}}$ may be reachable through multiple distinct reasoning paths or combinations of intermediate subfacts, all such realizations belong to the same semantic equivalence class associated with the target harmful objective.

  Report issue for preceding element
  
  • 节点 ( $\mathcal{V}$ )：我们将每个节点 $v\in\mathcal{V}$ 视为查询-答案对 $(q,a)$ 的一个语义等价类。集合 $\mathcal{V}$ 包含三种类型：(i) 根节点 $v_{0}$ ，对应于初始有害目标 $h$ ，被视为一个特殊对 $(q=h,a=\varnothing)$ 。(ii) 中间节点 $v_{i}\in\mathcal{V}_{\mathrm{inter}}$ ，每个节点代表一个隐式相关知识的等价类，该知识以查询-响应对 $(q,a)$ 的形式呈现（例如， $q=$ “炸弹的核心部件是什么？”， $a=$ “现代炸弹的核心部件是 TNT。”）。(iii) 终端答案节点 $v_{\mathrm{ans}}$ ，代表满足 $h$ 的合成有害响应，建模为一个特殊对 $(q=\varnothing,a=a_{\text{harm}})$ 。尽管 $a_{\text{harm}}$ 可以通过多个不同的推理路径或中间子事实的组合到达，但所有这些实现都属于与目标有害目标关联的同一个语义等价类。
• •

  Edges ($\mathcal{E}$): These represent the inferential dependencies governing the exploration process. An edge $(v_{i}\to v_{j})$ signifies that the knowledge acquired at $v_{i}$ serves as a logical prerequisite or contextual foundation for formulating the query for $v_{j}$. Thus, traversing these edges delineates a coherent chain of progress toward the final malicious goal.

  Report issue for preceding element
  
  • 边（ $\mathcal{E}$ ）：这些边代表支配探索过程的推理依赖关系。边 $(v_{i}\to v_{j})$ 表示在 $v_{i}$ 获取的知识是构建查询 $v_{j}$ 的逻辑前提或上下文基础。因此，遍历这些边描绘出一条通往最终恶意目标的连贯路径。

Under this framework, any jailbreak mechanism $\mathcal{A}$ corresponds to discovering a path $\mathcal{P}=(v_{0}\rightarrow\cdots\rightarrow v_{\mathrm{ans}})$ within the latent reasoning DAG $\mathcal{G}$. Critically, within a knowledge-rich target LLM, $\mathcal{G}$ is densely connected, offering multiple distinct paths to reach $v_{\mathrm{ans}}$ (e.g., different chemical synthesis processes for TNT). However, because the adversary can only interact with $\mathcal{M}_{\mathrm{target}}$ through black-box queries, this latent DAG is not directly observable. Instead, each interaction conditionally expands a concrete reasoning trajectory based on previously elicited responses, implicitly unrolling the latent DAG into a tree-structured search space. As a result, the jailbreak process necessarily unfolds as a branching tree. This formulation naturally supports progressive decomposition, hypothesis branching, and selective exploration, properties that have long underpinned effective solutions in planning and search problems. Motivated by this insight, CKA-Agent explicitly operationalizes jailbreaking as a structured tree search process, systematically expanding and prioritizing reasoning branches through iterative interaction, thereby transforming abstract latent graph traversal into a tractable and controllable search procedure.
在此框架下，任何越狱机制 $\mathcal{A}$ 对应于在潜在推理有向无环图 $\mathcal{G}$ 中发现一条路径 $\mathcal{P}=(v_{0}\rightarrow\cdots\rightarrow v_{\mathrm{ans}})$ 。关键在于，在知识丰富的目标 LLM 中， $\mathcal{G}$ 是密集连接的，提供了多条到达 $v_{\mathrm{ans}}$ 的不同路径（例如，TNT 的不同化学合成工艺）。然而，由于攻击者只能通过黑盒查询与 $\mathcal{M}_{\mathrm{target}}$ 交互，因此该潜在 DAG 无法直接观察。相反，每次交互都会根据先前获得的响应有条件地扩展一条具体的推理轨迹，从而隐式地将潜在 DAG 展开成一个树状结构的搜索空间。因此，越狱过程必然会展开成一棵分支树。这种形式自然地支持渐进分解、假设分支和选择性探索，这些特性长期以来一直是规划和搜索问题有效解决方案的基础。受此启发，CKA-Agent 将越狱明确地操作化为一个结构化的树搜索过程，通过迭代交互系统地扩展和优先考虑推理分支，从而将抽象的潜在图遍历转化为一个易于处理和控制的搜索过程。

