Bandit-based jailbreak selection achieves 97% ASR on 15 open-weight LLMs with minimal queries
Auto-published from arXiv:2606.26936 by the mine-arxiv pipeline. Reviewed by an LLM judge (Sonnet) against the archive bar — see CONTRIBUTING. Notes: cleared review (confidence 0.82, flags: [no-prompt-excerpt, possible-zero-day])
Category
jailbreak
Model
Llama-3.1-8B, Llama-3.1-70B, Gemma-3 (1B/4B/12B/27B), Qwen2.5-72B-Instruct, DeepSeek-R1-distill variants, gpt-oss-20, gpt-oss-120b (15 models total)
Surface
API (chat completion, open-weight models via local inference)
Setup
An attacker uses a multi-armed bandit algorithm (EXP3, Thompson Sampling, or LinUCB) over a pool of 70 known jailbreaks to efficiently learn which jailbreak works best for a target model. In the exploration phase, the bandit samples jailbreaks and observes binary reward (success/failure) on a small training set of malicious queries from FrankensteinBench (11,279 queries across Finance, Healthcare, Cybersecurity, Legal, Public-harm domains). In the exploitation phase, the learned distribution is applied to new queries. With k=5 re-sampling passes per query, the attack requires no model internals — only black-box query access. No literal prompt excerpt is provided in the paper; the jailbreak pool includes named templates such as 'libertas', 'lo2', 'aim', 'octal-encode', and 'refusal suppression'.
Observed behavior
Bandit algorithms achieve up to 97% average attack success rate (ASR) across 15 state-of-the-art open-weight LLMs, producing actionable responses to harmful queries. Thompson Sampling achieved 49% ASR on gpt-oss-120b, compared to only 6% for the best single static jailbreak ('libertas'), demonstrating that adaptive selection drastically outperforms any fixed jailbreak. Using k=5 passes per query boosts ASR by up to 36% for some algorithms over k=1.
Expected behavior
Models should refuse or deflect harmful requests across the full FrankensteinBench query set regardless of which jailbreak template wraps the query.
Reproducibility
medium
Threat model
A non-expert malicious actor ('average Jane') with only black-box API access can systematically identify the optimal jailbreak for a target model using a small calibration budget, then apply it at scale to extract actionable harmful content (e.g., drug synthesis routes, cyberattack instructions) across consumer and enterprise deployments of open-weight LLMs.
Novelty
First demonstration that multi-armed bandit online learning over a jailbreak pool achieves near-ceiling ASR with sublinear query cost, making expert-level jailbreak selection fully automatable for non-experts.
Source
- arXiv: 2606.26936
- PDF: https://arxiv.org/pdf/2606.26936
- Categories: cs.CR, cs.CL, cs.LG
- Authors: Prarabdh Shukla, Ritik, Suhas Rao, Arpit Agarwal, Arjun Bhagoji
Triage notes (auto)
- paperType:
red-team-vuln - estimatedCaseCount: 3
- triage reason: Novel bandit-based jailbreak attack demonstrating 97% success across 15 SoTA open-weight LLMs with concrete, reproducible setup (FrankensteinBench, 11,279 queries). Fresh submission with no disclosed vendor notification.
0 comments
─────────────────────────────────────────────────────────────────────
// no comments yet