Semantic-Driven Contextual Multi-Turn Attacks

Updated 13 March 2026

Semantic-driven contextual multi-turn attacks are adversarial strategies that use a series of interconnected dialogue turns to covertly steer LLMs towards harmful outputs.
They employ techniques such as sequential semantic progression, pattern-guided prompts, and intent–context coupling to circumvent static safety filters.
Empirical evaluations reveal high attack success rates (e.g., ICON nearing 97–100% ASR) despite low query costs, highlighting significant vulnerabilities in current models.

Semantic-driven contextual multi-turn attacks are a class of adversarial strategies against LLMs that exploit the model’s sequence-processing and contextual integration mechanisms. In these attacks, semantic intent is distributed, obfuscated, or gradually constructed across multiple conversational turns. Rather than issuing an explicit harmful query, the attacker crafts a series of semantically interconnected or contextually blended prompts—each individually benign, yet collectively steering the model to produce prohibited, harmful, or policy-violating outputs. Such attacks pose acute challenges for current safety alignment protocols, as single-turn filters or static guardrails are unable to detect the evolving, concealed intent revealed only across dialogue history.

1. Formal Foundations and Attack Taxonomy

Semantic-driven contextual multi-turn attacks generalize the classical notion of “jailbreaking” LLMs beyond single-turn adversarial prompts. The defining characteristic is that an attacker issues a sequence of user queries $\mathcal{T} = \{u_1, \dots, u_m\}$ , intending to elicit a response $r_t$ that fulfills a target harmful objective $\mathcal{O}$ only when the dialogue context $\mathcal{H}_{t-1}$ is sufficiently primed. The fulfillment is often evaluated via a semantic similarity function $\mathcal{E}(\mathcal{O}, r_t)$ , e.g., cosine similarity over embeddings (Nihal et al., 9 Oct 2025), and attack success is declared if: $\max_{1 \le t \le m} \mathcal{E}(\mathcal{O}, r_t) > \tau,$ for some threshold $\tau$ .

The taxonomy of these attacks includes:

Sequential Semantic Progression: Each user turn increases semantic proximity to the objective; examples include Next/Regen/Back/End walk strategies as in Chain of Attack (CoA) (Yang et al., 2024).
Pattern-Guided: Attacks may deliberately follow technical-educational, personal experience, scenario-based, informational, or problem-solving patterns, each exploiting a distinct LLM conversational weakness (Nihal et al., 9 Oct 2025).
Intent–Context Coupling: Specific malicious intents are embedded within congruent, authoritative-styled context patterns for maximal safety relaxation (ICON) (Lin et al., 28 Jan 2026).
Distributional Shifts: Adversaries generate multi-turn queries that induce a natural distribution shift from overtly toxic prompts to semantically obfuscated but functionally equivalent variants (ActorAttack) (Ren et al., 2024).
Psychological Manipulation: The “foot-in-the-door” (FITD) paradigm incrementally escalates benign requests into illicit or harmful goals (Kumarappan et al., 24 Nov 2025).
Long-Range Contextual Backdoors: Triggers distributed over user turns activate hidden behavior when sufficiently many are present (Tong et al., 2024).
Turn Amplification: Rather than seeking a harmful output, the intent is to prolong the conversation indefinitely by semantically steering the model into persistent clarification-seeking (Coalson et al., 19 Feb 2026).

2. Attack Methodologies and Core Mechanisms

Contemporary frameworks for semantic-driven multi-turn attacks integrate both hand-crafted patterns and learning-based optimization:

