inject_distractor operator achieves 0.00 mean reward on instruction-following seeds vs. 0.80–1.00 on reasoning/tool-use
Auto-published from arXiv:2606.24589 by the mine-arxiv pipeline. Reviewed by an LLM judge (Sonnet) against the archive bar — see CONTRIBUTING. Notes: cleared review (confidence 0.82, flags: [no-prompt-excerpt])
Category
other
Model
Llama 3.1 8B Instant (Groq)
Surface
API
Setup
AdversaBench applies the inject_distractor operator — which adds a plausible but misleading constraint to the seed prompt — across three categories: reasoning (15 seeds), instruction-following (15 seeds), and tool-use (15 seeds). The operator is selected by an epsilon-greedy bandit (ε=0.2) during multi-iteration attack search. The paper does not publish verbatim distractor-injected prompts; the mutation code is available at https://github.com/khanak0509/AdversaBench.
Observed behavior
inject_distractor achieved a mean reward of 0.00 on instruction-following seeds (i.e., it never produced a confirmed failure in that category) but achieved 0.80–1.00 mean reward on reasoning and tool-use seeds. Instruction-following seeds also required 2.4 average attacker iterations to break versus 1.1 for the other categories, and showed 33% judge panel disagreement rate versus 0% for reasoning.
Expected behavior
An operator that reliably introduces confusion should produce comparable failure rates across task categories if model robustness is uniform. Category-specific immunity to a specific operator suggests that instruction-following tasks have a structurally different failure surface that distractor injection does not exploit.
Reproducibility
medium
Threat model
Red-team practitioners and safety evaluators who apply a fixed set of adversarial mutation operators uniformly across task categories risk systematically under-testing instruction-following robustness, producing a false sense of coverage. Automated red-teaming pipelines with operator selection tuned on reasoning benchmarks will generate biased difficulty estimates when applied to deployment contexts dominated by instruction-following tasks.
Novelty
Quantifies a sharp, category-conditioned effectiveness cliff for a common red-teaming operator class, showing binary failure-rate aggregates mask a 2.4x iteration-cost disparity — a concrete calibration failure for automated safety evaluations that pool across task types.
Source
- arXiv: 2606.24589
- PDF: https://arxiv.org/pdf/2606.24589
- Categories: cs.AI, cs.CL
- Authors: Khanak Khandelwal (Indian Institute of Technology Jodhpur)
Triage notes (auto)
- paperType:
red-team-vuln - estimatedCaseCount: 3
- triage reason: Automated red-teaming pipeline generating 45 confirmed model-level failures across reasoning, instruction-following, and tool-use via structured mutation operators; reproducible methodology with open code, dataset, and observable behaviors.
0 comments
─────────────────────────────────────────────────────────────────────
// no comments yet