THRD: A Training-Free Multi-Turn Defense Framework for Jailbreak Attacks on Large Language Models
Title: THRD: A Training-Free Multi-Turn Defense Framework for Jailbreak Attacks on Large Language Models
Abstract
Large Language Models (LLMs) face an escalating threat from multi-turn jailbreak attacks, which leverage conversational dynamics like progressive escalation and coordination across turns. Current defensive strategies are limited: they either depend on expensive retraining processes that often compromise model utility or analyze each turn in isolation. The latter approach fails to account for how risk accumulates over the course of an interaction. We demonstrate that safety performance in multi-turn scenarios is inherently trajectory-dependent, as the dialogue history constantly reshapes the model’s conditioning context, rendering isolated turn evaluations inadequate.
To address this, we introduce THRD, the inaugural training-free framework designed to explicitly model temporal risk accumulation for multi-turn defense. THRD comprises four distinct components: a Turn-level Risk Assessor (TRA) to estimate instantaneous risk, a Historical Context Analyzer (HCA) to detect intent escalation across turns, a Response Evaluator (RE) to identify facilitative outputs, and a Decision Module. This module synthesizes these signals via a time-evolving scoring mechanism that incorporates attenuation-based modulation and trend-aware adjustments.
Our experiments, conducted against state-of-the-art multi-turn attacks—including tree-search-based and multi-agent collaborative methods—on two target models, demonstrate that THRD lowers the Attack Success Rate (ASR) to between 0.2% and 4.0%. Crucially, it maintains model utility, limiting degradation to within 1.5% on MMLU and GSM8K benchmarks. Ablation studies verify the non-redundant nature of each module and confirm stable generalization across architectures. Furthermore, an analysis of initial rejection points indicates that more than 70% of multi-turn attacks are not detectable until Turn 2 or later, underscoring the critical need for explicit temporal aggregation in defense mechanisms.
Source: arXiv Generated at: 2026-06-02 00:00:00 UTC
