Mass-Scale Analysis of In-the-Wild Conversations Reveals Complexity Bounds on LLM Jailbreaking
摘要
As large language models become increasingly deployed, understanding the complexity and evolution of jailbreaking strategies is critical for AI safety. We present a mass-scale empirical analysis of jailbreak complexity across over 2 million real-world conversations from diverse populations. Using a range of complexity metrics, we found that jailbreak attempts did not exhibit significantly higher complexity than normal conversations, suggesting a bound on attack complexity by users in the wild. Temporal analysis revealed that, while user attack toxicity and complexity remained stable over time, assistant response toxicity has decreased, indicating improving safety mechanisms. The absence of power-law scaling in complexity distributions further points to a limit on complexity growth. Our findings challenge the prevailing narrative of an escalating arms race between attackers and defenders. In the wild, it appears that safety evolution is bounded by human ingenuity or technology transferability constraints, while defensive measures continue to advance. However, there are critical information hazards in academic jailbreak disclosure; sophisticated attacks that exceed current complexity baselines could disrupt the observed equilibrium and cause widespread harm before defensive adaptations can be made.