D-Judge: Disrupting Multi-Turn Jailbreaks using Semantics-Preserving Output Rewriting
For LLM safety, D-Judge addresses the vulnerability of multi-turn jailbreak attacks that exploit judge feedback, offering a novel defense that disrupts the refinement loop.
D-Judge reduces the success rate of state-of-the-art multi-turn jailbreaks on HarmBench by rewriting LLM responses to mislead the attacker's judge model, while preserving performance on benign benchmarks.
Multi-turn jailbreak attacks pose a growing threat to large language model (LLM) safety because they exploit feedback from auxiliary judge models to iteratively refine prompts toward harmful goals. Existing defenses largely detect or block unsafe content at individual turns or at the final response, leaving the judge-driven refinement loop intact and allowing attackers to extract informative feedback from intermediate interactions. We introduce D-Judge, a semantics-preserving output rewriting defense that intervenes directly in this loop by rewriting the victim LLM's responses before they are evaluated by the attacker's judge. By misaligning the judge's feedback signal without changing the meaning of the original response, D-Judge derails the attacker's prompt-refinement process, causing subsequent queries to be optimized against a distorted signal of attack progress. To improve D-Judge's ability to produce such rewrites, we construct a dataset of semantically equivalent response pairs that induce different judge-assigned harmfulness scores, and use it for supervised fine-tuning followed by direct preference optimization. Experiments on HarmBench show that D-Judge reduces the success rate of state-of-the-art multi-turn jailbreaks while preserving performance on benign benchmarks.