As large language models become increasingly deployed, understanding the complexity and evolution of jailbreaking strategies is critical for AI safety. We present a mass-scale empirical analysis of jailbreak complexity across over 2 million real-world conversations from diverse populations. Using a range of complexity metrics, we found that jailbreak attempts did not exhibit significantly higher complexity than normal conversations, suggesting a bound on attack complexity by users in the wild. Temporal analysis revealed that, while user attack toxicity and complexity remained stable over time, assistant response toxicity has decreased, indicating improving safety mechanisms. The absence of power-law scaling in complexity distributions further points to a limit on complexity growth. Our findings challenge the prevailing narrative of an escalating arms race between attackers and defenders. In the wild, it appears that safety evolution is bounded by human ingenuity or technology transferability constraints, while defensive measures continue to advance. However, there are critical information hazards in academic jailbreak disclosure; sophisticated attacks that exceed current complexity baselines could disrupt the observed equilibrium and cause widespread harm before defensive adaptations can be made.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Mass-Scale Analysis of In-the-Wild Conversations Reveals Complexity Bounds on LLM Jailbreaking

  • Aldan Creo,
  • Raul Castro Fernandez,
  • Manuel Cebrian

摘要

As large language models become increasingly deployed, understanding the complexity and evolution of jailbreaking strategies is critical for AI safety. We present a mass-scale empirical analysis of jailbreak complexity across over 2 million real-world conversations from diverse populations. Using a range of complexity metrics, we found that jailbreak attempts did not exhibit significantly higher complexity than normal conversations, suggesting a bound on attack complexity by users in the wild. Temporal analysis revealed that, while user attack toxicity and complexity remained stable over time, assistant response toxicity has decreased, indicating improving safety mechanisms. The absence of power-law scaling in complexity distributions further points to a limit on complexity growth. Our findings challenge the prevailing narrative of an escalating arms race between attackers and defenders. In the wild, it appears that safety evolution is bounded by human ingenuity or technology transferability constraints, while defensive measures continue to advance. However, there are critical information hazards in academic jailbreak disclosure; sophisticated attacks that exceed current complexity baselines could disrupt the observed equilibrium and cause widespread harm before defensive adaptations can be made.