Large Language Models (LLMs) face prominent security risks from jailbreaking, a practice that manipulates models to bypass built-in security constraints and generate unethical or unsafe content. Among various jailbreak techniques, multi-turn jailbreak attacks are more covert and persistent than single-turn counterparts, exposing critical vulnerabilities of LLMs. However, existing multi-turn jailbreak methods suffer from two fundamental limitations that affect the actual impact in real-world scenarios: (a) As models become more context-aware, any explicit harmful trigger is increasingly likely to be flagged and blocked; (b) Successful final-step triggers often require finely tuned, model-specific contexts, making such attacks highly context-dependent. To fill this gap, we propose \textit{Salami Slicing Risk}, which operates by chaining numerous low-risk inputs that individually evade alignment thresholds but cumulatively accumulate harmful intent to ultimately trigger high-risk behaviors, without heavy reliance on pre-designed contextual structures. Building on this risk, we develop Salami Attack, an automatic framework universally applicable to multiple model types and modalities. Rigorous experiments demonstrate its state-of-the-art performance across diverse models and modalities, achieving over 90\% Attack Success Rate on GPT-4o and Gemini, as well as robustness against real-world alignment defenses. We also proposed a defense strategy to constrain the Salami Attack by at least 44.8\% while achieving a maximum blocking rate of 64.8\% against other multi-turn jailbreak attacks. Our findings provide critical insights into the pervasive risks of multi-turn jailbreaking and offer actionable mitigation strategies to enhance LLM security.

翻译：大型语言模型（LLMs）面临突出的安全风险，其中越狱行为——即操纵模型绕过内置安全约束生成不道德或有害内容——尤为显著。在各类越狱技术中，多轮越狱攻击相比单轮攻击更具隐蔽性和持续性，暴露出LLMs的关键脆弱性。然而，现有多轮越狱方法存在两个根本性局限，影响其在真实场景中的实际效果：(a) 随着模型上下文感知能力增强，显性有害触发词越来越容易被标记并拦截；(b) 成功的最终步骤触发词通常需要精细调整的、针对特定模型上下文，使得此类攻击高度依赖具体情境。为填补这一空白，我们提出"切片式风险"概念，其运作原理是串联大量低风险输入——这些输入单独规避对齐阈值，但累积之下会汇聚有害意图，最终触发高风险行为，且无需过度依赖预设计的上下文结构。基于此风险，我们开发了Salami Attack，一种自动攻击框架，可普遍适用于多种模型类型与模态。严格实验表明，该框架在多种模型与模态上展现最先进性能，在GPT-4o和Gemini上攻击成功率超过90%，并对现实对齐防御具有鲁棒性。我们还提出了一种防御策略，可将Salami Attack的效力至少限制44.8%，同时针对其他多轮越狱攻击实现最高64.8%的拦截率。本研究的发现为多轮越狱的普遍风险提供了关键见解，并提出了可操作缓解策略以增强LLM安全性。