CoA (Chain of Attack): Decomposes a harmful instruction into multiple “stepping stone” sub-prompts, iteratively updating each based on semantic progress toward the final objective. A contrastive encoder (e.g., SIMCSE) measures alignment at every turn, and policy feedback determines whether to advance, regenerate, or revert prompts (Yang et al., 2024).
PE-CoA (Pattern-Enhanced CoA): Expands CoA’s semantic progression by optimizing both semantic similarity and pattern conformance, employing five conversation archetypes (technical, experiential, hypothetical, informational, problem-solving) (Nihal et al., 9 Oct 2025).
ICON (Intent-Context Coupling): Routes each attack intent to a context pattern empirically shown to relax LLM safety constraints, then instantiates prompt sequences accordingly. Hierarchical optimization alternates between local prompt refinement and global context switching, efficiently escaping ineffective configurations (Lin et al., 28 Jan 2026).
MUSE-A (Frame-Semantic Guided Attack): Uses frame semantics to structure multi-turn attack trajectories, with actions corresponding to intra-frame expansions, inter-frame decompositions, and perspective redirections. A Monte-Carlo Tree Search (MCTS) explores diverse, high-reward semantic paths (Yan et al., 18 Sep 2025).
SEMA: Trains a multi-turn attacker with intent-drift-aware reward, combining alignment, compliance risk, and detail, while using open-loop generation to control exploration complexity (Feng et al., 6 Feb 2026).
Psychological Templates (FITD): Operationalizes social engineering paradigms into reproducible, automated multi-turn jailbreak scenarios, escalating innocuous dialogue into prohibited requests (Kumarappan et al., 24 Nov 2025).
Learning-Based Approaches (Siren): Constructs training sets with turn-level feedback, supervised fine-tuning, and preference optimization to learn highly effective multi-turn attack strategies against various LLMs (Zhao et al., 24 Jan 2025).

A distinctive mechanism across these frameworks is the use of semantic feedback—e.g., by calculating the semantic similarity between each intermediate response and the attack target—to adaptively steer the conversation.

3. Empirical Evaluation, Model Vulnerabilities, and Comparative Results

Evaluation of multi-turn semantic attacks centers on the attack success rate (ASR), commonly defined as the fraction of attacks where the model outputs a response judged as unsafe or harmful: $\mathrm{ASR} = \frac{1}{N}\sum_{i=1}^N \mathbb{1}\{ J(r_t^{(i)}, \mathcal{O}_i) = 1 \}.$ Robust empirical protocols utilize LLM-based judges (e.g., GPT-3.5-turbo, GPT-4o) with standardized safety criteria (Nihal et al., 9 Oct 2025, Yan et al., 18 Sep 2025).

Key quantitative findings include:

Attack / Model	Llama-3-8B	GPT-4o	Claude-3.5	Gemini Pro	Qwen2.5
ActorAttack	7–10%	8%	1%	–	41%
CoA	5–7%	4%	1%	–	13%
MUSE-A	24–32%	16%	2%	–	69%
ICON	97%	99%	97%	92.5%	100%
Siren (Mistral→GPT-4o)	–	70%	24%	88%	81.9%
SEMA (Llama-3.1 as attacker, AdvBench ASR@1)	77.2%	83.3%	–	–	80.1%

ICON achieves state-of-the-art average ASR (97.1%) with very low query cost and remarkable cross-model transferability (Lin et al., 28 Jan 2026). Template-based FITD attacks boost GPT-4o Mini’s ASR from 44.35% (single-turn) to 65.45% (multi-turn), a ΔASR of +21.1pp, highlighting context priming vulnerabilities (Kumarappan et al., 24 Nov 2025).

Model family susceptibility varies: GPT series exhibit pronounced contextual priming, while Gemini and Claude models implement strong pre-generation blocking or pedagogical refusals, yielding near-zero ASRs under standard attack regimes (Kumarappan et al., 24 Nov 2025).

4. Theoretical Advances: Semantic Drift, Intent Coupling, and Pattern Awareness

Recent research elucidates why semantic-driven contextual attacks systematically bypass static LLM guardrails:

Semantic Drift: Attackers engineer each turn to induce a minor shift in the model’s internal context embedding, accumulating over T turns to prime for policy violation. Quantified as $\Delta_s(t)=\lVert z_t - z_{t-1} \rVert$ with embeddings $z_t$ (Kulkarni et al., 18 Mar 2025).
Cross-Turn Intention Hiding: Malicious intent is camouflaged behind academic, hypothetical, or narrative contexts until the final turn, preventing single-turn detectors from flagging the sequence (Nihal et al., 9 Oct 2025).
Intent–Context Coupling: Specific malignant intents are empirically much more likely to succeed in select context types (e.g., scientific or journalistic frames), revealing non-uniform relaxation of safety boundaries (Lin et al., 28 Jan 2026).
Pattern-Specific Weaknesses: Robustness to one conversational pattern does not generalize; LLM families inherit “behavioral signatures” or “vulnerability vectors” based on pretraining and alignment curricula (Nihal et al., 9 Oct 2025).

