Workflow
LLM越狱攻击的威胁被系统性高估? 基于分解式评分的「越狱评估新范式」出炉
机器之心·2025-10-12 04:05

Core Viewpoint - The article introduces JADES, a new framework for evaluating jailbreak attacks, developed by researchers from CISPA, Flexera, and Xi'an Jiaotong University, which aims to provide a more accurate assessment by using a decompositional scoring mechanism instead of traditional holistic evaluation methods [4][5][6]. Current Limitations of Jailbreak Assessment - Accurate evaluation of jailbreak attacks is challenging due to the open-ended nature of harmful questions, making it difficult to establish a unified success standard [10]. - Existing automated evaluation methods suffer from two core flaws: misaligned proxy indicators leading to false positives, and holistic evaluation strategies that obscure the details of responses [11][12]. JADES Framework - JADES automates the analytic scoring logic used by human experts, ensuring granularity and reliability in assessments through a multi-agent collaborative process [12]. - The framework consists of four collaborative nodes: 1. Question Decomposition Node: Breaks down harmful questions into weighted sub-questions [12]. 2. Response Preprocessing Node: Cleans the original jailbreak response to reduce complexity [16]. 3. Sub-Question Pairing Node: Extracts relevant sentences from the cleaned response for each sub-question [17]. 4. Evaluation Node: Scores each sub-answer using a five-point Likert scale and aggregates the scores to determine overall success [18]. Performance Evaluation - Researchers created a benchmark dataset, JailbreakQR, consisting of 400 pairs of harmful questions and jailbreak responses, to validate JADES [20]. - JADES revealed that previous assessment methods systematically overestimated the success rates of jailbreak attacks, with the success rate for LAA attacks on GPT-3.5-Turbo dropping from 93% to 69% under JADES [24]. - In binary classification, JADES achieved 98.5% consistency with human evaluators, while in a more challenging ternary classification, it maintained an accuracy of 86.3% [26]. - The introduction of a new metric, Success Rate/Attack Success Rate (SR/ASR), indicated that the proportion of fully successful cases was less than 0.25, suggesting that many attacks labeled as successful were actually only partially successful [27]. Conclusion - The JADES framework establishes a transparent, reliable, and auditable standard for jailbreak assessment, revealing systemic biases in current evaluation methods and providing a more effective tool for the field [28].