Papers
Topics
Authors
Recent
Search
2000 character limit reached

ForgeDAN: Evolutionary Jailbreak Framework

Updated 3 July 2026
  • ForgeDAN is a black-box evolutionary jailbreak framework that generates semantically coherent adversarial prompts to bypass LLM alignment safeguards.
  • It employs a multi-strategy mutation engine—operating at character, word, and sentence levels—with an embedding-based semantic fitness function to optimize prompt modification.
  • A dual-dimensional jailbreak judgment system, evaluating both compliance and harmfulness, ensures high attack success in diverse large language models.

Searching arXiv for ForgeDAN and closely related entries to ground the article in the relevant paper. ForgeDAN is a black-box, evolutionary jailbreak framework for generating adversarial prompts that can bypass alignment safeguards in LLMs. It is presented as an advance over prior automated jailbreak methods such as AutoDAN-HGA and GCG, with the stated objective of generating semantically coherent adversarial prompts, achieving high attack success rate (ASR), and remaining sufficiently stealthy/natural to evade simple detectors. The framework combines multi-strategy textual perturbations across character, word, and sentence levels, semantic fitness evaluation based on embedding similarity, and dual-dimensional jailbreak judgment using two LLM-based classifiers to assess compliance and harmfulness separately (Cheng et al., 17 Nov 2025).

1. Problem formulation and threat model

ForgeDAN is designed for a setting in which the attacker can query a target LLM and observe outputs, but does not have access to model parameters, gradients, or training data. The attacker is assumed to know general LLM alignment behavior and common safety mechanisms, and seeks to construct a prompt prefix tt^* that, when concatenated with a malicious payload goalgoal, causes the model to comply rather than refuse and to output harmful content (Cheng et al., 17 Nov 2025).

The paper formalizes this objective as a constrained optimization problem: t=maxtX  P[Bypass(M(t,goal))]t^{*} = \max_{t \in X} \; P[\mathrm{Bypass}(M(t,goal))] subject to semantic preservation: Sim(t,t0)τ\mathrm{Sim}(t, t_0) \geq \tau where MM is the target LLM, t0t_0 is the original seed template, goalgoal is the malicious payload, Bypass()\mathrm{Bypass}(\cdot) returns whether the response is both non-refusal and harmful, Sim\mathrm{Sim} is a similarity measure, and τ\tau is a similarity threshold (Cheng et al., 17 Nov 2025).

This formulation makes the search space explicitly discrete, non-differentiable, and constrained. A plausible implication is that ForgeDAN is intended as a search procedure for realistic prompt engineering rather than for suffix optimization in gradient-access settings. The paper explicitly contrasts this objective with methods that produce garbage-like or gibberish adversarial strings, emphasizing instead human-readable DAN-style prompts (Cheng et al., 17 Nov 2025).

2. Evolutionary search procedure

ForgeDAN is implemented as an evolutionary algorithm. It begins from a malicious seed template, repeatedly mutates candidate prompts, evaluates them semantically, and verifies whether the resulting model output constitutes a successful jailbreak. The process continues until a successful candidate is found or a maximum number of iterations is reached (Cheng et al., 17 Nov 2025).

The algorithm takes as input the initial template goalgoal0, malicious payload goalgoal1, expected output or harmful reference goalgoal2, maximum iterations goalgoal3, population size goalgoal4, and elite size goalgoal5. Its high-level structure is as follows:

  1. Initialize a population by mutating goalgoal6 into goalgoal7 variants.
  2. For each generation, compute the fitness of each candidate.
  3. Select the best candidate goalgoal8.
  4. Perform jailbreak judgment on that candidate.
  5. If successful, return it.
  6. Otherwise, preserve the top-goalgoal9 elite prompts and mutate the remaining candidates to produce the next generation (Cheng et al., 17 Nov 2025).

