G-Guard: Graph-Based Jailbreak Detector
- G-Guard is a graph-based input defender that uses attention-aware GNNs to analyze multi-turn conversation graphs and detect harmful jailbreak queries in LLM systems.
- It constructs a global multi-turn graph by merging entity, query nodes, and semantically similar labeled examples to leverage the full dialogue context.
- The model employs subgraph selection and retrieval augmentation to maintain scalability and bolster detection precision even in prolonged conversations.
G-Guard is an attention-aware GNN-based input defender for multi-turn jailbreak detection in LLM systems. It is designed to classify whether the current user query in a multi-turn conversation is harmful by using the current turn together with prior dialogue context, rather than treating each prompt in isolation. Its defining components are a multi-turn entity/query graph, an attention-aware augmentation mechanism that retrieves a semantically similar labeled single-turn query, and a subgraph selection mechanism for long conversations (Huang et al., 9 Jul 2025).
1. Definition and scope
G-Guard addresses multi-turn jailbreak attacks, in which harmful intent is distributed across several turns and may not be explicit in the current query alone. The method is positioned as an input defender inserted before the protected LLM: it consumes the current query plus prior user queries, constructs a graph representation of the conversation, and predicts whether the current query is harmful or benign. If harmful, the query can be blocked before reaching the target model (Huang et al., 9 Jul 2025).
The method is not a general-purpose graph defense, a graph anomaly detector, or a training-data misuse detector. Its scope is specifically multi-turn jailbreak detection for LLMs. The paper emphasizes that this differs from single-turn moderation because multi-turn attacks can gradually escalate the dialogue, with harmful keywords or intent appearing only in earlier turns, while the final turn remains ambiguous in isolation. This suggests that G-Guard is best understood as a context-sensitive safety classifier rather than as a generic moderation model.
2. Threat model and task formulation
The defender assumes access to the full conversation history of user queries up to the current turn and can run auxiliary NLP modules such as entity extraction, embedding models, retrieval, and a GNN classifier. The attacker is assumed to interact over multiple turns and to use semantically related but individually benign-looking steps. The evaluation uses multi-turn prompts generated via ActorAttack, reflecting staged jailbreak conversations rather than isolated harmful prompts (Huang et al., 9 Jul 2025).
At inference time, the system takes a sequence of user queries , where is the current query to classify. The objective is binary classification of the current Query Node as harmful or benign. The paper’s motivation is that existing safeguards and prompt classifiers often miss attacks in which harmfulness emerges from inter-turn dependencies rather than lexical cues in the last message.
A core architectural claim is that harmful cues may reside only in previous turns. G-Guard therefore treats the conversation as a structured object rather than a flattened string. This framing is central to the method’s use of graph construction and message passing.
3. Multi-turn graph construction and retrieval augmentation
For each query, G-Guard uses GraphRAG to extract entities and relationships. The resulting entity graph has nodes and edges . Entity and relation text are embedded with SentenceTransformer, for example
A Query Node representing the full query text is then added and connected to the relevant entity nodes. Graphs from individual turns are merged into a global multi-turn graph: This graph contains Query Nodes, Entity Nodes, entity-entity relation edges, and query-entity links (Huang et al., 9 Jul 2025).
The second major mechanism is attention-aware augmentation. A database of short labeled single-turn queries is constructed from HarmBench, JailbreakBench, and GPT-4o-generated examples. Given query embeddings , a sentence-level attention layer forms an aggregated conversation representation
The system then retrieves the most similar labeled single-turn query by cosine similarity: 0 The retrieved example is inserted into the graph as a labeled node whose text begins with either “It is harmful ...” or “It is benign ...”, and it is connected to the current Query Node with an edge weighted by the similarity score (Huang et al., 9 Jul 2025).
This retrieved node acts as a graph-level memory of known harmful or benign patterns. In the paper’s formulation, it is not a standalone nearest-neighbor decision rule; it is a support node whose information is propagated through the graph along with historical entities and query nodes.
4. GNN classifier and scalability mechanism
The graph is processed with a Graph Convolutional Network. The paper explicitly states that G-Guard adopts a GCN from Kipf and Welling, using the global graph to classify whether the current Query Node is harmful. Entity descriptions, relation descriptions, query texts, and the retrieved labeled example provide the node and relation semantics. The model uses the final representation of the current Query Node for binary harmful/benign prediction (Huang et al., 9 Jul 2025).