To explore the latent reasoning DAG $\mathcal{G}$, the CKA-Agent framework progressively constructs a dynamic search tree $\mathcal{T}$ that concretely maps the attack trajectory. Nodes (Knowledge States): Each node $v\in\mathcal{T}$ represents a specific state of acquired knowledge, encapsulating a semantic equivalence class of a query-response pair $(x_{v},y_{v})$ defined by a locally innocuous sub-query $x_{v}$ and the target LLM’s response $y_{v}$. Crucially, each node also maintains the complete ancestral trajectory from the root, providing the historical context necessary for reasoning, along with visit statistics (e.g., the number of times a node has been visited and its accumulated value estimate used for UCB-based selection) to guide the search algorithm. Edges (Expansion Actions): Connecting these nodes, an edge $(v,v^{\prime})$ signifies a directed exploration action: the agent’s decision to advance from state $v$ by formulating a new sub-query $x_{v^{\prime}}$ based on the information retrieved in $y_{v}$, thereby extending the reasoning chain closer to the harmful objective.
为了探索潜在推理有向无环图（DAG） $\mathcal{G}$ ，CKA-Agent 框架逐步构建动态搜索树 $\mathcal{T}$ ，该搜索树具体地映射了攻击轨迹。 节点（知识状态）： 每个节点 $v\in\mathcal{T}$ 代表一种特定的已获取知识状态，封装了由局部无害子查询 $x_{v}$ 和目标 LLM 的响应 $y_{v}$ 定义的查询-响应对 $(x_{v},y_{v})$ 的语义等价类。至关重要的是，每个节点还维护着从根节点开始的完整祖先轨迹，提供推理所需的历史上下文，以及访问统计信息（例如，节点的访问次数及其用于基于 UCB 的选择的累积值估计），以指导搜索算法。 边（扩展动作）： 连接这些节点的边 $(v,v^{\prime})$ 表示有向探索动作：智能体决定从状态 $v$ 出发，根据在 $y_{v}$ 中检索到的信息，制定新的子查询 $x_{v^{\prime}}$ ，从而扩展推理链，使其更接近有害目标。

The dynamic construction of $\mathcal{T}$ is orchestrated through the interaction of four core components. The Attack Agent (Dynamic Decomposer and Synthesizer): Serving as the central planning engine (typically powered by an open-source LLM), this module performs dynamic decompositions conditioned on the current node’s history to generate the next innocuous sub-query. Crucially, it employs an adaptive branching strategy to propose multiple potential correlated sub-queries (child nodes) in parallel. Upon determining that sufficient information has been gathered, the agent functions as a synthesizer $f_{\text{syn}}$, aggregating the accumulated “piece knowledge” along the current path into a candidate final answer $y_{\text{final}}=f_{\text{syn}}(\text{trajectory})$. The Target Model (Environment): The target LLM $\mathcal{M}_{\mathrm{target}}$ serves as the subject of the jailbreak attempt, characterized by its rich internal correlated knowledge. It receives the agent’s sub-queries and provides responses $y_{v}=\mathcal{M}_{\mathrm{target}}(x_{v})$ that serve as ground-truth “internal knowledge” that can be leveraged for the attacker’s subsequent planning. The Evaluator (Node Critic): To ensure efficient exploration, this module evaluates the quality of each intermediate node, specifically assessing both the generated sub-query and the corresponding target response. The evaluator is implemented as an additional LLM (in our experiments instantiated by the same model as the attacker) and assigns an immediate reward score $f_{v}\in\mathbb{R}$ to prioritize high-value branches for deeper exploration. The Online Judge: Distinct from the node critic, the judge function $J$ assesses the correctness of the synthesized final response. If the synthesis successfully fulfills the harmful objective, the judge signals termination; otherwise, the system initiates the next iteration of exploration.
$\mathcal{T}$ 的动态构建是通过四个核心组件的交互来实现的。 攻击代理（动态分解器和合成器）： 作为中央规划引擎（通常由开源 LLM 驱动），该模块根据当前节点的历史记录执行动态分解，以生成下一个无害的子查询。关键在于，它采用自适应分支策略并行地提出多个潜在的相关子查询（子节点）。在确定已收集到足够的信息后，代理充当合成器 $f_{\text{syn}}$ ，将沿当前路径累积的“碎片知识”聚合为候选最终答案 $y_{\text{final}}=f_{\text{syn}}(\text{trajectory})$ 。 目标模型（环境）： 目标 LLM $\mathcal{M}_{\mathrm{target}}$ 作为越狱尝试的对象，其特征在于其丰富的内部相关知识。它接收代理的子查询并提供响应 $y_{v}=\mathcal{M}_{\mathrm{target}}(x_{v})$ ，这些响应作为真实“内部知识”，可供攻击者用于后续规划。 评估器（节点评论器）： 为了确保高效探索，该模块评估每个中间节点的质量，具体而言，它会评估生成的子查询和相应的目标响应。评估器以附加的 LLM 形式实现（在我们的实验中，它由与攻击者相同的模型实例化），并立即分配一个奖励分数 $f_{v}\in\mathbb{R}$ ，以优先考虑高价值分支进行更深入的探索。 在线评判器： 与节点评判器不同，评判器函数 $J$ 评估合成的最终响应的正确性。如果合成成功实现了有害目标，评判器发出终止信号；否则，系统启动下一轮探索。

