Multi-turn jailbreaks capture the real threat model for safety-aligned chatbots, where single-turn attacks are merely a special case. Yet existing approaches break under exploration complexity and intent drift. We propose SEMA, a simple yet effective framework that trains a multi-turn attacker without relying on any existing strategies or external data. SEMA comprises two stages. Prefilling self-tuning enables usable rollouts by fine-tuning on non-refusal, well-structured, multi-turn adversarial prompts that are self-generated with a minimal prefix, thereby stabilizing subsequent learning. Reinforcement learning with intent-drift-aware reward trains the attacker to elicit valid multi-turn adversarial prompts while maintaining the same harmful objective. We anchor harmful intent in multi-turn jailbreaks via an intent-drift-aware reward that combines intent alignment, compliance risk, and level of detail. Our open-loop attack regime avoids dependence on victim feedback, unifies single- and multi-turn settings, and reduces exploration complexity. Across multiple datasets, victim models, and jailbreak judges, our method achieves state-of-the-art (SOTA) attack success rates (ASR), outperforming all single-turn baselines, manually scripted and template-driven multi-turn baselines, as well as our SFT (Supervised Fine-Tuning) and DPO (Direct Preference Optimization) variants. For instance, SEMA performs an average $80.1\%$ ASR@1 across three closed-source and open-source victim models on AdvBench, 33.9% over SOTA. The approach is compact, reproducible, and transfers across targets, providing a stronger and more realistic stress test for large language model (LLM) safety and enabling automatic redteaming to expose and localize failure modes. Our code is available at: https://github.com/fmmarkmq/SEMA.

翻译：多轮越狱攻击捕捉了安全对齐聊天机器人的真实威胁模型，其中单轮攻击仅是一种特例。然而，现有方法因探索复杂性和意图漂移问题而失效。我们提出了SEMA，一个简单而有效的框架，它无需依赖任何现有策略或外部数据即可训练多轮攻击者。SEMA包含两个阶段。预填充自调优通过微调非拒绝、结构良好、多轮对抗性提示（这些提示由最小前缀自生成）来实现可用的轨迹，从而稳定后续学习。带有意图漂移感知奖励的强化学习训练攻击者生成有效的多轮对抗性提示，同时保持相同的有害目标。我们通过结合意图对齐、合规风险和细节程度的意图漂移感知奖励，在多轮越狱攻击中锚定有害意图。我们的开环攻击机制避免了对受害者反馈的依赖，统一了单轮和多轮设置，并降低了探索复杂性。在多个数据集、受害者模型和越狱评判器上，我们的方法实现了最先进的攻击成功率，优于所有单轮基线、手动脚本和模板驱动的多轮基线，以及我们的监督微调和直接偏好优化变体。例如，在AdvBench上，SEMA在三个闭源和开源受害者模型上平均达到80.1%的ASR@1，比现有最优方法高出33.9%。该方法紧凑、可复现，并可跨目标迁移，为大型语言模型的安全性提供了更强、更现实的压力测试，并支持通过自动红队测试来暴露和定位故障模式。我们的代码发布于：https://github.com/fmmarkmq/SEMA。