We introduce Siege, a multi-turn adversarial framework that models the gradual erosion of Large Language Model (LLM) safety through a tree search perspective. Unlike single-turn jailbreaks that rely on one meticulously engineered prompt, Siege expands the conversation at each turn in a breadth-first fashion, branching out multiple adversarial prompts that exploit partial compliance from previous responses. By tracking these incremental policy leaks and re-injecting them into subsequent queries, Siege reveals how minor concessions can accumulate into fully disallowed outputs. Evaluations on the JailbreakBench dataset show that Siege achieves a 100% success rate on GPT-3.5-turbo and 97% on GPT-4 in a single multi-turn run, using fewer queries than baselines such as Crescendo or GOAT. This tree search methodology offers an in-depth view of how model safeguards degrade over successive dialogue turns, underscoring the urgency of robust multi-turn testing procedures for language models.

本研究解决了现有大型语言模型安全性逐步削弱的问题，提出了一种名为“围攻”的多回合对抗框架。该方法通过树搜索的方式扩展对话，揭示了轻微让步如何在后续响应中积累成完全不可接受的输出，实验结果表明“围攻”在多回合的攻击实验中成功率达到100%。

围攻：基于树搜索的大型语言模型自主多回合越狱