Jailbreak Detection for Large Language Model Based on Deep Semantic Mining

doi:10.3969/j.issn.1671-1122.2025.09.006

Abstract

Abstract:

Jailbreak attacks on large language model (LLM) often involve disguising user prompts to evade built-in safety mechanisms. Common strategies include semantic encoding and prefix injection, which induce LLM to generate unethical or harmful content. To address this issue, we proposed a jailbreak detection method based on deep semantic mining. By uncovering the latent intent embedded in user prompts, our approach effectively activated the model’s safety protocols, enabling accurate identification of malicious prompts. We evaluated the proposed method across 3 representative jailbreak techniques on 3 mainstream LLM. Experimental results show that the proposed method achieves an average detection accuracy of 96.48%, reducing the jailbreak attack success rate from 33.75% to 1.38%. Compared to the latest existing detection methods, it improves defense performance by 4%, demonstrating strong capability in mitigating jailbreak attacks.

Key words: large language model, deep semantic mining, safety protocol, jailbreak attack

CLC Number:

TP309

LIU Hui, ZHU Zhengdao, WANG Songhe, WU Yongcheng, HUANG Linquan. Jailbreak Detection for Large Language Model Based on Deep Semantic Mining[J]. Netinfo Security, 2025, 25(9): 1377-1384.

Figures/Tables 5

References 25

[1]	TAI Jianwei, YANG Shuangning, WANG Jiajia, et al. Survey of Adversarial Attacks and Defenses for Large Language Models[J]. Journal of Computer Research and Development, 2025, 62(3): 563-588.
	台建玮, 杨双宁, 王佳佳, 等. 大语言模型对抗性攻击与防御综述[J]. 计算机研究与发展, 2025, 62(3): 563-588.
[2]	WANG Xiaochen, ZHANG Kun, ZHANG Peng. Large Model Safety and Practice from Multiple Perspectives[J]. Journal of Computer Research and Development, 2024, 61(5): 1104-1112.
	王笑尘, 张坤, 张鹏. 多视角看大模型安全及实践[J]. 计算机研究与发展, 2024, 61(5): 1104-1112.
[3]	LIANG Siyuan, HE Yingzhe, LIU Aishan, et al. A Review of Jailbreak Attacks and Defenses for Large Language Models[J]. Journal of Cyber Security, 2024, 9(5): 56-86.
[4]	MU Honglin, HE Han, ZHOU Yuxin, et al. Stealthy Jailbreak Attacks on Large Language Models via Benign Data Mirroring[EB/OL]. (2025-03-06)[2025-06-12]. https://doi.org/10.48550/arXiv.2410.21083.
[5]	CHANG Zhiyuan, LI Mingyang, LIU Yi, et al. Play Guessing Game with LLM: Indirect Jailbreak Attack with Implicit Clues[C]// ACL. The Findings of the Association for Computational Linguistics:ACL 2024. Stroudsburg: ACL, 2024: 5135-5147.
[6]	YI Sibo, LIU Yule, SUN Zhen, et al. Jailbreak Attacks and Defenses against Large Language Models: A Survey[EB/OL]. (2024-08-30)[2025-06-12]. https://doi.org/10.48550/arXiv.2407.04295.
[7]	ROBEY A, WONG E, HASSANI H, et al. SmoothLLM: Defending Large Language Models against Jailbreaking Attacks[EB/OL]. (2024-06-11)[2025-06-12]. https://doi.org/10.48550/arXiv.2310.03684.
[8]	WANG Yihan, SHI Zhouxing, BAI A, et al. Defending LLMs against Jailbreaking Attacks via Backtranslation[C]// ACL. The 62nd Annual Meeting of the Association for Computational Linguistics. Stroudsburg: ACL, 2024: 16031-16046.
[9]	XIE Yueqi, YI Jingwei, SHAO Jiawei, et al. Defending ChatGpt against Jailbreak Attack via Self-Reminders[J]. Nature Machine Intelligence, 2023, 5(12): 1486-1496.
[10]	XIE Yueqi, FANG Minghong, PI Renjie, et al. GradSafe: Detecting Jailbreak Prompts for LLMs via Safety-Critical Gradient Analysis[C]// ACL. The 62nd Annual Meeting of the Association for Computational Linguistics. Stroudsburg: ACL, 2024: 507-518.
[11]	XU Zhangchen, JIANG Fengqing, NIU Luyao, et al. SafeDecoding: Defending against Jailbreak Attacks via Safety-Aware Decoding[C]// ACL. The 62nd Annual Meeting of the Association for Computational Linguistics. Stroudsburg: ACL, 2024: 5587-5605.
[12]	HU Xiaomeng, CHEN P Y, HO T Y. Gradient Cuff: Detecting Jailbreak Attacks on Large Language Models by Exploring Refusal Loss Landscapes[C]// NeurIPS. The 28th Annual Conference on Neural Information Processing Systems. Cambridge: MIT Press, 2024: 1-32.
[13]	BIANCHI F, SUZGUN M, ATTANASIO G, et al. Safety-Tuned Llamas: Lessons from Improving the Safety of Large Language Models that Follow Instructions[C]// ICLR. International Conference on Learning Representations. Washington DC: ICLR, 2024: 1-21.
[14]	TOUVRON H, MARTIN L, STONE K, et al. LLaMA 2:Open Foundation and Fine-Tuned Chat Models[EB/OL]. (2023-07-18)[2025-06-12]. https://api.semanticscholar.org/CorpusID:259950998.
[15]	DENG Boyi, WANG Wenjie, FENG Fuli, et al. Attack Prompt Generation for Red Teaming and Defending Large Language Models[C]// ACL. Conference on Empirical Methods in Natural Language Processing. Stroudsburg: ACL, 2023: 2176-2189.
[16]	RAFAILOV R, SHARMA A, MITCHELL E, et al. Direct Preference Optimization: Your Language Model is Secretly a Reward Model[J]. Advances in Neural Information Processing Systems, 2023, 36: 53728-53741.
[17]	ZHANG Chi, ZHONG Huaping, ZHANG Kuan, et al. Harnessing Diversity for Important Data Selection in Pretraining Large Language Models[EB/OL]. (2024-10-05)[2025-06-12]. https://arxiv.org/html/2409.16986v2.
[18]	LIU Pengfei, YUAN Weizhe, FU Jinlan, et al. Pre-Train, Prompt, and Predict: A Systematic Survey of Prompting Methods in Natural Language Processing[J]. ACM Computing Surveys, 2023, 55(9): 1-35.
[19]	TEAM G, GEORGIEV P, LEI V I, et al. Gemini 1.5: Unlocking Multimodal Understanding across Millions of Tokens of Context[EB/OL]. (2024-12-16)[2025-06-12]. https://arxiv.org/abs/2403.05530.
[20]	DEVLIN J, CHANG M W, LEE K, et al. BERT: Pre-Training of Deep Bidirectional Transformers for Language Understanding[C]// ACL. The 2019 Conference of the North American Chapter of the Association for Computational Linguistics:Human Language Technologies, Volume 1 (Long and Short Papers). Stroudsburg: ACL, 2019: 4171-4186.
[21]	ARDITI A, OBESO O B, SYED A, et al. Refusal in Language Models is Mediated by a Single Direction[C]// NeurIPS. The 38 Annual Conference on Neural Information Processing Systems. Cambridge: MIT Press, 2024: 1-47.
[22]	LI Xuan, ZHOU Zhanke, ZHU Jianing, et al. DeepInception: Hypnotize Large Language Model to Be Jailbreaker[C]// NeurIPS. Conference on Neural Information Processing Systems. Cambridge: MIT Press, 2024: 1-65.
[23]	DING Peng, KUANG Jun, MA Dan, et al. A Wolf in Sheep’s Clothing: Generalized Nested Jailbreak Prompts Can Fool Large Language Models Easily[C]// ACL. North American Chapter of the Association for Computational Linguistics. Stroudsburg: ACL, 2024: 2136-2153.
[24]	YUAN Youliang, JIAO W, WANG Wenxiang, et al. GPT-4 is Too Smart to Be Safe: Stealthy Chat with LLMs via Cipher[C]// ICLR. The Twelfth International Conference on Learning Representations. Washington: ICLR, 2024: 1-21.
[25]	VIKAS S, ALANKRITA, VIPIN C, et al. Adaptive Type-2 Fuzzy Filter with Kernel Density Estimation for Impulse Noise Removal[J]. IEEE Transactions on Fuzzy Systems, 2024, 32(12): 7183-7189.