The CKA-Agent operationalizes the framework in Sec. 3.2 through an iterative algorithm that dynamically expands the search tree $\mathcal{T}$. Unlike traditional Monte Carlo Tree Search (MCTS), which relies on random rollouts, our approach performs a simulation-free exploration cycle: each iteration selects a promising frontier node via the Upper Confidence Bound for Trees (UCT) [kocsis2006bandit] and immediately executes a continuous depth-first expansion until a terminal state (node) is reached. This design ensures that every iteration produces an actionable outcome, i.e. either a successful synthesis candidate or a confirmed failure, before backpropagating statistics. The algorithm iterates until a successful jailbreak is achieved (verified by the online judge $J$), the maximum iteration limit $T_{\max}$ is reached, or the tree is fully explored. The complete process, illustrated in Fig. 2, consists of three coordinated steps (see App. A, Alg. 1 for the full algorithm).
CKA-Agent 通过迭代算法实现第 3.2 节所述的框架，该算法动态扩展搜索树 $\mathcal{T}$ 。与依赖随机展开的传统蒙特卡洛树搜索 (MCTS) 不同，我们的方法执行一个无需模拟的探索循环：每次迭代都通过树的置信上限 (UCT) [ kocsis2006bandit ] 选择一个有希望的前沿节点，并立即执行连续的深度优先扩展，直到到达终止状态（节点）。这种设计确保每次迭代在反向传播统计数据之前都能产生可操作的结果，即合成成功的候选节点或确认失败的节点。算法迭代执行，直到成功越狱（由在线评测系统 $J$ 验证）、达到最大迭代次数限制 $T_{\max}$ 或树被完全探索。如图 2 所示，整个过程包含三个协调的步骤（完整算法见附录 A ，算法 1 ）。

The reasoning DAG formulation ($\mathcal{G}$) provides a principled lens to categorize CKA-Agent as well as existing jailbreak mechanisms in Fig. 3, as outlined in what follows.
推理 DAG 公式 ( $\mathcal{G}$ ) 提供了一个原则性的视角，用于对 CKA-Agent 以及图 3 中现有的越狱机制进行分类，如下所述。

(i) POA: from the reasoning DAG point of view, POA methods bypass the intermediate correlated knowledge nodes $\mathcal{V}_{\text{inter}}$ and focus exclusively on identifying a direct edge $(v_{0},v_{\text{ans}})$. Whether relying on traditional algorithmic search or agentic refinement, the fundamental goal is to optimize a prompt $x^{*}$ that directly elicits $h$. By disregarding the graph’s internal structure and attempting to bridge the gap in a single semantic step, these methods require the malicious intent to be explicitly encoded in $x^{*}$, making this direct edge highly vulnerable to detection and filtering by modern guardrails.
(i) POA： 从推理 DAG 的角度来看，POA 方法绕过了中间的关联知识节点 $\mathcal{V}_{\text{inter}}$ ，而只专注于识别直接边 $(v_{0},v_{\text{ans}})$ 。无论是依赖传统的算法搜索还是智能体优化，其根本目标都是优化一个能够直接引出 $h$ 的提示 $x^{*}$ 。这些方法忽略了图的内部结构，试图通过单个语义步骤来弥合差距，因此需要将恶意意图显式编码在 $x^{*}$ 中，这使得这条直接边极易受到现代安全机制的检测和过滤。

(ii) Static DAs: this class of methods operates by having an attack agent directly decompose the harmful objective into a sequence of harmless sub-queries. In the DAG view, this corresponds to establishing a static linear reasoning chain based solely on the attacker’s priors. However, this paradigm suffers from a fundamental paradox: if an adversary possesses sufficient domain expertise to accurately factorize a specialized objective (e.g., complex chemical synthesis) into reliable sequential queries to the harmful objective, the jailbreak itself becomes redundant. Conversely, in the most critical scenarios where the attacker lacks this knowledge, they are unable to formulate the correct factorization into dependent queries towards the final objective, rendering the method ineffective. Moreover, due to the static nature of the path, if any single node is blocked, the entire chain collapses without the ability to adaptively reroute.
(ii) 静态 DA： 这类方法通过攻击者直接将有害目标分解为一系列无害子查询来实现。在 DAG 图中，这相当于仅基于攻击者的先验知识建立一条静态线性推理链。然而，这种范式存在一个根本性的悖论：如果攻击者拥有足够的领域知识，能够准确地将特定目标（例如，复杂的化学合成）分解为指向有害目标的可靠序列查询，那么越狱本身就变得多余。反之，在攻击者缺乏此类知识的最关键场景中，他们无法构建指向最终目标的正确分解，从而导致该方法失效。此外，由于路径的静态特性，如果任何一个节点被阻塞，整个链就会崩溃，而无法自适应地重新路由。

