AAU Student Projects - visit Aalborg University's student projects portal
An executive master's programme thesis from Aalborg University
Book cover


Evaluating Roleplay Jailbreak Vulnerability and Defense in Open-Source LLMs

Authors

; ; ; ;

Term

3. term

Education

Software, Master

Publication year

2025

Submitted on

Pages

20

Abstract

Store sprogmodeller er udbredt i hverdagsapplikationer, men er fortsat sårbare over for jailbreak-forsøg, især når skadelige forespørgsler indpakkes i roleplay-fortællinger. Dette arbejde undersøger, hvordan roleplay-skabeloner påvirker jailbreak-sårbarhed på tværs af open source-LLM’er i forskellige størrelser og med forskellig alignment, og om et enkelt forsvar på responsniveau kan afbøde disse angreb. Vi evaluerer seks open source-modeller på AdvBenchs skadelige prompter og på roleplay-varianter, der maskerer intentionen gennem personaer og fortælling. For hvert prompt-respons-par anvender vi LlamaGuard-3 til at vurdere, om der produceres skadeligt indhold, og beregner angrebssuccesrater. Derefter tilføjer vi Qwen3Guard som et efter-generering-sikkerhedsfilter til at blokere usikre svar og sammenligner succesrater før og efter forsvar. Analysen adresserer tre spørgsmål: effekten af roleplay-indpakning, forskelle mellem modeller og den afbødende effekt af et responsniveau-forsvar. Resultaterne indikerer, at roleplay-prompter pålideligt kan fremkalde usikkert output, og at Qwen3Guard i væsentlig grad reducerer jailbreak-succes på tværs af modeller og promptvarianter, hvilket peger på en praktisk, implementerbar beskyttelse i open source-LLM-pipelines.

Large language models are widely used in everyday applications but remain vulnerable to jailbreak attempts, especially when harmful requests are wrapped in roleplay narratives. This work examines how roleplay templates influence jailbreak vulnerability across open-source LLMs of different sizes and alignments, and whether a simple response-level defense can mitigate these attacks. We evaluate six open-source models on the AdvBench set of harmful prompts and on roleplay variants that mask intent through personas and storytelling. For each prompt–response pair, we use LlamaGuard-3 to judge whether harmful content is produced and compute attack success rates. We then add Qwen3Guard as a post-generation safety filter to block unsafe outputs and compare success rates before and after defense. The analysis addresses three questions: the impact of roleplay framing, differences between models, and the mitigating effect of a response-level guard. Results indicate that roleplay prompts can reliably elicit unsafe outputs and that Qwen3Guard substantially reduces jailbreak success across models and prompt variants, highlighting a practical, deployable safeguard for open-source LLM pipelines.

[This abstract was generated with the help of AI]

Keywords

Large Language Models ; Jailbreak attacks ; Roleplay prompts ; LlamaGuard-3 ; Attack Success Rate ; Response-Level Defense ; Qwen3Guard

Documents

Download
View record in AAU Student Projects