@inproceedings{levi-etal-2025-jailbreak,
    title = "Jailbreak Attack Initializations as Extractors of Compliance Directions",
    author = "LeVi, Amit  and
      Himelstein, Rom  and
      Nemcovsky, Yaniv  and
      Mendelson, Avi  and
      Baskin, Chaim",
    editor = "Christodoulopoulos, Christos  and
      Chakraborty, Tanmoy  and
      Rose, Carolyn  and
      Peng, Violet",
    booktitle = "Findings of the Association for Computational Linguistics: EMNLP 2025",
    month = nov,
    year = "2025",
    address = "Suzhou, China",
    publisher = "Association for Computational Linguistics",
    url = "https://preview.aclanthology.org/author-page-yu-wang-polytechnic/2025.findings-emnlp.354/",
    doi = "10.18653/v1/2025.findings-emnlp.354",
    pages = "6672--6705",
    ISBN = "979-8-89176-335-7",
    abstract = "Safety-aligned LLMs respond to prompts with either compliance or refusal, each corresponding to distinct directions in the model{'}s activation space. Recent studies have shown that initializing attacks via self-transfer from other prompts significantly enhances their performance. However, the underlying mechanisms of these initializations remain unclear, and attacks utilize arbitrary or hand-picked initializations. This work presents that each gradient-based jailbreak attack and subsequent initialization gradually converge to a single compliance direction that suppresses refusal, thereby enabling an efficient transition from refusal to compliance. Based on this insight, we propose CRI, an initialization framework that aims to project unseen prompts further along compliance directions. We demonstrate our approach on multiple attacks, models, and datasets, achieving an increased attack success rate (ASR) and reduced computational overhead, highlighting the fragility of safety-aligned LLMs."
}