Jailbreak attacks pose significant threats to large language models (LLMs), enabling attackers to bypass safeguards. However, existing reactive defense approaches struggle to keep up with the rapidly evolving multi-turn jailbreaks, where attackers continuously deepen their attacks to exploit vulnerabilities. To address this critical challenge, we propose HoneyTrap, a novel deceptive LLM defense framework leveraging collaborative defenders to counter jailbreak attacks. It integrates four defensive agents, Threat Interceptor, Misdirection Controller, Forensic Tracker, and System Harmonizer, each performing a specialized security role and collaborating to complete a deceptive defense. To ensure a comprehensive evaluation, we introduce MTJ-Pro, a challenging multi-turn progressive jailbreak dataset that combines seven advanced jailbreak strategies designed to gradually deepen attack strategies across multi-turn attacks. Besides, we present two novel metrics: Mislead Success Rate (MSR) and Attack Resource Consumption (ARC), which provide more nuanced assessments of deceptive defense beyond conventional measures. Experimental results on GPT-4, GPT-3.5-turbo, Gemini-1.5-pro, and LLaMa-3.1 demonstrate that HoneyTrap achieves an average reduction of 68.77% in attack success rates compared to state-of-the-art baselines. Notably, even in a dedicated adaptive attacker setting with intensified conditions, HoneyTrap remains resilient, leveraging deceptive engagement to prolong interactions, significantly increasing the time and computational costs required for successful exploitation. Unlike simple rejection, HoneyTrap strategically wastes attacker resources without impacting benign queries, improving MSR and ARC by 118.11% and 149.16%, respectively.

翻译：越狱攻击对大型语言模型构成重大威胁，使攻击者能够绕过安全防护机制。然而，现有的被动防御方法难以应对快速演进的多轮次越狱攻击，攻击者通过持续深化攻击策略来利用系统漏洞。为应对这一关键挑战，我们提出HoneyTrap——一种创新的欺骗性LLM防御框架，通过协同防御智能体来对抗越狱攻击。该框架整合了四个防御智能体：威胁拦截器、误导控制器、取证追踪器和系统协调器，每个智能体执行专门的安全职能并协同完成欺骗性防御。为确保全面评估，我们构建了MTJ-Pro——一个具有挑战性的多轮渐进式越狱数据集，融合了七种先进的越狱策略，旨在多轮攻击中逐步深化攻击策略。此外，我们提出了两个创新评估指标：误导成功率与攻击资源消耗率，这些指标能够提供比传统度量更精细的欺骗性防御评估。在GPT-4、GPT-3.5-turbo、Gemini-1.5-pro和LLaMa-3.1上的实验结果表明，相较于最先进的基线方法，HoneyTrap平均降低攻击成功率68.77%。值得注意的是，即使在强化条件下的专用自适应攻击者场景中，HoneyTrap仍保持弹性防御能力，通过欺骗性交互延长对抗时间，显著增加成功利用漏洞所需的时间与计算成本。与简单拒绝策略不同，HoneyTrap在不影响良性查询的前提下，战略性地消耗攻击者资源，使误导成功率和攻击资源消耗率分别提升118.11%和149.16%。