The pseudocode is given in the paper as: t=maxtX  P[Bypass(M(t,goal))]t^{*} = \max_{t \in X} \; P[\mathrm{Bypass}(M(t,goal))]0 with initialization of t=maxtX  P[Bypass(M(t,goal))]t^{*} = \max_{t \in X} \; P[\mathrm{Bypass}(M(t,goal))]1 from mutated variants of t=maxtX  P[Bypass(M(t,goal))]t^{*} = \max_{t \in X} \; P[\mathrm{Bypass}(M(t,goal))]2, a running best prompt t=maxtX  P[Bypass(M(t,goal))]t^{*} = \max_{t \in X} \; P[\mathrm{Bypass}(M(t,goal))]3, iterative fitness computation, elite preservation, and mutation of non-elites into t=maxtX  P[Bypass(M(t,goal))]t^{*} = \max_{t \in X} \; P[\mathrm{Bypass}(M(t,goal))]4 offspring (Cheng et al., 17 Nov 2025).

The default implementation uses:

  • t=maxtX  P[Bypass(M(t,goal))]t^{*} = \max_{t \in X} \; P[\mathrm{Bypass}(M(t,goal))]5
  • t=maxtX  P[Bypass(M(t,goal))]t^{*} = \max_{t \in X} \; P[\mathrm{Bypass}(M(t,goal))]6
  • t=maxtX  P[Bypass(M(t,goal))]t^{*} = \max_{t \in X} \; P[\mathrm{Bypass}(M(t,goal))]7

These settings are described as balancing efficiency and performance (Cheng et al., 17 Nov 2025). The discussion section further states that ForgeDAN is more efficient than PAIR, with parallelized evaluation and roughly t=maxtX  P[Bypass(M(t,goal))]t^{*} = \max_{t \in X} \; P[\mathrm{Bypass}(M(t,goal))]8 per sample, and that the prototype was implemented on 2 NVIDIA A100 GPUs, a 32-core CPU, and 128 GB RAM. The framework is built on garak, a security probing pipeline (Cheng et al., 17 Nov 2025).

3. Multi-strategy textual perturbations

The mutation engine is a central component of ForgeDAN. The paper presents it as a response to the limited mutation diversity of earlier jailbreak systems. Rather than relying on a single mutation trajectory, ForgeDAN applies multiple perturbation strategies at three linguistic levels: character, word, and sentence (Cheng et al., 17 Nov 2025).

At the character level, the goal is to preserve readability while evading naive filters. The examples given are:

  • Homoglyph substitution: bomb → b0mb
  • Neighbor swap: attack → atackk
  • Character insertion: hack → haXck
  • Character deletion: weapon → wepon
  • Character replacement: kill → k!ll (Cheng et al., 17 Nov 2025)

At the word level, mutations operate on lexical content while aiming to preserve semantics. The paper gives:

  • Synonym replacement: build a bomb → construct a bomb
  • Morphological change: encrypting → encrypted
  • Homophone substitution: weak → week
  • Paraphrase substitution: make a weapon → create a weapon (Cheng et al., 17 Nov 2025)

The paper explicitly notes that some word-level substitutions can alter meaning; the weak → week example is flagged as requiring additional similarity analysis. This is why mutation is followed by semantic filtering rather than treated as intrinsically safe (Cheng et al., 17 Nov 2025).

At the sentence level, ForgeDAN modifies prompt structure more globally. The examples given are:

  • Syntactic restructuring: How to build a bomb? → The process of bomb building is...
  • Clause reordering: Step A then Step B → Step B follows Step A (Cheng et al., 17 Nov 2025)

These operations are intended to improve naturalness and increase variation while maintaining harmful intent. The mutation module is described as plugin-based, dynamically extensible, and organized as a library of operators, so operators can be added or removed without changing the whole framework (Cheng et al., 17 Nov 2025).

The mutation procedure is explicitly constrained by semantic validation. At each iteration, a perturbation strategy is sampled from the mutation library, applied to a candidate prompt t=maxtX  P[Bypass(M(t,goal))]t^{*} = \max_{t \in X} \; P[\mathrm{Bypass}(M(t,goal))]9 to produce Sim(t,t0)τ\mathrm{Sim}(t, t_0) \geq \tau0, and retained only if: Sim(t,t0)τ\mathrm{Sim}(t, t_0) \geq \tau1 Invalid candidates are discarded before fitness evaluation (Cheng et al., 17 Nov 2025). This suggests that ForgeDAN attempts to maximize mutation diversity without allowing the search to drift away from the original malicious intent.

