EvoDefense: Co-Evolving Black-Box Defense with Large Language Models
This work addresses the critical vulnerability of LLMs to black-box attacks, providing a more generalizable defense mechanism for LLM developers and users.
This paper introduces EvoDefense, a black-box defense paradigm for Large Language Models (LLMs) that co-evolves a guard LLM with an attack generator. EvoDefense significantly reduces the attack success rate (ASR) of AutoDAN-turbo on Gemini-3-flash from 29.4% to 8.4% and on LLaMA-3-8B-Instruct from 43.4% to 6.2%, demonstrating strong defense performance across various models and attacks.
Large Language Models (LLMs) remain highly vulnerable to diverse attacks, particularly in black-box settings where the internals of target models are inaccessible. Existing black-box defenses typically rely on pre-defined filtering heuristics, which often fail to generalize to unseen attack types and target model architectures. We introduce EvoDefense, an experience-guided co-evolving black-box defense paradigm. EvoDefense employs a guard LLM to detect malicious queries and an experience memory module to accumulate defense knowledge from previous interactions. At the core of EvoDefense is a continuous attack-defense evolution loop, where an attack generator and the guard model iteratively refine their attack strategies and defense policies through experience-guided optimization. This design enables EvoDefense to generalize across unseen attacks and target models without retraining. Experiments on HarmBench, AdvBench, and AlpacaEval show that EvoDefense achieves consistently strong defense performance across seven popular models and five representative LLM attacks, while preserving competitive general capabilities. On HarmBench, EvoDefense reduces the attack success rate (ASR) of AutoDAN-turbo on Gemini-3-flash and LLaMA-3-8B-Instruct from 29.4% and 43.4% to 8.4% and 6.2%, respectively.