(iii) CKA-Agent: in contrast with the previous two methods, CKA-Agent treats the DAG as a dynamic structure, progressively “unrolling” the graph structure based on real-time feedback rather than adhering to a fixed plan. This allows the agent to explore multiple potential pathways simultaneously and adaptively reroute to alternative branches if specific edges are blocked, ensuring robust connectivity to $v_{\mathrm{ans}}$.
(iii) CKA-Agent： 与前两种方法不同，CKA-Agent 将 DAG 视为动态结构，根据实时反馈逐步“展开”图结构，而不是遵循固定的计划。这使得代理能够同时探索多条潜在路径，并在特定边被阻塞时自适应地重新路由到其他分支，从而确保与 $v_{\mathrm{ans}}$ 的稳健连接。

CKA-Agent Substantially Outperforms Baselines Against Models with Strong Guardrails. Tab. 1 shows that as alignment strengthens, prompt-optimization methods degrade sharply: Vanilla drops from 15.1% FS on Gemini-2.5-Flash to 0.8% on Claude-Haiku-4.5, and PAIR falls from 90.5% FS on Gemini-2.5-Pro to 3.2% on Claude-Haiku-4.5 (82.7% $\rightarrow$ 4.9% on StrongREJECT). Multi-turn variants such as ActorBreaker and X-Teaming follow the same pattern, collapsing entirely on the most robust models. These trends indicate that, despite architectural differences, prompt-centric attacks continue to leak detectable signals of malicious intent that modern guardrails reliably suppress. In contrast, decomposition-based approaches remain highly resilient: Multi-Agent Jailbreak sustains 76–82% FS across all targets, over a twenty-fold improvement relative to PAIR on the strongest model. CKA-Agent achieves the best performance overall, obtaining 96–98% FS on both HarmBench and StrongREJECT and improving upon Multi-Agent Jailbreak by 15–21 percentage points. Its advantage arises from adaptive decomposition, conditioning each sub-query on prior responses and dynamically exploring correlated knowledge paths, thereby uncovering successful trajectories that bypass intent-triggered defenses. Overall, these results reveal a key weakness in current safety mechanisms: while optimized harmful prompts are reliably detected, adaptive decompositions that diffuse intent across coherent yet individually innocuous interactions remain difficult for even the strongest aligned models to neutralize.
CKA-Agent 在对抗具有强大防护机制的模型时，性能显著优于基线模型。 表 1 显示，随着对齐程度的提高，基于提示的优化方法性能急剧下降：Vanilla 的 FS 率从 Gemini-2.5-Flash 上的 15.1% 下降到 Claude-Haiku-4.5 上的 0.8%，PAIR 的 FS 率从 Gemini-2.5-Pro 上的 90.5% 下降到 Claude-Haiku-4.5 上的 3.2%（在 StrongREJECT 上为 82.7% 至 4.9%）。ActorBreaker 和 X-Teaming 等多轮攻击变体也遵循同样的模式，在最稳健的模型上完全失效。这些趋势表明，尽管架构存在差异，但以提示为中心的攻击仍然会泄露可检测的恶意意图信号，而现代防护机制能够可靠地抑制这些信号。相比之下，基于分解的方法仍然具有很强的鲁棒性：Multi-Agent Jailbreak 在所有目标上均保持 76%–82% 的全误识别率 (FS)，比最强模型上的 PAIR 提高了二十倍以上。CKA-Agent 的整体性能最佳，在 HarmBench 和 StrongREJECT 上均达到 96%–98% 的 FS，比 Multi-Agent Jailbreak 提高了 15%–21% 的 FS。其优势源于自适应分解，它根据先前的响应对每个子查询进行条件化，并动态探索相关的知识路径，从而发现绕过意图触发防御的成功路径。总的来说，这些结果揭示了当前安全机制的一个关键缺陷：虽然优化的有害提示能够被可靠地检测到，但即使是最强的对齐模型也难以抵消将意图分散到连贯但个体无害的交互中的自适应分解。

