@inproceedings{fu-etal-2025-jailbreak,
    title = "Jailbreak {LLM}s through Internal Stance Manipulation",
    author = "Fu, Shuangjie  and
      Su, Du  and
      Huang, Beining  and
      Sun, Fei  and
      Wang, Jingang  and
      Chen, Wei  and
      Shen, Huawei  and
      Cheng, Xueqi",
    editor = "Christodoulopoulos, Christos  and
      Chakraborty, Tanmoy  and
      Rose, Carolyn  and
      Peng, Violet",
    booktitle = "Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing",
    month = nov,
    year = "2025",
    address = "Suzhou, China",
    publisher = "Association for Computational Linguistics",
    url = "https://preview.aclanthology.org/ingest-emnlp/2025.emnlp-main.780/",
    pages = "15455--15470",
    ISBN = "979-8-89176-332-6",
    abstract = "To confront the ever-evolving safety risks of LLMs, automated jailbreak attacks have proven effective for proactively identifying security vulnerabilities at scale. Existing approaches, including GCG and AutoDAN, modify adversarial prompts to induce LLMs to generate responses that strictly follow a fixed affirmative template. However, we observed that the reliance on the rigid output template is ineffective for certain malicious requests, leading to suboptimal jailbreak performance. In this work, we aim to develop a method that is universally effective across all hostile requests. To achieve this, we explore LLMs' intrinsic safety mechanism: a refusal stance towards the adversarial prompt is formed in a confined region and ultimately leads to a rejective response. In light of this, we propose Stance Manipulation (SM), a novel automated jailbreak approach that generates jailbreak prompts to suppress the refusal stance and induce affirmative responses. Our experiments across four mainstream open-source LLMs demonstrate the superiority of SM{'}s performance. Under commenly used setting, SM achieves success rates over 77.1{\%} across all models on Advbench. Specifically, for Llama-2-7b-chat, SM outperforms the best baseline by 25.4{\%}. In further experiments with extended iterations in a speedup setup, SM achieves over 92.2{\%} attack success rate across all models. Our code is publicly available at https://github.com/Zed630/Stance-Manipulation."
}