STAR-Teaming: A Strategy-Response Multiplex Network Approach to Automated LLM Red Teaming

Abstract: While LLMs are widely used, they remain susceptible to jailbreak prompts that can elicit harmful or inappropriate responses. This paper introduces STAR-Teaming, a novel black-box framework for automated red teaming that effectively generates such prompts. STAR-Teaming integrates a Multi-Agent System (MAS) with a Strategy-Response Multiplex Network and employs network-driven optimization to sample effective attack strategies. This network-based approach recasts the intractable high-dimensional embedding space into a tractable structure, yielding two key advantages: it enhances the interpretability of the LLM's strategic vulnerabilities, and it streamlines the search for effective strategies by organizing the search space into semantic communities, thereby preventing redundant exploration. Empirical results demonstrate that STAR-Teaming significantly surpasses existing methods, achieving a higher attack success rate (ASR) at a lower computational cost. Extensive experiments validate the effectiveness and explainability of the Multiplex Network. The code is available at https://github.com/selectstar-ai/STAR-Teaming-paper.

• The paper formulates red teaming as a network-driven strategy selection problem, enhancing interpretability and search efficiency.
• It employs multiplex community detection and an energy-based optimization using an Inverse Ising Model to map strategies to LLM responses, achieving over 74.5% ASR.
• Empirical evaluations showcase improved computational efficiency, dynamic adaptation, and transferability, setting a new benchmark in LLM vulnerability assessments.

STAR-Teaming: A Strategy-Response Multiplex Network Framework for Automated LLM Red Teaming

Motivation and Contributions

Ensuring the robustness of LLMs in safety-critical settings necessitates the development of scalable, interpretable, and efficient red teaming approaches. Traditional optimization-based adversarial prompt generation methods are computationally demanding and limited in scalability, whereas strategy-based methods with human-crafted jailbreak patterns struggle to offer explainability and efficient search. The STAR-Teaming framework, proposed in "STAR-Teaming: A Strategy-Response Multiplex Network Approach to Automated LLM Red Teaming" (2604.18976), addresses these limitations by introducing a black-box, multi-agent, and community-structured approach that models and exploits correlations between attack strategies and LLM response behaviors using a multiplex network.

The key technical contributions of STAR-Teaming are:

• Formulation of red teaming as a network-driven strategy selection problem, enhancing both interpretability and efficiency.
• Multiplex community detection for structuring the high-dimensional search space, preventing redundant exploration and allowing dynamic expansion as new attack types emerge.
• Reformulation of strategy selection as an energy-based probabilistic optimization, leveraging an Inverse Ising Model to optimize a low-dimensional interaction matrix between strategy and response communities.
• Empirical demonstration of superior attack success rate (ASR), computational efficiency, and interpretability compared to existing SOTA methods across both open- and closed-source LLMs.

STAR-Teaming Architecture

The STAR-Teaming framework is organized into two core components: an automated multi-agent system for attack orchestration, and a multiplex network for guided strategy sampling.

An attacker LLM generates prompts conditioned on sampled attack strategies, targeting a victim LLM, with a scorer LLM assigning success scores to responses. This iterative loop is controlled by the retrieval and refinement of strategies based on multiplex network-guided sampling.

Figure 1: Visual summary of STAR-Teaming: attack strategies are generated, passed to the attacker LLM, and the resulting harmful prompts are produced.

Figure 2: STAR-Teaming integrates (A) a multi-agent red-teaming system with (B) a multiplex network for guided community-based strategy sampling and dynamic updating via response logs.

The framework operates on two network layers:

1. Response Network: Nodes represent unique target responses, with edges constructed from pairwise embedding similarity. Communities are detected via the Leiden algorithm, grouping semantically similar refusal or harmful behaviors.
2. Strategy Network: Nodes represent distinct, LLM-extracted attack strategy patterns. The network’s topology captures redundancies and similarities, partitioned into semantically coherent communities.

Attack and response interactions are recorded as logs, forming the empirical basis for optimally mapping strategy communities to response communities. This explicit structure enables more targeted and less redundant exploration compared to dense similarity-based retrieval approaches.

