← Back to Library

TrailBlazer: History-Guided Reinforcement Learning for Black-Box LLM Jailbreaking

Authors: Sung-Hoon Yoon, Ruizhi Qian, Minda Zhao, Weiyue Li, Mengyu Wang

Published: 2026-02-06

arXiv ID: 2602.06440v1

Added to Library: 2026-02-09 03:01 UTC

Red Teaming

📄 Abstract

Large Language Models (LLMs) have become integral to many domains, making their safety a critical priority. Prior jailbreaking research has explored diverse approaches, including prompt optimization, automated red teaming, obfuscation, and reinforcement learning (RL) based methods. However, most existing techniques fail to effectively leverage vulnerabilities revealed in earlier interaction turns, resulting in inefficient and unstable attacks. Since jailbreaking involves sequential interactions in which each response influences future actions, reinforcement learning provides a natural framework for this problem. Motivated by this, we propose a history-aware RL-based jailbreak framework that analyzes and reweights vulnerability signals from prior steps to guide future decisions. We show that incorporating historical information alone improves jailbreak success rates. Building on this insight, we introduce an attention-based reweighting mechanism that highlights critical vulnerabilities within the interaction history, enabling more efficient exploration with fewer queries. Extensive experiments on AdvBench and HarmBench demonstrate that our method achieves state-of-the-art jailbreak performance while significantly improving query efficiency. These results underscore the importance of historical vulnerability signals in reinforcement learning-driven jailbreak strategies and offer a principled pathway for advancing adversarial research on LLM safeguards.

🔍 Key Points

  • Introduction of TrailBlazer, a history-guided reinforcement learning framework that incorporates interaction history to improve jailbreak success rates for large language models (LLMs).
  • Development of two key components: History-augmented Reinforcement Learning (HRL) for capturing cumulative attack dynamics and Attention-based HRL (AHRL) for adaptively reweighting historical data to highlight critical vulnerabilities.
  • Extensive experimentation on standard benchmarks (AdvBench and HarmBench) showing TrailBlazer achieves state-of-the-art performance in jailbreak success rates and query efficiency compared to existing techniques.
  • Demonstration of transferability where models trained on one LLM can effectively attack other LLMs, indicating robustness and general applicability of the approach.
  • Ablation studies that validate the effectiveness of history incorporation and attention-based weighting mechanisms in improving performance.

💡 Why This Paper Matters

This paper introduces a novel approach to adversarial attacks on LLMs, emphasizing the importance of leveraging historical information for more efficient and effective jailbreaks. By providing significant performance gains through innovative reinforcement learning strategies, it contributes to the fields of AI security and safety, illustrating a clearer path for future research and development of robust defense mechanisms against such attacks.

🎯 Why It's Interesting for AI Security Researchers

The methods proposed in this paper are of great interest to AI security researchers as they reveal vulnerabilities in current LLMs and provide a framework for evaluating and enhancing the robustness of these systems against adversarial attacks. Furthermore, by showcasing a new approach to jailbreaking that utilizes historical interaction data, this work opens avenues for improving safety protocols and defenses in AI models, which is crucial in the context of increasing reliance on AI technologies in sensitive applications.

📚 Read the Full Paper

📄 View on arXiv 📎 Download PDF