← Back to Library

Active Honeypot Guardrail System: Probing and Confirming Multi-Turn LLM Jailbreaks

Authors: ChenYu Wu, Yi Wang, Yang Liao

Published: 2025-10-16

arXiv ID: 2510.15017v1

Added to Library: 2025-10-20 04:02 UTC

Red Teaming

📄 Abstract

Large language models (LLMs) are increasingly vulnerable to multi-turn jailbreak attacks, where adversaries iteratively elicit harmful behaviors that bypass single-turn safety filters. Existing defenses predominantly rely on passive rejection, which either fails against adaptive attackers or overly restricts benign users. We propose a honeypot-based proactive guardrail system that transforms risk avoidance into risk utilization. Our framework fine-tunes a bait model to generate ambiguous, non-actionable but semantically relevant responses, which serve as lures to probe user intent. Combined with the protected LLM's safe reply, the system inserts proactive bait questions that gradually expose malicious intent through multi-turn interactions. We further introduce the Honeypot Utility Score (HUS), measuring both the attractiveness and feasibility of bait responses, and use a Defense Efficacy Rate (DER) for balancing safety and usability. Initial experiment on MHJ Datasets with recent attack method across GPT-4o show that our system significantly disrupts jailbreak success while preserving benign user experience.

🔍 Key Points

  • Introduction of a honeypot-based proactive guardrail system for LLMs which transforms risk avoidance into risk exploitation.
  • Novel Honeypot Utility Score (HUS) metric to evaluate the effectiveness of bait responses in discerning malicious user intent while balancing safety and usability.
  • The system significantly outperforms existing passive rejection strategies, achieving a Defense Efficacy Rate (DER) of 98.05% on the MHJ Dataset compared to 19.96% for current defenses like ChatGPT-4o.
  • Utilization of a bait LLM that generates non-executable yet attractive decoy questions to elicit revealing user behaviors over multi-turn interactions.
  • Implementation of a response filter that ensures primary responses do not disclose executable harmful information while appearing contextually relevant to benign users.

💡 Why This Paper Matters

This paper presents significant advancements in LLM security by introducing an innovative honeypot guardrail system that effectively mitigates multi-turn jailbreak attacks. By converting potential vulnerabilities into proactive defenses, the proposed methods not only enhance security but also improve user experience for legitimate users. The establishment of new metrics like the Honeypot Utility Score propels forward our ability to measure and understand defense effectiveness, making this work a vital contribution to the field.

🎯 Why It's Interesting for AI Security Researchers

This paper is particularly relevant to AI security researchers as it addresses the growing concern of multi-turn jailbreak attacks targeting large language models. By proposing a proactive defense mechanism, it shifts the landscape of AI safety from reactive to proactive strategies. The methods developed can be applicable not only to LLMs but potentially to various types of generative models facing adversarial threats, thus broadening the impact of this research beyond just language processing.

📚 Read the Full Paper

📄 View on arXiv 📎 Download PDF