Title: D-Judge: Disrupting Multi-Turn Jailbreaks using Semantics-Preserving Output Rewriting

Abstract:

Large language models (LLMs) face an escalating security risk from multi-turn jailbreak attacks, which leverage feedback from auxiliary judge models to iteratively hone prompts for malicious outcomes. Current defensive measures primarily focus on identifying or blocking unsafe content at specific turns or in the final output. However, these approaches leave the judge-driven refinement cycle operational, permitting attackers to glean valuable feedback from intermediate exchanges.

We present D-Judge, a novel defense mechanism that employs semantics-preserving output rewriting to intervene directly within this feedback loop. By modifying the victim LLM’s responses prior to evaluation by the attacker’s judge, D-Judge disrupts the alignment of the feedback signal while maintaining the original meaning. This misalignment obstructs the attacker’s ability to refine prompts effectively, as subsequent queries are optimized based on a distorted assessment of attack progress.

To enhance the efficacy of these rewrites, we developed a dataset comprising semantically equivalent response pairs that yield varying harmfulness scores from judges. This dataset was utilized for supervised fine-tuning and subsequent direct preference optimization. Evaluations on HarmBench demonstrate that D-Judge significantly lowers the success rate of advanced multi-turn jailbreaks without compromising performance on standard benign benchmarks.

Source: arXiv Generated at: 2026-06-03 00:00:00 UTC