CRCL, May 20, 2025

PandaGuard: Systematic Evaluation of LLM Safety against Jailbreaking Attacks

arXiv:2505.13862v3 · 2 citations · h-index: 19
Originality: Incremental advance

AI Analysis

This work addresses the need for systematic and reproducible safety evaluations of LLMs, which developers and researchers need in order to identify and mitigate vulnerabilities; the advance is incremental, since it builds on existing attack and defense methods.

The authors tackle the problem of fragmented and non-reproducible evaluations of LLM safety against jailbreaking attacks by introducing PandaGuard, a unified framework, and PandaBench, a benchmark that evaluates attack/defense interactions across 49 LLMs and required over 3 billion tokens to run. The results show that no single defense is optimal and that disagreement between judges affects safety assessments.

Large language models (LLMs) have achieved remarkable capabilities but remain vulnerable to adversarial prompts known as jailbreaks, which can bypass safety alignment and elicit harmful outputs. Despite growing efforts in LLM safety research, existing evaluations are often fragmented, focused on isolated attack or defense techniques, and lack systematic, reproducible analysis. In this work, we introduce PandaGuard, a unified and modular framework that models LLM jailbreak safety as a multi-agent system comprising attackers, defenders, and judges. Our framework implements 19 attack methods and 12 defense mechanisms, along with multiple judgment strategies, all within a flexible plugin architecture supporting diverse LLM interfaces, multiple interaction modes, and configuration-driven experimentation that enhances reproducibility and practical deployment. Built on this framework, we develop PandaBench, a comprehensive benchmark that evaluates the interactions between these attack/defense methods across 49 LLMs and various judgment approaches, requiring over 3 billion tokens to execute. Our extensive evaluation reveals key insights into model vulnerabilities, defense cost-performance trade-offs, and judge consistency. We find that no single defense is optimal across all dimensions and that judge disagreement introduces nontrivial variance in safety assessments. We release the code, configurations, and evaluation results to support transparent and reproducible research in LLM safety.

Code Implementations: 1 repo