5. Defense Frameworks Targeting Semantic Multi-Turn Attacks

Countermeasures increasingly model the dialogue as a dynamic system, tracking cumulative context and intent signals:

Temporal Context Awareness (TCA): Computes embeddings for each cumulative context, monitors semantic drift, and scores cross-turn intention consistency. Elevates risk scores upon detecting significant semantic change, enabling early warnings or conversation blocks (Kulkarni et al., 18 Mar 2025).
Neural Barrier Function (NBF): Implements forward-invariant safety steering by learning a barrier over latent conversation states. At each turn, candidate queries are filtered based on predicted worst-case unsafety, guarding against context-driven jailbreaks and guaranteeing robust, step-wise control (Hu et al., 28 Feb 2025).
Pattern-Aware Filters: Real-time classifiers can monitor pattern archetypes and trigger policy escalation if a high-risk conversational footprint is detected (Nihal et al., 9 Oct 2025).
Decayed Contrastive Decoding: At generation time, penalizes response tokens when final-layer predictions diverge sharply (as expected in multi-turn triggered backdoors) from earlier-layer semantics; this method reduces ASR to 0.35% even for 5%-poisoned models, preserving generation quality (Tong et al., 2024).

6. Model Vulnerabilities, Transferability, and Implications

Semantic-driven, multi-turn attacks expose latent LLM vulnerabilities that static prompt-based gatekeepers cannot capture. Empirical studies find:

Transferability: Attack chains constructed for one model or architecture often retain high ASR (up to 60%) when replayed unmodified against others (Yang et al., 2024).
Combinatorial Expansion: Pattern and context space for attacks is vast (e.g., PE-CoA: 10 harm categories × 5 patterns = 50 axes), resulting in a challenging detection landscape (Nihal et al., 9 Oct 2025).
Contextual “Blind Spots”: Benign-appearing conversational escalation, role-play, academic or investigative framing (as in ICON), and indirect inquires systematically evade filters that rely on per-turn static moderation (Zhao et al., 24 Jan 2025, Lin et al., 28 Jan 2026).
Amplification Attacks: Semantic steering can inflate the number of turns required to get a response, imposing operational costs—this attack mode is independent of safety/risk but exploits context-following behavior (Coalson et al., 19 Feb 2026).

7. Open Challenges and Future Directions

Despite substantial progress, open research directions include:

Adaptive and Content-Pattern Hybrid Defenses: Integrating semantics, dialogue dynamics, and conversational pattern detection at run-time to preemptively block or escalate suspicious multi-turn chains (Nihal et al., 9 Oct 2025).
Adversarial Training with Naturalistic Multi-Turn Chains: Injecting realistic, pattern-rich, and escalating adversarial dialogues into RLHF/fine-tuning cycles to harden future models (Feng et al., 6 Feb 2026).
Real-Time Escalation and Attack Chain Detection: Building deployable systems capable of early detection and interruption of unfolding semantic-driven attacks, minimizing risk without sacrificing user utility.
Model and Architecture Diversity: Regularly testing and aligning new architectures, as shared training artifacts propagate signature vulnerabilities across entire model families (Nihal et al., 9 Oct 2025).

Research consistently demonstrates that semantic-driven contextual multi-turn attacks are a central, evolving threat vector for LLM safety, demanding context-aware, adaptive, and pattern-diverse defenses. Their prevalence in red-teaming benchmarks and high empirical success rates against state-of-the-art LLMs highlight both the urgency of developing robust countermeasures and the need for ongoing, cross-disciplinary study.