As large language models (LLMs) are increasingly deployed, ensuring their safe use is paramount. Jailbreaking, adversarial prompts that bypass model alignment to trigger harmful outputs, present significant risks, with existing studies reporting high success rates in evading common LLMs. However, previous evaluations have focused solely on the models, neglecting the full deployment pipeline, which typically incorporates additional safety mechanisms like content moderation filters. To address this gap, we present the first systematic evaluation of jailbreak attacks targeting LLM safety alignment, assessing their success across the full inference pipeline, including both input and output filtering stages. Our findings yield two key insights: first, nearly all evaluated jailbreak techniques can be detected by at least one safety filter, suggesting that prior assessments may have overestimated the practical success of these attacks; second, while safety filters are effective in detection, there remains room to better balance recall and precision to further optimize protection and user experience. We highlight critical gaps and call for further refinement of detection accuracy and usability in LLM safety systems.

翻译：随着大语言模型（LLMs）的部署日益广泛，确保其安全使用至关重要。越狱攻击——即通过对抗性提示绕过模型对齐机制以触发有害输出的行为——带来了显著风险，现有研究报告称其在规避常见大语言模型方面具有较高的成功率。然而，以往的评估仅聚焦于模型本身，忽略了完整的部署流程，该流程通常包含额外的安全机制，如内容审核过滤器。为填补这一空白，我们首次对针对大语言模型安全对齐的越狱攻击进行了系统性评估，考察其在完整推理流程（包括输入和输出过滤阶段）中的成功率。我们的研究得出两个关键发现：首先，几乎所有被评估的越狱技术均可被至少一种安全过滤器检测到，这表明先前的评估可能高估了这些攻击的实际成功率；其次，尽管安全过滤器在检测方面有效，但在召回率与精确度的平衡方面仍有改进空间，以进一步优化保护效果和用户体验。我们指出了当前存在的关键不足，并呼吁在大语言模型安全系统中进一步提升检测准确性与可用性。