4. Semantic fitness and dual-dimensional jailbreak judgment

ForgeDAN’s second major component is its semantic fitness function, introduced as a replacement for shallow lexical metrics such as Jaccard similarity. The paper argues that lexical overlap is inadequate because semantically equivalent outputs may differ substantially in wording; for example, assemble an explosive device and construct a bomb may share little token overlap while expressing similar meaning (Cheng et al., 17 Nov 2025).

The framework therefore uses an embedding-based fitness function: Sim(t,t0)τ\mathrm{Sim}(t, t_0) \geq \tau2 where Sim(t,t0)τ\mathrm{Sim}(t, t_0) \geq \tau3 is a pretrained text encoder, Sim(t,t0)τ\mathrm{Sim}(t, t_0) \geq \tau4 is the model response to the candidate prompt and payload, Sim(t,t0)τ\mathrm{Sim}(t, t_0) \geq \tau5 is the harmful reference response, and Sim(t,t0)τ\mathrm{Sim}(t, t_0) \geq \tau6 is cosine similarity (Cheng et al., 17 Nov 2025).

The score measures how semantically close the model’s response is to a known harmful reference. Higher-scoring candidates are preserved, lower-scoring ones are discarded, and elite candidates are carried across generations. The default encoder is RoBERTa, though the paper states that the framework is extensible to other encoders such as Sentence-BERT or domain-specific embeddings (Cheng et al., 17 Nov 2025).

The paper characterizes this fitness measure as semantic, interpretable, and robust to paraphrase. It contrasts the method with AutoDAN-HGA’s cross-entropy or lexical heuristics, which it describes as more opaque and less interpretable (Cheng et al., 17 Nov 2025). Within the ablation study, semantic fitness emerges as the most important single component: replacing it with an AutoDAN-HGA-style cross-entropy metric causes performance to fall to as low as 5.77% on Gemma-2-9B and 12.12% on TranSpec-13B (Cheng et al., 17 Nov 2025).

The third major component is dual-dimensional jailbreak judgment, which addresses the weakness of keyword-based detection. In ForgeDAN, a jailbreak is counted as successful only when the output is both compliant and harmful. This is formalized through two classifiers: Sim(t,t0)τ\mathrm{Sim}(t, t_0) \geq \tau7

Sim(t,t0)τ\mathrm{Sim}(t, t_0) \geq \tau8

with success defined as: Sim(t,t0)τ\mathrm{Sim}(t, t_0) \geq \tau9 (Cheng et al., 17 Nov 2025)

The paper organizes outcomes into a MM0 decision matrix:

  • Refuse + Safe → refusal
  • Refuse + Harmful → blocked refusal with harmful trace
  • Comply + Safe → compliant but safe
  • Comply + Harmfulsuccessful jailbreak (Cheng et al., 17 Nov 2025)

This separation of behavior and content is intended to reduce false positives, false negatives, and ambiguous success judgments. In ablation, replacing dual-dimensional judgment with keyword matching leads to severe degradation, including Qwen2.5-7B: 87.50% → 1.92% and DeepSeek-V3: 58.65% → 10.19% (Cheng et al., 17 Nov 2025). The result supports the paper’s claim that keyword matching is brittle because it can miss paraphrases, overcount partial harmful traces, and confuse mere non-refusal with genuine harmful compliance.

5. Evaluation protocol and empirical results

ForgeDAN is evaluated on 3 open-source LLMs and 1 domain-specific proprietary model:

  • Qwen2.5-7B
  • Gemma-2-9B
  • DeepSeek-V3
  • TranSpec-13B, described as a 9B parameter domain-specific Transformer-based model used as a reference name in the paper (Cheng et al., 17 Nov 2025)

The baselines are:

Two datasets are used. The first is AdvBench, comprising 520 malicious request samples, each paired with a verified reference response and divided into 7 categories using TF-IDF plus manual annotation: profanity, dangerous or illegal suggestions, cyber-crime, misinformation, threatening behavior, graphic depictions, and discrimination. The second is a real-world dataset containing 137 harmful chat records extracted from operational logs of an anonymized AI enterprise and labeled with the same 7 categories (Cheng et al., 17 Nov 2025). The main metric is Attack Success Rate (ASR), defined in accordance with the dual-dimensional judgment criterion (Cheng et al., 17 Nov 2025).

