Papers
Topics
Authors
Recent
Search
2000 character limit reached

FrankensteinBench Safety Benchmark for Malicious Queries

Updated 4 July 2026
  • FrankensteinBench is a safety benchmark of 11,279 curated malicious queries designed to assess model vulnerabilities through bandit-based red-teaming attacks.
  • It integrates seven benchmark sources using manual vetting, automated enhancement, and de novo generation to balance simple and complex query representations.
  • The benchmark measures attack success rates and regrets across high-stakes domains like Finance, Healthcare, and Cybersecurity to expose safety weaknesses.

Searching arXiv for the specified paper and related benchmark context. Tool unavailable in this environment; proceeding using the provided arXiv metadata and supplied paper details. FrankensteinBench is a safety benchmark of 11,27911{,}279 malicious queries introduced in "Jailbreaking for the Average Jane: Choosing Optimal Jailbreaks via Bandit Algorithms for Automatically Enhanced Queries" (Shukla et al., 25 Jun 2026). It is constructed by integrating queries drawn, via filtering and relabeling, from seven existing benchmarks, then extending that pool through automated enhancement and generation. The benchmark is designed to distinguish between simple malicious prompts and complex malicious prompts that embed intent in domain-specific jargon or procedural detail, and it is organized across six high-stakes domains: Finance, Healthcare, Education, Cybersecurity, Legal, and Public-harm. Within the associated evaluation pipeline, FrankensteinBench functions as the query corpus for bandit-based red-teaming attacks, especially as the exploitation set for measuring attack success under learned jailbreak-selection policies (Shukla et al., 25 Jun 2026).

1. Corpus definition and scope

FrankensteinBench comprises 11,27911{,}279 unique malicious queries. The benchmark integrates queries drawn from seven recent sources: AIRBench 2024, WMDP, JailbreakV-28K, HarmBench, MedSafetyBench, JailbreakBench, and HarmfulQA. After domain-filtering, deduplication, manual vetting, and complexity labeling, the total size is 11,27911{,}279 (Shukla et al., 25 Jun 2026).

The benchmark is explicitly motivated by a gap in existing safety evaluation. Existing benchmarks emphasize coverage across many categories, but often contain only simple or naïve malicious queries, such as direct requests framed in plain language. FrankensteinBench is intended to fill that gap by curating both simple and complex queries, ensuring coverage across six high-stakes domains, and serving as the evaluation corpus in bandit-based red-teaming attacks.

Split Size % Complex
Train 9,036 34.3%
Val 1,004 35.4%
Test 1,239 47.3%
Overall 11,279 35.9%

The reported composition indicates that complexity is not uniformly distributed across splits: the Test split contains a substantially larger fraction of complex queries than the Train and Val splits. A plausible implication is that the benchmark’s held-out evaluation regime is intentionally stress-inducing for safety-aligned systems, although the paper states the factual distribution rather than an explicit causal rationale.

2. Construction pipeline

The construction process begins with a manually vetted pool Q0Q_0. The pseudocode description specifies iteration over the seven source benchmarks, retaining a query when it is high-quality, belongs to one of the six in-scope domains, and is unique. The curation criteria for a high-quality query are: unambiguous malicious intent, non-triviality to answer, uniqueness, and in-scope domain coverage (Shukla et al., 25 Jun 2026).

Initial hand labels of simple versus complex were used only to guide selection and were not treated as final labels. The resulting Q0Q_0 contained 1,3251{,}325 manually vetted queries, of which $784$ were complex and $541$ were simple. The benchmark summary subsequently reports a Test split of 1,2391{,}239 queries and states that the remaining $86$ manual queries, together with 11,27911{,}2790 new queries, formed the crowdsourcing pool 11,27911{,}2791 for complexity annotation.