Existing Prompt- and Representation-Level Defenses Largely Fail Against Decomposition-Based Jailbreaks. We evaluate three categories of inference-time defenses: (i) detection-based filters (Llama Guard-3 [dubey2024llama3herdmodels]); (ii) mutation-based defenses, which employ rephrasing or character-level perturbations; and (iii) representation-based defenses, such as Circuit Breaker [zou2024improving], which suppresses harmful outputs by intervening at the internal representation level. Given our black-box setting, we utilize the official Circuit Breaker model as a standalone guardrail and omit perplexity-based filtering [alon2023detecting] due to the lack of logit access. As shown in Fig. 4, detection-based defenses and Circuit Breaker significantly reduce the success of optimization-based attacks such as AutoDAN, PAIR, PAP, ActorBreaker and TAP, indicating that conspicuously adversarial prompts are often interceptable. Conversely, mutation-based defenses offer only modest protection because modern LLMs are highly robust to minor lexical changes. Crucially, all prompt-level defenses struggle against multi-turn, decomposition-based attacks including X-Teaming, Multi-Agent Jailbreak, and CKA-Agent. For these methods, individual sub-queries often appear benign and are distributed across multiple turns or agents, rendering defenses that operate on isolated prompts inherently limited. We also observe slight increases in attack success for certain methods, potentially because rephrasing bypasses detection or Llama Guard’s refusals encourage more strategic exploration. Among all methods, Circuit Breaker remains the most effective against CKA-Agent, largely due to its approach of remapping representations associated with harmful processes. Furthermore, Circuit Breaker is notably effective against TAP, aligning with findings in [zou2024improving], likely because TAP relies on surface-level transformations like synonym substitution or role-play rather than obfuscating the underlying harmful intent detected at the representation level. Nevertheless, while representation-level control outperforms pure prompt-level defenses, existing mechanisms remain inadequate for multi-turn scenarios due to their limited ability to aggregate signals and infer intent across conversational contexts. Potential defense directions are further discussed in Sec. 4.5.
现有的提示层和表征层防御机制大多无法抵御基于分解的越狱攻击。 我们评估了三类推理时防御机制：（i） 基于检测的过滤器（Llama Guard-3 [ dubey2024llama3herdmodels ] ）；（ii） 基于变异的防御机制，采用重述或字符级扰动；以及（iii） 基于表征的防御机制，例如 Circuit Breaker [ zou2024improving ] ，它通过在内部表征层进行干预来抑制有害输出。鉴于我们的黑盒环境，我们使用官方的 Circuit Breaker 模型作为独立的防护机制，并由于缺乏对数信息（logit）的访问而省略了基于困惑度的过滤机制 [ alon2023detecting ] 。如图 4 所示，基于检测的防御和断路器机制显著降低了基于优化的攻击（例如 AutoDAN、PAIR、PAP、ActorBreaker 和 TAP）的成功率，表明明显带有对抗性的提示通常可以被拦截。相反，基于变异的防御仅能提供有限的保护，因为现代语言学习模型（LLM）对微小的词汇变化具有很高的鲁棒性。至关重要的是，所有提示级别的防御都难以抵御多轮次、基于分解的攻击，例如 X-Teaming、Multi-Agent Jailbreak 和 CKA-Agent。对于这些方法，单个子查询通常看起来无害，并且分布在多个轮次或代理中，这使得针对孤立提示的防御措施本质上存在局限性。 我们还观察到某些方法的攻击成功率略有提高，这可能是因为改写绕过了检测，或者 Llama Guard 的拒绝促使攻击者进行更具策略性的探索。在所有方法中，Circuit Breaker 仍然是对抗 CKA-Agent 最有效的方法，这主要归功于其重映射与有害进程相关的表征的方法。此外，Circuit Breaker 对 TAP 也表现出显著的有效性，这与 [ zou2024improving ] 中的发现一致，这可能是因为 TAP 依赖于诸如同义词替换或角色扮演之类的表面转换，而不是混淆在表征层面检测到的潜在有害意图。然而，尽管表征层面的控制优于纯粹的提示层面防御，但由于现有机制在聚合信号和推断跨对话上下文的意图方面的能力有限，因此仍然不足以应对多轮对话场景。潜在的防御方向将在第 4.5 节中进一步讨论。

