Large Language Models(LLMs) are widely deployed, yet are vulnerable to jailbreak prompts that elicit policy-violating outputs. Although prior studies have uncovered these risks, they typically treat all tokens as equally important during prompt mutation, overlooking the varying contributions of individual tokens to triggering model refusals. Consequently, these attacks introduce substantial redundant searching under query-constrained scenarios, reducing attack efficiency and hindering comprehensive vulnerability assessment. In this work, we conduct a token-level analysis of refusal behavior and observe that token contributions are highly skewed rather than uniform. Moreover, we find strong cross-model consistency in refusal tendencies, enabling the use of a surrogate model to estimate token-level contributions to the target model's refusals. Motivated by these findings, we propose TriageFuzz, a token-aware jailbreak fuzzing framework that adapts the fuzz testing approach with a series of customized designs. TriageFuzz leverages a surrogate model to estimate the contribution of individual tokens to refusal behaviors, enabling the identification of sensitive regions within the prompt. Furthermore, it incorporates a refusal-guided evolutionary strategy that adaptively weights candidate prompts with a lightweight scorer to steer the evolution toward bypassing safety constraints. Extensive experiments on six open-source LLMs and three commercial APIs demonstrate that TriageFuzz achieves comparable attack success rates (ASR) with significantly reduced query costs. Notably, it attains a 90% ASR with over 70% fewer queries compared to baselines. Even under an extremely restrictive budget of 25 queries, TriageFuzz outperforms existing methods, improving ASR by 20-40%.

翻译：大语言模型（LLMs）已广泛部署，但容易受到越狱提示的攻击，这些提示会引发违反政策的输出。尽管先前的研究已揭示这些风险，但它们通常在进行提示突变时将所有的Token视为同等重要，忽视了单个Token在触发模型拒答行为方面的不同贡献。因此，这些攻击在查询受限场景下引入了大量冗余搜索，降低了攻击效率并阻碍了全面的脆弱性评估。在本工作中，我们对拒答行为进行了Token级分析，观察到Token的贡献高度偏态而非均匀。此外，我们发现拒答倾向存在强跨模型一致性，这使得能够利用替代模型来估计目标模型拒答行为的Token级贡献。受这些发现启发，我们提出了TriageFuzz，一个Token感知的越狱模糊测试框架，该框架通过一系列定制化设计适配模糊测试方法。TriageFuzz利用替代模型估计单个Token对拒答行为的贡献，从而能够识别提示中的敏感区域。此外，它采用了一种拒答引导的进化策略，通过轻量级评分器自适应地加权候选提示，从而引导进化过程绕过安全约束。在六个开源大语言模型和三个商业API上进行的广泛实验表明，TriageFuzz在显著降低查询成本的情况下实现了可比的攻击成功率（ASR）。值得注意的是，与基线方法相比，它在减少超过70%查询次数的条件下实现了90%的ASR。即使在极其有限的25次查询预算下，TriageFuzz也优于现有方法，将ASR提高了20-40%。