On AdvBench, ForgeDAN reports the following ASR results:

Model ForgeDAN Best Baseline
DeepSeek-V3 58.65% 35.00% (PAIR)
Gemma-2-9B 98.27% 23.65% (DAN)
Qwen2.5-7B 87.50% 40.58% (PAIR/DAN reported at same level in table)
TranSpec-13B 55.00% 46.92% (PAIR)

The paper states that ForgeDAN is consistently best, with especially large gains on Gemma-2-9B and Qwen2.5-7B. It also reports that GCG performs very poorly across all models, generally below 4%, while AutoDAN-HGA is better but unstable, PAIR can be competitive, and DAN is sometimes decent but inconsistent (Cheng et al., 17 Nov 2025).

The generalization analysis evaluates transfer from one malicious payload to another within AdvBench. ForgeDAN again leads:

Model ForgeDAN Best Baseline
DeepSeek-V3 61.54% 14.42% (AutoDAN-HGA)
Gemma-2-9B 98.46% 23.65%
Qwen2.5-7B 87.12% 62.88% (AutoDAN-HGA)
TranSpec-13B 54.23% 43.46%

The paper interprets these results as evidence that ForgeDAN generalizes well across payloads and is not overfit to a single malicious query (Cheng et al., 17 Nov 2025).

On the real-world dataset, ForgeDAN remains the strongest method:

Model ForgeDAN Best Baseline
DeepSeek-V3 57.66% 22.63% (AutoDAN-HGA)
Gemma-2-9B 100.00% 43.07% (DAN)
Qwen2.5-7B 89.05% 51.82% (DAN)
TranSpec-13B 56.20% 46.72% (DAN)

This is presented as evidence that ForgeDAN transfers from benchmark prompts to operationally sourced harmful requests (Cheng et al., 17 Nov 2025).

6. Ablation, limitations, and significance

The ablation study isolates three major components: mutation mechanism, semantic fitness, and dual-dimensional judgment. The simplified replacements are, respectively, synonym substitution only, AutoDAN-HGA-style cross-entropy fitness, and keyword matching (Cheng et al., 17 Nov 2025).

Removing the full multi-strategy mutation mechanism has a moderate effect: ASR remains relatively high, around 55.96%–97.88%, which the paper interprets as showing that even simple synonym substitution can still produce useful attacks. However, the full mutation set improves diversity and stability (Cheng et al., 17 Nov 2025).

Removing semantic fitness produces the most severe collapse, down to 5.77% on Gemma-2-9B and 12.12% on TranSpec-13B. Replacing dual-dimensional judgment with keyword matching also causes sharp performance loss, including the previously noted catastrophic drops on Qwen2.5-7B and DeepSeek-V3 (Cheng et al., 17 Nov 2025). Taken together, these findings indicate that the two most consequential design choices are semantically guided search and semantically grounded success verification.

Although the paper does not report formal naturalness scores such as perplexity or human-likeness metrics, it repeatedly claims improvements in naturalness, stealth, and semantic coherence. These claims are tied to three design choices: mutations that preserve readability, semantic filtering that prevents degenerate candidates, and DAN-style prompt prefixes rather than gibberish suffixes (Cheng et al., 17 Nov 2025). A plausible implication is that ForgeDAN’s attack surface includes not only alignment failure but also the limitations of simplistic detectors that rely on obvious lexical or format-based anomalies.

The discussion section implies several limitations. The mutation library remains manually designed, even if extensible. Semantic fitness depends on the quality of the embedding encoder. The real-world dataset is proprietary and drawn from one enterprise, so broader domain generality is not fully established. Cross-model behavior varies, and the paper notes that exact causes are hard to determine because safety-training details are often undisclosed. The method is framed for red teaming, but the paper also acknowledges that, like any jailbreak framework, it could be misused (Cheng et al., 17 Nov 2025).

Within the jailbreak literature, ForgeDAN’s principal significance lies in how it redefines automated DAN-style attack generation as a semantically constrained evolutionary search problem. Its key design pattern is the combination of diverse prompt mutation, embedding-based semantic fitness, and dual-dimensional success verification. The paper’s results suggest that these components jointly improve ASR, transferability, robustness, and the reliability of success detection in black-box settings (Cheng et al., 17 Nov 2025).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to ForgeDAN.