Adaptive Branching Enables Progressive Improvement and Robustness. To assess the impact of adaptive branching, Fig. 5 reports cumulative success rates over up to five iterations for each dataset–model pair, with inset bar charts showing per-iteration gains. CKA-Agent achieves remarkably strong first-iteration performance (typically 80–95%), reflecting the effectiveness of its design: the agent leverages informative target feedback to guide branching, and the hybrid evaluator, combining introspection and target-feedback scores, reliably distinguishes meaningful knowledge extraction from refusals or low-information responses. Yet a single iteration is insufficient for a nontrivial subset of cases: some sub-queries may be flagged as borderline risky, while others yield incomplete content that cannot be synthesized. Adaptive branching remedies these failure modes. When synthesis fails, the UCT selection policy (Eq. 1) launches a new trajectory from the most promising unexplored node, bypassing blocked paths or filling missing knowledge. This iterative refinement produces steady gains: the second iteration adds 6–12% to the success rate, with later iterations providing smaller but still meaningful improvements. Across all dataset–model combinations, 92–95% of final successes occur within the first two iterations, confirming both the efficiency of the initial branching and the value of adaptive recovery. These results underscore that the tree-structured search is a central driver of robustness.
自适应分支实现了渐进式改进和鲁棒性。 为了评估自适应分支的影响，图 5 展示了每个数据集-模型组合最多五次迭代的累积成功率，插图柱状图显示了每次迭代的增益。CKA-Agent 在首次迭代中取得了非常出色的性能（通常为 80-95%），这反映了其设计的有效性：该代理利用信息丰富的目标反馈来指导分支，而结合了内省和目标反馈分数的混合评估器能够可靠地区分有意义的知识提取与拒绝或低信息响应。然而，对于相当一部分情况，单次迭代是不够的：一些子查询可能被标记为风险临界值，而另一些子查询则产生无法合成的不完整内容。自适应分支可以解决这些失败模式。当合成失败时，UCT 选择策略（公式 1 ）会从最有希望的未探索节点启动一条新的路径，绕过阻塞路径或填补缺失的知识。这种迭代改进带来了稳步提升：第二次迭代使成功率提高了 6% 至 12%，后续迭代虽然提升幅度较小，但仍然意义重大。在所有数据集-模型组合中，92% 至 95% 的最终成功都发生在最初两次迭代中，这既证实了初始分支的有效性，也体现了自适应恢复的价值。这些结果强调了树状结构搜索是模型鲁棒性的核心驱动因素。

CKA-Agent Demonstrates Superior Cost-Performance Trade-offs. We further examine the relationship between attack performance and resource consumption, measured by the number of API calls and total token usage per sample (including both target and judge models). Fig. 6 reports the results on Gemini-2.5-Flash. Across both API and token efficiency metrics, CKA-Agent achieves the highest attack success rate while maintaining moderate cost, clearly outperforming all baselines. This reflects the efficiency of its adaptive branching, which minimizes redundant queries and focuses exploration on promising knowledge paths. In contrast, other approaches either sacrifice performance to reduce cost or expend far more API calls and tokens without matching CKA-Agent’s effectiveness. Full results for other target models are provided in App. B.2.
CKA-Agent 展现出卓越的性价比。 我们进一步研究了攻击性能与资源消耗之间的关系，资源消耗以每个样本的 API 调用次数和总令牌使用量来衡量（包括目标模型和评判模型）。图 6 展示了在 Gemini-2.5-Flash 上的结果。在 API 和令牌效率指标方面，CKA-Agent 在保持适中成本的同时实现了最高的攻击成功率，明显优于所有基线方法。这反映了其自适应分支的高效性，该分支最大限度地减少了冗余查询，并将探索重点放在有希望的知识路径上。相比之下，其他方法要么为了降低成本而牺牲性能，要么消耗更多的 API 调用次数和令牌，却无法达到 CKA-Agent 的效率。其他目标模型的完整结果见附录 B.2 。

