Active Honeypot Guardrail System: Probing and Confirming Multi-Turn LLM Jailbreaks
This addresses security vulnerabilities in LLMs against adaptive jailbreak attacks, offering a proactive defense mechanism.
The paper tackles the problem of multi-turn jailbreak attacks on large language models by proposing a honeypot-based proactive guardrail system that uses bait responses to probe user intent, significantly disrupting jailbreak success while preserving benign user experience.
Large language models (LLMs) are increasingly vulnerable to multi-turn jailbreak attacks, where adversaries iteratively elicit harmful behaviors that bypass single-turn safety filters. Existing defenses predominantly rely on passive rejection, which either fails against adaptive attackers or overly restricts benign users. We propose a honeypot-based proactive guardrail system that transforms risk avoidance into risk utilization. Our framework fine-tunes a bait model to generate ambiguous, non-actionable but semantically relevant responses, which serve as lures to probe user intent. Combined with the protected LLM's safe reply, the system inserts proactive bait questions that gradually expose malicious intent through multi-turn interactions. We further introduce the Honeypot Utility Score (HUS), measuring both the attractiveness and feasibility of bait responses, and use a Defense Efficacy Rate (DER) for balancing safety and usability. Initial experiment on MHJ Datasets with recent attack method across GPT-4o show that our system significantly disrupts jailbreak success while preserving benign user experience.