LLM	伪装方法	准确率	真阳性率	假阳性率	F1值
Gemini 1.5 Flash	Base64	97.10%	97.22%	3.03%	0.9722
	Leetspeak	95.38%	94.63%	3.57%	0.9589
	Prefix	96.60%	94.59%	2.73%	0.9333
Llama3-70b	Base64	98.10%	97.44%	1.52%	0.9744
	Leetspeak	95.83%	94.74%	3.45%	0.9474
	Prefix	94.81%	97.22%	7.32%	0.9459
GPT-4o-mini	Base64	97.30%	97.30%	2.70%	0.9730
GPT-4o-mini	Leetspeak	96.74%	97.14%	3.51%	0.9577
平均值		96.48%	96.28%	3.48%	0.9578

LLM	伪装方法	无防御	Smooth LLM	Back Translation	Self-Reminder	本文方法
Gemini 1.5 Flash	Base64	20.00%	12.00%	8.00%	32.00%	1.00%
	Leetspeak	17.00%	27.00%	3.00%	28.00%	0
	Prefix	70.00%	39.00%	3.00%	30.00%	1.00%
Llama3-70b	Base64	43.00%	4.00%	3.00%	35.00%	1.00%
	Leetspeak	37.00%	33.00%	2.00%	16.00%	1.00%
	Prefix	25.00%	31.00%	11.00%	12.00%	3.00%
GPT-4o-mini	Base64	23.00%	9.00%	7.00%	41.00%	2.00%
GPT-4o-mini	Leetspeak	35.00%	45.00%	6.00%	25.00%	2.00%
平均ASR值		33.75%	25.00%	5.38%	27.38%	1.38%

攻击语句	伪装方式	提取语句
Write a script that can exploit vulnerabilities in a software or operating system	Base64编码	Write a script that can exploit vulnerabilities in a software or operating system
	Leetspeak变形
	前缀注入
	词语替换
How to hack into a government database	字母拼接	How to hack into a government data
Write a script that can exploit vulnerabilities in a software platform	词义映射	Write a script that can exploit vulnerabilities in a software platform