Multiplex Network Optimization

The multiplex network learns a mapping matrix $Z$ encoding interaction strengths between $N_I$ strategy and $N_J$ response communities. Sampling a strategy for a new response involves inferring which strategy community is most likely, given the response community, under the current model $Z$. The parameter space, $\mathcal{O}(10^3)$, remains tractable and highly interpretable.

Optimization of $Z$ is performed by maximizing the likelihood of observed (response, strategy) pairs via a Boltzmann (energy-based) model, formulated as an Inverse Ising Problem. This yields a convex objective, ensuring efficient and unique convergence. Sampling from the model is governed by the partition function and an adaptive inverse-temperature parameter $\beta$, trading off exploration and exploitation.

Dynamic Expansion and Lifelong Adaptation

A modularity-driven protocol supports dynamic network expansion. When unseen strategies or responses are encountered—indicative of evolving defense mechanisms or emergence of new exploit classes—the network topology admits new communities if they raise the modularity of the graph. The dynamism coefficient $\lambda$ controls the bias toward merging into existing communities versus spawning new ones, maintaining a balance between plasticity and stability.

Consequently, STAR-Teaming is capable of actively assimilating novel patterns over the course of deployment, ensuring ongoing coverage of the evolving adversarial and defensive landscape.

Empirical Evaluation and Numerical Results

Experiments on HarmBench and StrongReject benchmarks establish STAR-Teaming as superior across all evaluation axes. Notable findings include:

• STAR-Teaming achieves average ASR of 74.5%, exceeding AutoDAN-Turbo by +13.5% margin and demonstrating the only method above 10% ASR against highly-aligned closed-source models such as Claude-3.5-Sonnet.
• On StrongReject, STAR-Teaming attains an average score of 0.52 versus the next-best 0.16.
• Efficiency is also highlighted: the approach requires fewer attack iterations and tokens per successful attack compared to other baselines.

  Figure 3: ASR as a function of attack iterations for Llama2-7b-chat: STAR-Teaming consistently dominates across computational budgets.

Ablation analysis demonstrates clear advantages due to the multiplex network. When omitted, strategy sampling collapses into local redundancy, oversampling a few ineffective strategies. The multiplex structure ensures a diverse, uniformly distributed sampling of effective strategies while favoring strategies correlated with high attack scores.

Figure 4: Uniformity in strategy sampling is markedly improved with the multiplex network, avoiding oversampling of any individual strategy.

Figure 5: Multiplex network sampling correlates strongly with attack success, due to effective mapping between high-value strategies and positive response communities.

Additionally, dynamic network expansion yields a +6.3% ASR boost and reduces the mean number of attack trials by 14%, validating the utility of runtime topology adaptation.

Interpretability and Analytical Insights

Multiplex community detection not only improves efficiency but also exposes the underlying vulnerability structure of LLMs. By analyzing the mapping matrix and cross-model strategy profiles, STAR-Teaming reveals that different model families exhibit qualitatively distinct weaknesses to specific strategy communities, enabling more informed defense prioritization.

Practical and Theoretical Implications

STAR-Teaming’s multiplex-guided strategy optimization introduces several consequential implications:

• Improved Explainability: Attack campaigns and observed weaknesses can be traced back to semantically meaningful communities, supporting transparent AI safety auditing.
• Sample Efficiency and Low Overhead: Explicit modeling shrinks the hypothesis space, leading to fewer required queries and less resource consumption.
• Lifelong Adaptation: Dynamic expansion allows STAR-Teaming to remain robust even as target model behavior evolves or new defensive paradigms are introduced.
• Transferability: Optimized adversarial prompts display high transfer rates across model families, highlighting the generality of discovered vulnerabilities.

This framework motivates additional research in extending network-based community modeling to multi-modal systems, exploring adversarial training on target-specific vulnerable community subsets, and integrating online community re-initialization schemes to handle long-term concept drift.

Conclusion

STAR-Teaming introduces a scalable, interpretable, and empirically effective approach to automated LLM red teaming, formulating adversarial strategy selection as a multiplex network-based optimization problem. Its high attack success rates, efficiency gains, and transparent modeling set a new benchmark for systematic adversarial evaluation, with direct utility in AI safety and trustworthy deployment audits. The principles underlying STAR-Teaming are broadly extensible to other generative and multi-modal models, as well as tasks requiring interpretable vulnerability mapping and adaptive exploration.