Large Language Models (LLMs) are improving at an exceptional rate. With the advent of agentic workflows, multi-turn dialogue has become the de facto mode of interaction with LLMs for completing long and complex tasks. While LLM capabilities continue to improve, they remain increasingly susceptible to jailbreaking, especially in multi-turn scenarios where harmful intent can be subtly injected across the conversation to produce nefarious outcomes. While single-turn attacks have been extensively explored, adaptability, efficiency and effectiveness continue to remain key challenges for their multi-turn counterparts. To address these gaps, we present PLAGUE, a novel plug-and-play framework for designing multi-turn attacks inspired by lifelong-learning agents. PLAGUE dissects the lifetime of a multi-turn attack into three carefully designed phases (Primer, Planner and Finisher) that enable a systematic and information-rich exploration of the multi-turn attack family. Evaluations show that red-teaming agents designed using PLAGUE achieve state-of-the-art jailbreaking results, improving attack success rates (ASR) by more than 30% across leading models in a lesser or comparable query budget. Particularly, PLAGUE enables an ASR (based on StrongReject) of 81.4% on OpenAI's o3 and 67.3% on Claude's Opus 4.1, two models that are considered highly resistant to jailbreaks in safety literature. Our work offers tools and insights to understand the importance of plan initialization, context optimization and lifelong learning in crafting multi-turn attacks for a comprehensive model vulnerability evaluation.

翻译：摘要：大型语言模型（LLM）正以异常迅猛的速度持续改进。随着智能体工作流的兴起，多轮对话已成为与LLM交互以完成长周期复杂任务的主流模式。尽管LLM能力不断提升，但其仍日益易受越狱攻击的影响——尤其在多轮对话场景中，恶意意图可通过对话过程被巧妙注入以产生有害结果。现有单轮攻击虽已得到广泛研究，但针对多轮攻击的适应性、效率与有效性仍是核心挑战。为填补这些空白，本文提出PLAGUE——一种受终身学习智能体启发的创新即插即用式多轮攻击设计框架。PLAGUE将多轮攻击的生命周期解构为三个精心设计的阶段（初始化阶段、规划阶段与收尾阶段），从而实现对多轮攻击家族的系统化、信息密集性探索。评估表明，基于PLAGUE设计的红队智能体在主流模型上实现了最先进的越狱效果，攻击成功率（ASR）在同等或更少查询预算下提升超30%。尤其值得注意的是，PLAGUE在OpenAI o3与Claude Opus 4.1（安全文献中被视为高度抗越狱的两种模型）上分别实现了基于StrongReject指标的81.4%与67.3%的ASR。本研究为理解计划初始化、上下文优化及终身学习在构建多轮攻击中的重要性提供了工具与洞见，助力全面的模型脆弱性评估。