← Back to Library

Pattern Enhanced Multi-Turn Jailbreaking: Exploiting Structural Vulnerabilities in Large Language Models

Authors: Ragib Amin Nihal, Rui Wen, Kazuhiro Nakadai, Jun Sakuma

Published: 2025-10-09

arXiv ID: 2510.08859v1

Added to Library: 2025-10-13 12:01 UTC

Red Teaming

📄 Abstract

Large language models (LLMs) remain vulnerable to multi-turn jailbreaking attacks that exploit conversational context to bypass safety constraints gradually. These attacks target different harm categories (like malware generation, harassment, or fraud) through distinct conversational approaches (educational discussions, personal experiences, hypothetical scenarios). Existing multi-turn jailbreaking methods often rely on heuristic or ad hoc exploration strategies, providing limited insight into underlying model weaknesses. The relationship between conversation patterns and model vulnerabilities across harm categories remains poorly understood. We propose Pattern Enhanced Chain of Attack (PE-CoA), a framework of five conversation patterns to construct effective multi-turn jailbreaks through natural dialogue. Evaluating PE-CoA on twelve LLMs spanning ten harm categories, we achieve state-of-the-art performance, uncovering pattern-specific vulnerabilities and LLM behavioral characteristics: models exhibit distinct weakness profiles where robustness to one conversational pattern does not generalize to others, and model families share similar failure modes. These findings highlight limitations of safety training and indicate the need for pattern-aware defenses. Code available on: https://github.com/Ragib-Amin-Nihal/PE-CoA

🔍 Key Points

  • Proposed a novel framework called Pattern Enhanced Chain of Attack (PE-CoA) to exploit structural vulnerabilities in Large Language Models (LLMs) through specific conversational patterns.
  • Introduced five patterns for constructing multi-turn jailbreaking attacks, demonstrating how different models exhibit distinct vulnerability profiles based on these patterns.
  • Conducted extensive empirical evaluations across twelve LLMs and ten harm categories, achieving state-of-the-art performance in identifying vulnerabilities and demonstrating that robustness does not generalize across conversational patterns.
  • Found that targeted finetuning against specific conversation patterns can significantly reduce vulnerability to those patterns but does not generalize broadly to others, revealing the need for tailored defense strategies.
  • Analyzed the interactions between conversation patterns and harm categories, providing insights into how model response behavior varies, suggesting combinatorial vulnerabilities that require complex defensive approaches.

💡 Why This Paper Matters

This paper contributes significantly to understanding the structural weaknesses of LLMs, emphasizing the critical role of conversation patterns in multi-turn interactions. By introducing PE-CoA, it not only sets a new benchmark for effective jailbreaking methods but also underscores the need for robust defenses that are specifically designed to address identified vulnerabilities. These contributions are vital for improving the safety and reliability of LLM applications across various domains.

🎯 Why It's Interesting for AI Security Researchers

This paper is crucial for AI security researchers as it opens new avenues for exploring vulnerabilities in LLMs, particularly in the context of adversarial attacks. By presenting a systematic approach to jailbreaking that leverages conversational dynamics, it equips researchers with insights and methodologies to better understand, anticipate, and mitigate the risks associated with these advanced models. The findings also highlight the limitations of current safety systems, calling for innovative defense strategies that can effectively combat the emerging threats posed by sophisticated multi-turn dialogue manipulation.

📚 Read the Full Paper

📄 View on arXiv 📎 Download PDF