← Back to Library

TAO-Attack: Toward Advanced Optimization-Based Jailbreak Attacks for Large Language Models

Authors: Zhi Xu, Jiaqi Li, Xiaotong Zhang, Hong Yu, Han Liu

Published: 2026-03-03

arXiv ID: 2603.03081v1

Added to Library: 2026-03-04 03:01 UTC

Red Teaming

📄 Abstract

Large language models (LLMs) have achieved remarkable success across diverse applications but remain vulnerable to jailbreak attacks, where attackers craft prompts that bypass safety alignment and elicit unsafe responses. Among existing approaches, optimization-based attacks have shown strong effectiveness, yet current methods often suffer from frequent refusals, pseudo-harmful outputs, and inefficient token-level updates. In this work, we propose TAO-Attack, a new optimization-based jailbreak method. TAO-Attack employs a two-stage loss function: the first stage suppresses refusals to ensure the model continues harmful prefixes, while the second stage penalizes pseudo-harmful outputs and encourages the model toward more harmful completions. In addition, we design a direction-priority token optimization (DPTO) strategy that improves efficiency by aligning candidates with the gradient direction before considering update magnitude. Extensive experiments on multiple LLMs demonstrate that TAO-Attack consistently outperforms state-of-the-art methods, achieving higher attack success rates and even reaching 100\% in certain scenarios.

🔍 Key Points

  • Introduction of TAO-Attack, an advanced optimization-based jailbreak method for Large Language Models (LLMs) that addresses key limitations of current approaches.
  • Development of a two-stage loss function: the first stage suppresses refusals while the second penalizes pseudo-harmful outputs, enhancing the generation of genuinely harmful completions.
  • Implementation of Direction-Priority Token Optimization (DPTO), improving the efficiency of token updates by focusing on alignment with the gradient direction before update magnitude.
  • Extensive experimental results demonstrating that TAO-Attack consistently outperforms state-of-the-art jailbreaking methods, achieving up to 100% attack success rates in various scenarios.
  • The study reveals persistent vulnerabilities in LLM safety alignments, emphasizing the urgent need for stronger defenses against optimization-based jailbreak strategies.

💡 Why This Paper Matters

The paper presents TAO-Attack as a significant advancement in the field of optimization-based jailbreak attacks on LLMs. By addressing limitations seen in previous methods—such as handling refusals and generating pseudo-harmful outputs—TAO-Attack showcases a practical framework that can effectively exploit model vulnerabilities. The impressive experimental results, including the high attack success rates across different models, underscore its relevance in enhancing security assessments of LLMs and prompting the development of more robust defense mechanisms.

🎯 Why It's Interesting for AI Security Researchers

This paper is of critical interest to AI security researchers as it exposes significant vulnerabilities in Large Language Models' safety alignments and demonstrates a practical attack methodology. The findings underscore the importance of understanding adversarial risks associated with LLMs and highlight the need for developing defenses that can withstand advanced optimization-based attacks. Additionally, the methodologies proposed (two-stage loss function and DPTO) provide new approaches that could inspire further research in improving LLM robustness.

📚 Read the Full Paper

📄 View on arXiv 📎 Download PDF