The benchmark then expands beyond the manually curated pool in two automated ways. First, it performs automated enhancement, rewriting simple queries into domain-rich, jargon-heavy variants by prompting open LLMs with an enhancement template that instructs the model to “convert into a complex harmful prompt” by adding real-world details, regulatory citations, multi-step scenarios, and related structure. Second, it performs automatic generation of complex queries by conditioning on AIRBench’s fine-grained risk categories. In this generation stage, gemini-2.0-flash and gpt-4o-mini are used, and the process adds approximately 11,27911{,}2792 novel complex queries (Shukla et al., 25 Jun 2026).

To preserve class balance, the benchmark also includes 11,27911{,}2793 additional simple queries manually added from the same seven benchmarks. The resulting artifact is therefore neither purely inherited nor purely synthetic: it is a composite benchmark combining manual curation, enhancement-based rewriting, and de novo generation.

3. Complexity taxonomy and labeling methodology

FrankensteinBench operationalizes malicious-query complexity as a binary distinction. A simple query directly states malicious intent in plain language and requires no specialized knowledge to formulate; the benchmark’s example is “How do I make a bomb?” A complex query embeds malicious intent in domain-specific jargon or engineering detail and is described as difficult for the “average Jane” to craft without expertise. The benchmark’s example is a multi-step cybersecurity request involving transient XSS in a Kubernetes control plane, exfiltration of AWS IAM tokens, and evasion of CloudTrail logs (Shukla et al., 25 Jun 2026).

Ground-truth complexity annotation is established on a crowdsourced pool of 11,27911{,}2794 queries with 11,27911{,}2795 independent annotations per query, aggregated by majority vote to form the validation set 11,27911{,}2796. The reported agreement statistics are Fleiss’ 11,27911{,}2797 and Gwet’s AC1 11,27911{,}2798. This suggests that simple-versus-complex labeling is not a trivial surface judgment; it is a structured annotation problem affected by class imbalance and by the semantic coupling between harmful intent and domain-specific elaboration.

The automated complexity classifier is an ensemble combining four components: Dale-Chall Readability with threshold 11,27911{,}2799, Flesch–Kincaid grade level, Automated Readability Index, and an LLM-as-a-Judge based on gpt-4.1-2025-04-14. The logical decision rule is the benchmark’s “any-simple” criterion: 11,27911{,}2790

Hyperparameters were chosen by grid search on 11,27911{,}2791, with approximately 11,27911{,}2792 million ensemble configurations evaluated. The best ensemble consisted of Dale-Chall 11,27911{,}2793 together with gpt-4.1 judgment, achieving 11,27911{,}2794 accuracy on 11,27911{,}2795 (Shukla et al., 25 Jun 2026). Final labels for the Train and Val splits are obtained by applying this classifier to the remaining queries from the original seven benchmarks.

4. Data model and organization

Each FrankensteinBench record is a JSON object with six fields:

  • id: unique query identifier
  • query_text: malicious prompt
  • source: one of the seven benchmark names or "enhanced" / "generated"
  • domain: one of {Finance, Healthcare, Education, Cybersecurity, Legal, Public-harm}
  • complexity: Boolean, where true = complex and false = simple
  • split: one of "train", "val", or "test"

The benchmark is released with queries sorted by (domain, complexity, split). The associated indexing supports sampling by domain or by simple/complex label in 11,27911{,}2796. This organization makes the benchmark directly usable for controlled evaluation settings such as domain ablation, complexity-conditioned testing, and split-specific attack protocols (Shukla et al., 25 Jun 2026).

The schema also clarifies the benchmark’s provenance semantics. Because source may indicate either an inherited benchmark or an internally produced transformation such as "enhanced" or "generated", the dataset preserves information about how each malicious query entered the corpus. That provenance is important for downstream analysis because the benchmark’s empirical findings depend partly on comparing originally simple prompts with automatically enhanced complex variants.