To assess the calibration of our LLM-as-Judge ASR metric, we recruited ten doctoral researchers specializing in Electrical Engineering and Computer Science (EECS) to conduct a human evaluation study. The study employed a between-subjects design on 40 randomly sampled prompt–response pairs (10 per category: FS, PS, V, R), with the evaluation session lasting two hours per annotator. Five annotators evaluated the pairs using only the prompt and response (No Reasoning Provided), while a distinct group of five evaluators assessed the same items with access to the judge model’s reasoning (With Reasoning Provided). As shown in Fig. 7, alignment with the LLM judge increases substantially, from a Spearman correlation of 0.52 in Condition 1 to 0.90 in Condition 2. Crucially, the high variance observed in the No Reasoning setting aligns with our dataset design, which intentionally targets high-stakes domains requiring specialized knowledge (e.g., Chemistry, Biology). Since our evaluators possess deep expertise in EECS but lack specific domain knowledge in these external fields, they exhibited difficulty and a leniency bias when assessing the technical actionability of the responses without guidance. Providing the judge model’s analytical reasoning effectively bridges this domain gap, leading human annotators to evaluations that closely track the LLM’s assessments. These findings confirm that when supported by relevant domain reasoning, the judge model aligns closely with expert human judgment.
为了评估我们基于 LLM 作为评判者的 ASR 指标的校准情况，我们招募了十位电气工程与计算机科学（EECS）领域的博士研究生进行人工评估研究。该研究采用被试间设计，选取了 40 个随机抽取的提示-反应对（每个类别 10 个：FS、PS、V、R），每位标注者的评估时间为两小时。五位标注者仅使用提示和反应进行评估（ 不提供推理 ），而另外五位评估者则在了解评判模型推理的情况下评估相同的项目（ 提供推理 ）。如图 7 所示，与 LLM 评判者的一致性显著提高，Spearman 相关系数从条件 1 的 0.52 提高到条件 2 的 0.90。至关重要的是，在 “不提供推理” 设置下观察到的高方差与我们的数据集设计相符，该数据集特意针对需要专业知识的高风险领域（例如，化学、生物学）。由于我们的评估人员在电子工程与计算机科学（EECS）领域拥有深厚的专业知识，但在这些外部领域缺乏具体的专业知识，因此在没有指导的情况下评估回复的技术可行性时，他们表现出困难和宽容倾向。提供评判模型的分析推理有效地弥合了这一领域知识鸿沟，使人工标注者的评估结果与 LLM 的评估结果高度一致。这些发现证实，在相关领域推理的支持下，评判模型与专家的判断高度吻合。

The “Knowledge Gap” in Jailbreak Research. A critical, yet often overlooked, factor in existing jailbreak literature is the reliance on the attack agent’s prior knowledge. Leading baselines, such as Multi-Agent Jailbreak, typically depend on the attacker possessing sufficient domain expertise to construct a successful query-decomposition plan a priori. This assumption, however, fails to capture the practical high-stakes scenario where an adversary lacks specific expertise and must extract it from a more capable target model. To investigate this, we revisit the comparison with the Multi-Agent Jailbreak baseline in Table 1. Crucially, both Multi-Agent Jailbreak and CKA-Agent utilize the same underlying model (Qwen3-32B-abliterated) as the attack agent. The key distinction lies in the information source: While Multi-Agent Jailbreak relies on the attacker’s pre-existing knowledge to statically decompose the objective, CKA-Agent dynamically leverages the target model’s responses to guide exploration. The substantial performance gap (15 percentage improvement on Claude-Haiku-4.5 from Multi-Agent Jailbreak to by CKA-Agent) strongly indicates that relying solely on attacker priors is brittle, whereas leveraging the target’s internal knowledge is crucial.
越狱研究中的“知识鸿沟”。 现有越狱文献中一个关键但常被忽视的因素是对攻击主体先验知识的依赖。诸如多智能体越狱（Multi-Agent Jailbreak）等主流基线方法通常依赖于攻击者拥有足够的领域专业知识，以便预先构建成功的查询分解计划。然而，这种假设无法反映实际的高风险场景，即攻击者缺乏特定领域的专业知识，必须从更强大的目标模型中提取信息。为了探究这一点，我们重新审视了表 1 中与多智能体越狱基线方法的比较。关键在于，多智能体越狱和 CKA-Agent 都使用相同的底层模型（Qwen3-32B-abliterated）作为攻击主体。二者的主要区别在于信息来源：多智能体越狱依赖于攻击者预先存在的知识来静态分解目标，而 CKA-Agent 则动态地利用目标模型的响应来指导探索。显著的性能差距（从多智能体越狱到 CKA-Agent 在 Claude-Haiku-4.5 上提高了 15%）强烈表明，仅仅依靠攻击者的先验知识是脆弱的，而利用目标的内部知识至关重要。

Quantifying the Oracle Effect (Table 2). To rigorously verify that CKA-Agent extracts new knowledge rather than merely recalling the attacker’s internal priors, we quantified the specific contribution of the target interaction. We conducted an ablation study comparing the attack agent’s standalone capability to satisfy harmful objectives (“Self Response”) against the full CKA-Agent system. As shown in Table 2, a pronounced divergence exists. While the attack agent can independently solve a subset of queries, a significant fraction of instances (e.g., 26 on Gemini-2.5-Pro, 27 on GPT-oss) are successfully resolved only when interacting with the target model (“CKA Only”). In contrast, cases where the attacker possesses knowledge that the combined system fails to utilize (“Self Only”) are negligible (2–3 instances). This confirms that the target model functions as an indispensable knowledge oracle, enabling CKA-Agent to bridge the expertise gap and solve complex objectives that lie strictly beyond its standalone capabilities.
量化预言机效应（表 2 ）。 为了严格验证 CKA-Agent 能够提取新知识而非仅仅回忆攻击者的内部先验知识，我们量化了目标交互的具体贡献。我们进行了一项消融实验，比较了攻击代理独立满足有害目标的能力（“自身响应”）与完整的 CKA-Agent 系统。如表 2 所示，两者存在显著差异。虽然攻击代理可以独立解决一部分查询，但相当一部分实例（例如，Gemini-2.5-Pro 上的 26 个实例，GPT-oss 上的 27 个实例） 只有在与目标模型交互时才能成功解决（“仅 CKA”）。相比之下，攻击者拥有组合系统未能利用的知识的情况（“仅自身”）可以忽略不计（2-3 个实例）。这证实了目标模型发挥着不可或缺的知识预言家的作用，使 CKA-Agent 能够弥合专业知识差距，并解决严格超出其独立能力范围的复杂目标。

