Jailbreaking LLMs via Game-Theory Scenarios (arxiv.org)

Researchers introduce the Game-Theory Attack (GTA), a scalable black-box jailbreak framework that systematically coerces safety-aligned large language models into producing harmful outputs. Unlike prior heuristic or narrow-search jailbreaks, GTA frames the attacker–model interaction as a finite-horizon, early-stoppable sequential stochastic game and models the LLM’s randomized outputs with a quantal response reparameterization. The authors propose a behavioral conjecture called “template-over-safety flip”: when the model is placed inside game-theoretic templates (e.g., a disclosure variant of the Prisoner’s Dilemma), its effective objective shifts from a fixed safety preference to maximizing scenario-specific payoffs, weakening safety constraints in that context. An adaptive Attacker Agent escalates pressure within these scenarios to raise the attack success rate (ASR), achieving over 95% ASR on models like Deepseek-R1 while remaining efficient. Key technical takeaways: GTA leverages classical game templates and stochastic decision modeling to create transferable, scalable jailbreaks that generalize across protocols, languages, decoding strategies, and attacker model variants. One-shot LLM-generated scenario backgrounds, scenario scaling studies, and pairing with a Harmful-Words Detection Agent (word-level insertions to evade detectors) further demonstrate robustness and real-world applicability—successfully compromising deployed HuggingFace LLMs in longitudinal tests. The work highlights a new class of alignment vulnerabilities: contextual objective reshaping via scenario design, underscoring urgent needs for defenses that reason about higher-level interaction dynamics rather than only prompt filtering.