One Jailbreak, Many Tongues: Learning Language-Insensitive Intention Representations for Multilingual Jailbreak Detection
One Jailbreak, Many Tongues: Learning Language-Insensitive Intention Representations for Multilingual Jailbreak Detection
一种越狱,多种语言:学习用于多语言越狱检测的语言无关意图表示
Abstract: Large language models (LLMs) are increasingly deployed in applications for global multilingual users, yet safety training remains concentrated in dominant languages and has not progressed in parallel with multilingual capability, creating exploitable gaps for jailbreak attacks. Current jailbreak defenses are largely developed and evaluated in dominant languages, and their effectiveness is limited by the scarcity of aligned multilingual supervision and representations dispersion caused by language variation.
摘要: 大型语言模型(LLMs)正越来越多地应用于全球多语言用户的场景中,然而安全训练仍集中在主流语言上,并未与多语言能力同步发展,从而为越狱攻击留下了可利用的漏洞。目前的越狱防御措施大多是在主流语言中开发和评估的,其有效性受到对齐的多语言监督数据匮乏以及语言差异导致的表示分散问题的限制。
To address this issue, we propose MLJailDe, a multilingual jailbreak detection framework designed to improve both multilingual robustness and cross-lingual generalization. MLJailDe first introduces a multilingual back-translation data augmentation algorithm to construct a semantically consistent and functionally effective dataset spanning 11 languages, consisting of 2,232 benign and 1,239 jailbreak samples.
为了解决这一问题,我们提出了 MLJailDe,这是一个旨在提高多语言鲁棒性和跨语言泛化能力的多语言越狱检测框架。MLJailDe 首先引入了一种多语言回译数据增强算法,构建了一个涵盖 11 种语言、语义一致且功能有效的数据集,其中包括 2,232 个良性样本和 1,239 个越狱样本。
On this basis, MLJailDe employs relative-distance constraints to reduce cross-lingual representation dispersion and encourage jailbreak prompts with similar intent to form consistent clusters across languages, while an imbalance-aware classification objective is further used to alleviate class imbalance and learn more reliable multilingual decision boundaries.
在此基础上,MLJailDe 采用相对距离约束来减少跨语言表示的分散,并促使具有相似意图的越狱提示在不同语言间形成一致的聚类;同时,进一步使用感知不平衡的分类目标来缓解类别不平衡问题,并学习更可靠的多语言决策边界。
Experimental results show that MLJailDe outperforms state-of-the-art baselines across multiple languages, achieving an F1 score of 98.5%, and obtains an average F1 score of 97.1% on unseen languages, demonstrating strong effectiveness and cross-lingual generalization.
实验结果表明,MLJailDe 在多种语言上的表现均优于当前最先进的基准模型,F1 分数达到 98.5%,在未见过的语言上平均 F1 分数达到 97.1%,证明了其强大的有效性和跨语言泛化能力。