We further posit that CKA-Agent serves as a critical diagnostic framework for studying a fundamental limitation in current alignment: the inability to infer malicious intent when it is semantically distributed across a sequence of innocuous turns. While prior decomposition studies often leverage cross-session attacks to evade history tracking mechanisms, such settings deliberately obscure the model’s inherent multi-turn reasoning capabilities by introducing memory loss as a confounding variable. To rigorously evaluate whether aligned models can detect malicious users when given maximal visibility, we propose the single-session CKA-Agent-Branch as a stress test for intent aggregation. In this setting, each sub-query is submitted alongside the entire conversation history of the current branch. This effectively simulates a context-aware defense where the model has “perfect memory.” Further, we introduce CKA-Agent-Primed, where we explicitly instruct the target model to be aware that a collection of benign sub-queries within the current branch may collectively encode a latent malicious intent. Table 3 validates the utility of this framework. Even with full history visibility in CKA-Agent-Branch, the attack maintains Full Success rates exceeding 92% on Gemini and Claude models. Remarkably, introducing explicit warnings (CKA-Agent-Primed) yields only a modest defense improvement, with success rates dropping by approximately 10% on these models. This limited reduction indicates that heightened awareness alone is insufficient. Furthermore, while GPT-oss exhibits stronger baseline resistance in the Branch setting, the additional explicit prompts provide limited marginal gains, leaving the model vulnerable in over 73% / 82% of cases. This consistently high failure rate across all evaluated models exposes a structural deficiency: current alignment processes fine-tune models to detect atomic harmful prompts, but fail to instill the capability to aggregate intent over extended dialogs. This observation echoes the previous studies [zhou2024speak, liu2024lost, laban2025llms]. Consequently, we argue that CKA-Agent-Branch and CKA-Agent-Primed provide robust testbeds for future research, distinguishing between simple pattern matching and genuine, long-horizon intent understanding.
我们进一步提出，CKA-Agent 可作为研究当前对齐机制根本局限性的关键诊断框架：即当恶意意图语义分散在一系列看似无害的对话轮次中时，无法推断其存在。虽然以往的分解研究通常利用跨会话攻击来规避历史跟踪机制，但这种设置通过引入记忆丢失这一混淆变量，刻意掩盖了模型固有的多轮推理能力。为了严格评估对齐模型在最大可见性下是否能够检测出恶意用户，我们提出了单会话 CKA-Agent-Branch 作为意图聚合的压力测试。在该设置中，每个子查询都与当前分支的完整对话历史一起提交。这有效地模拟了一种上下文感知防御机制，其中模型拥有“完美记忆”。此外，我们引入了 CKA-Agent-Primed ，其中我们明确指示目标模型意识到当前分支中的一组良性子查询可能共同编码了潜在的恶意意图。表 3 验证了该框架的有效性。即使在 CKA-Agent-Branch 中拥有完整的历史记录可见性，该攻击在 Gemini 和 Claude 模型上的完全成功率仍然超过 92%。值得注意的是，引入显式警告（ CKA-Agent-Primed ）仅带来有限的防御改进，在这些模型上的成功率下降了约 10%。这种有限的降低表明，仅提高安全意识是不够的。 此外，虽然 GPT-oss 在 Branch 场景下表现出更强的基线抵抗能力，但额外的显式提示带来的边际收益有限，导致模型在超过 73%/82% 的情况下仍然容易受到攻击。所有评估模型中持续存在的高失败率暴露出一个结构性缺陷：当前的对齐过程虽然能够微调模型以检测原子级的有害提示，但却无法赋予模型在扩展对话中聚合意图的能力。这一观察结果与之前的研究 [ zhou2024speak , liu2024lost , laban2025llms ] 相呼应。 因此，我们认为 CKA-Agent-Branch 和 CKA-Agent-Primed 为未来的研究提供了强大的测试平台，能够区分简单的模式匹配和真正的模式匹配。长期意图理解。