PsychoPass: Geometric Profiling of Multi-Turn Adversarial LLM Conversations
For LLM safety researchers, this work identifies a confound in geometric attack detection and shows a small but early geometric signal, though the practical gain over baseline guardrails is incremental.
Multi-turn jailbreak attacks on LLMs reveal that current guardrails fail because they analyze individual turns rather than conversation trajectories. PsychoPass extracts geometric features from conversation embeddings to predict attacks before harmful content appears. Its near-perfect performance is largely due to the number of turns, but a smaller geometric signal remains that is detectable early and robust across encoders.
Multi-turn jailbreak attacks on large language models (LLMs) reveal a mismatch in current guardrails: they operate on individual turns, while attacks unfold as trajectories across conversations. We propose a shift from content to dynamics, modeling conversations as paths in representation space and asking whether adversarial intent is encoded early in their geometry. We introduce PsychoPass, a framework that extracts geometric features from conversation trajectories in embedding space to predict a potential attack before harmful content is produced. These features achieve near-perfect performance in naïve classifiers, which is largely explained by the inclusion of number of turns as a feature. After removing this confound, a smaller but consistent geometric signal remains, with classification performance that does not depend meaningfully on encoder choice. Crucially, this signal appears early in the conversation: attack outcomes remain above chance from short prefixes alone, more reliably than baseline guardrails. A supporting theoretical analysis explains these findings via a decomposition of length and shape, a detection bound based on prefix length, and encoder invariance. Together, these results show that adversarial conversations leave an early, representation-robust geometric fingerprint suitable for online monitoring.
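The length/shape split and the turn-count confound described in the abstract can be illustrated with a small sketch. This is an added example, not PsychoPass's code: the feature names (`path_length`, `straightness`, `mean_turn_angle`), the helper functions and the 2-D sample trajectories are assumptions made here, since the page does not list the paper's actual features.

```python
import math

def _sub(a, b): return [x - y for x, y in zip(a, b)]
def _norm(v): return math.sqrt(sum(x * x for x in v))

def trajectory_features(embs):
    """Split a conversation path (one embedding per turn) into length and shape features."""
    if len(embs) < 2:
        raise ValueError("need at least two turns")
    steps = [_sub(b, a) for a, b in zip(embs, embs[1:])]
    norms = [_norm(s) for s in steps]
    path_len = sum(norms)                      # grows with every extra turn
    net = _norm(_sub(embs[-1], embs[0]))       # start-to-end displacement
    angles = []
    for s, t, ns, nt in zip(steps, steps[1:], norms, norms[1:]):
        if ns == 0 or nt == 0:
            continue                           # repeated embedding: direction undefined
        cos = sum(x * y for x, y in zip(s, t)) / (ns * nt)
        angles.append(math.acos(max(-1.0, min(1.0, cos))))
    return {
        "n_turns": len(embs),                  # the confound: a length proxy
        "path_length": path_len,               # length feature, scales with n_turns
        "straightness": net / path_len if path_len else 0.0,                # shape
        "mean_turn_angle": sum(angles) / len(angles) if angles else 0.0,    # shape
    }

def shape_only(features):
    """Keep only features that do not grow with the number of turns."""
    return {k: features[k] for k in ("straightness", "mean_turn_angle")}

def prefix_features(embs, k):
    """Shape features from the first k turns only, as an online monitor would see them."""
    return shape_only(trajectory_features(embs[:k]))

# Constructed 2-D stand-ins for per-turn embeddings (not real encoder output).
DRIFT_SHORT = [[float(i), 0.0] for i in range(4)]        # steady drift, 4 turns
DRIFT_LONG = [[float(i), 0.0] for i in range(8)]         # same shape, 8 turns
WANDER = [[float(i), float(i % 2)] for i in range(8)]    # zigzag path, 8 turns

if __name__ == "__main__":
    for name, traj in [("drift4", DRIFT_SHORT), ("drift8", DRIFT_LONG), ("wander8", WANDER)]:
        print(name, trajectory_features(traj), prefix_features(traj, 3))
```

The two drift paths differ only in `n_turns` and `path_length`, so a classifier fed those features can separate them without learning anything about shape; the shape features are identical for both and already differ from the zigzag path after three turns.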