5. Evaluation role in bandit-based jailbreak attacks

FrankensteinBench is embedded in a two-phase attack pipeline based on the multi-armed bandit framework. In this setting, the Exploration set is the Train split with 11,27911{,}2797 queries, and the Exploitation set is the Test split with 11,27911{,}2798 queries (Shukla et al., 25 Jun 2026). The paper distinguishes two attack modes:

  • Transfer Attack: the policy is updated only during exploration, then frozen and applied to exploitation.
  • Continual Attack: the policy continues to update during exploitation.

The central evaluation metric is attack success rate (ASR). For model 11,27911{,}2799, jailbreak Q0Q_00, and query set Q0Q_01, FrankensteinBench uses

Q0Q_02

where Q0Q_03 if response Q0Q_04 enables the malicious task and Q0Q_05 otherwise, with the judgment made by an LLM (Shukla et al., 25 Jun 2026).

The paper also tracks regret. For the Transfer Attack, Exploitation Regret is defined against the single best comparator jailbreak Q0Q_06. Dynamic Regret relative to the best sequence comparator is also tracked, although the paper states that sublinear dynamic regret is impossible in the adversarial bandit setting and uses it only as a hard reference. In this framework, FrankensteinBench is not merely a static benchmark of harmful prompts; it is the substrate for measuring online jailbreak selection, transfer, and exploitation-time performance.

6. Empirical findings and interpretive significance

The benchmark yields several empirical findings about malicious-query difficulty and jailbreak efficacy. Even without any jailbreak, the reported baseline ASR across Q0Q_07 LLMs on the Test split is approximately Q0Q_08. Query complexity alone materially changes this baseline: complex queries reach approximately Q0Q_09 baseline ASR, compared with Q0Q_00 for simple queries, a difference of Q0Q_01 percentage points (Shukla et al., 25 Jun 2026).

For single-jailbreak evaluation, the best individual jailbreak, exemplified by libertas, yields approximately Q0Q_02 average ASR. Bandit-based selection performs better than any single jailbreak in the reported experiments. Under the Transfer Attack, EXP3 and ThompsonSampling outperform fixed jailbreak choice; the paper gives the example that on gpt-oss-20b, ThompsonSampling reaches Q0Q_03 ASR versus Q0Q_04 for libertas. Under the Continual Attack, ASR increases by an additional Q0Q_05 to Q0Q_06 percentage points over Transfer. Under multi-pass evaluation with more than one try per query, the average gains are Q0Q_07 percentage points for Q0Q_08 and Q0Q_09 percentage points for 1,3251{,}3250, with reported performance reaching up to 1,3251{,}3251 ASR across models for 1,3251{,}3252 (Shukla et al., 25 Jun 2026).

FrankensteinBench is especially significant for the study of prompt complexity. The benchmark reports that adding complexity to queries raises ASR by up to 1,3251{,}3253 percentage points when jailbreaks are used. This result directly supports the paper’s claim that automatically enhancing or generating complex prompts is an effective attack strategy. It also counters a common simplification in benchmark interpretation: maliciousness is not exhausted by overtly harmful wording. In FrankensteinBench, domain-specific jargon and procedural framing are themselves central variables in attack success.

The reported transferability results further define the benchmark’s role in adversarial evaluation. In domain ablation, exploring on any five domains remains within 1,3251{,}3254 percentage points of full-data ASR on the held-out domain. In model transfer, policies learned on small proxy models such as gemma-3-4b-it transfer to larger targets such as gpt-oss-120b with approximately 1,3251{,}3255 ASR. In jailbreak pruning, even using only the bottom-1,3251{,}3256 jailbreaks, bandit attacks maintain at least approximately 1,3251{,}3257 ASR, compared with approximately 1,3251{,}3258 for uniform sampling (Shukla et al., 25 Jun 2026). A plausible implication is that FrankensteinBench exposes not only weaknesses in individual jailbreak defenses, but also structural vulnerabilities in how safety-aligned LLMs respond to adaptively selected prompt wrappers and complexity-enhanced malicious intent.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to FrankensteinBench.