Black-box, Adaptive, Efficient, Transferable, Harmful, Applicable... Attacks Are All You Need to Break LLMs

2026-06-02 · Source: Artificial Intelligence · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

Indirect Harm Optimization (IHO) is introduced as a novel black-box attack method designed to provide a standardized jailbreak evaluation for Large Language Models (LLMs), addressing a gap similar to AutoAttack for image classifiers. IHO operates as a masked diffusion language model attacker, trained through iterative preference optimization against a harmfulness judge, requiring only black-box access to the target LLM. This method is highly efficient, applicable to arbitrary defense pipelines, and demonstrates strong transferability to new behaviors and unseen target models without requiring fine-tuning. Notably, IHO significantly enhances attack success rates compared to existing state-of-the-art approaches, even when confronted with layered defenses such as a Circuit Breaker-trained model combined with an auxiliary detector, without needing defense-specific adaptations. The authors have made the code and models publicly available.

Key takeaway

For AI Security Engineers and red teamers evaluating LLM robustness, IHO provides a critical tool for more reliable jailbreak assessments. You should integrate IHO into your evaluation pipelines to accurately gauge model vulnerabilities, especially against layered defenses. This method offers a black-box, efficient, and transferable approach, enabling you to identify weaknesses that state-of-the-art attacks might miss and improve your defense strategies.

Key insights

Indirect Harm Optimization (IHO) offers a black-box, transferable, and efficient method for standardized LLM jailbreak evaluation.

Principles

• Flawed attacks inflate robustness estimates.
• Reliable LLM attacks require black-box access.
• Amortized policies transfer to unseen models.

Method

IHO trains a masked diffusion language model attacker via iterative preference optimization against a harmfulness judge. It requires only black-box access to the target LLM.

In practice

• Use IHO for standardized jailbreak evaluation.
• Apply IHO as an adaptive attack.
• Deploy IHO against layered LLM defenses.

Topics

• LLM Jailbreaking
• Adversarial Attacks
• Black-box Attacks
• Indirect Harm Optimization
• Model Robustness
• Red Teaming

Best for: Research Scientist, Director of AI/ML, AI Engineer, AI Scientist, AI Security Engineer, NLP Engineer

Related on AIssential

• Towards Understanding the Robustness of Sparse Autoencoders — Integrating Sparse Autoencoders into LLM residual streams significantly enhances robustness against jailbreak attacks.
• One Word at a Time: Incremental Completion Decomposition Breaks LLM Safety — Incremental, single-word prompts can bypass LLM safety by gradually shifting internal refusal and safety representations.
• Looking for backdoors in Jane Street LLMs — Cracking LLM backdoors requires white-box analysis of weight modifications and iterative prompting, especially for large models.
• Jailbreak Scaling Laws for Large Language Models: Polynomial-Exponential Crossover — Adversarial prompt injection transforms LLM jailbreaking success from polynomial to exponential scaling with inference-time samples.
• Needles at Scale: LLM-Assisted Target Selection for Windows Vulnerability Research — LLM-assisted target selection can efficiently narrow millions of functions to a manageable shortlist for Windows vulnerability research.
• Pushing the Frontier of Black-Box LVLM Attacks via Fine-Grained Detail Targeting — M-Attack-V2 improves black-box LVLM attacks by denoising gradients and refining local alignment for better transferability.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.