The paper does not report an explicit classification loss equation, optimizer type, learning rate, batch size, training epochs, or regularization. It also does not present the standard GCN layer equations. This under-specification is a notable property of the work: the conceptual architecture is clear, but the full training recipe is not given.
As conversations grow, the graph can become large. G-Guard therefore includes subgraph selection. When the number of nodes exceeds a threshold, the method keeps nodes primarily connected to Query Nodes with the highest attention scores and can discard nodes tied only to low-attention historical queries. The reported effect is that, without graph selection, speed degrades as graph size increases, whereas with graph selection, speed remains stable even beyond 500 queries, with only a small drop in accuracy (Huang et al., 9 Jul 2025).
5. Empirical evaluation
The evaluation uses HarmBench, JailbreakBench, and a ChatGPT-4o-generated dataset. HarmBench and JailbreakBench contribute 400 simple jailbreak questions total, consisting of 100 benign and 300 harmful, which are expanded into 1515 multi-turn harmful and benign questions for testing. The ChatGPT-4o dataset includes 600 single-turn questions, 300 benign and 300 harmful, expanded into 3000 multi-turn questions. Multi-turn prompts are generated with ActorAttack (Huang et al., 9 Jul 2025).
The baselines are ChatGPT-4o native safety defenses, Llama Guard 3 8B, WildGuard, and an ablation, G-Guard w/o Aug. The paper evaluates Accuracy, Precision, and Recall. The main reported results are as follows. On HarmBench, G-Guard achieves accuracy 1, precision 2, and recall 3. On JailbreakBench, it achieves accuracy 4, precision 5, and recall 6. On the ChatGPT-generated dataset, it achieves accuracy 7, precision 8, and recall 9 (Huang et al., 9 Jul 2025).
The baselines perform markedly worse, especially in recall. For example, on HarmBench, ChatGPT-4o reports accuracy 0, precision 1, and recall 2; Llama Guard reports 3, 4, and 5; WildGuard reports 6, 7, and 8. On JailbreakBench, G-Guard improves over G-Guard w/o Aug. from accuracy 9 to 0, precision 1 to 2, and recall 3 to 4. On the ChatGPT-generated dataset, augmentation raises accuracy from 5 to 6 and recall from 7 to 8 (Huang et al., 9 Jul 2025).
The paper also reports robustness to longer conversations. As conversation length increases from 5 to 10 turns, recall drops slightly, but accuracy and precision remain high. This suggests that the graph representation retains enough cross-turn context even when harmful intent is distributed across a longer interaction.
6. Interpretation, limitations, and relation to guardrail design
The method’s main technical significance lies in its explicit modeling of cross-turn structure. Queries become nodes, entities become nodes, semantic relations become edges, and a retrieved labeled example becomes an additional support node. This allows harmful cues introduced in earlier turns to influence the classification of the current query. The augmentation results indicate that retrieval contributes substantially to generalization, particularly on JailbreakBench and the ChatGPT-generated benchmark (Huang et al., 9 Jul 2025).
The paper identifies two major limitations. First, there is a scalability trade-off: even with subgraph selection, very long or complex conversations may require aggressive pruning, which can discard low-attention but still relevant context. Second, generalization to novel attacks remains constrained by the available attack data and the static retrieval corpus. The authors note that unforeseen prompt injection tricks, new linguistic styles, novel decomposition patterns, and zero-day jailbreak strategies may not be captured well. Additional practical assumptions are that entity and relation extraction are reliable, full conversation history is available, and harmfulness can be judged from the query context alone (Huang et al., 9 Jul 2025).
A plausible implication is that G-Guard occupies a different part of the safety stack from response-side guard models. Work on output-guard pipelines shows that separate moderation models can themselves be attacked through propagated universal prefixes, particularly when they consume unconstrained model outputs (Mangaokar et al., 2024). G-Guard instead filters at the input side, before generation. This does not establish immunity to adaptive attack, but it places the defense on a different threat surface.
In the arXiv literature, G-Guard therefore denotes a pre-generation, graph-structured, context-aware jailbreak detector for multi-turn dialogue. Its distinctive contribution is not a larger moderator or a stronger single-turn classifier, but a graph formulation of conversational harmfulness in which history, entity relations, and retrieval-based labeled support are jointly used to classify the current query.