{"id":"https://openalex.org/W7084752228","doi":"https://doi.org/10.48550/arxiv.2510.02833","title":"Attack via Overfitting: 10-shot Benign Fine-tuning to Jailbreak LLMs","display_name":"Attack via Overfitting: 10-shot Benign Fine-tuning to Jailbreak LLMs","publication_year":2025,"publication_date":"2025-10-03","ids":{"openalex":"https://openalex.org/W7084752228","doi":"https://doi.org/10.48550/arxiv.2510.02833"},"language":"en","primary_location":{"id":"doi:10.48550/arxiv.2510.02833","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2510.02833","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2510.02833","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Xie, Zhixin","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xie, Zhixin","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":null,"display_name":"Song, Xurui","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Song, Xurui","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":null,"display_name":"Luo, Jun","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Luo, Jun","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":3,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":true,"primary_topic":{"id":"https://openalex.org/T14240","display_name":"E-Learning and COVID-19","score":0.034699998795986176,"subfield":{"id":"https://openalex.org/subfields/3304","display_name":"Education"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T14240","display_name":"E-Learning and COVID-19","score":0.034699998795986176,"subfield":{"id":"https://openalex.org/subfields/3304","display_name":"Education"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T14182","display_name":"Technology-Enhanced Education Studies","score":0.030400000512599945,"subfield":{"id":"https://openalex.org/subfields/3304","display_name":"Education"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T10162","display_name":"Online and Blended Learning","score":0.026799999177455902,"subfield":{"id":"https://openalex.org/subfields/3304","display_name":"Education"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/overfitting","display_name":"Overfitting","score":0.5871000289916992},{"id":"https://openalex.org/keywords/moderation","display_name":"Moderation","score":0.5601999759674072},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.5126000046730042},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.43050000071525574},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.4099000096321106},{"id":"https://openalex.org/keywords/compromise","display_name":"Compromise","score":0.37610000371932983}],"concepts":[{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6294000148773193},{"id":"https://openalex.org/C22019652","wikidata":"https://www.wikidata.org/wiki/Q331309","display_name":"Overfitting","level":3,"score":0.5871000289916992},{"id":"https://openalex.org/C93225998","wikidata":"https://www.wikidata.org/wiki/Q1941972","display_name":"Moderation","level":2,"score":0.5601999759674072},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.5126000046730042},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.4740000069141388},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.43050000071525574},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.4099000096321106},{"id":"https://openalex.org/C46355384","wikidata":"https://www.wikidata.org/wiki/Q726686","display_name":"Compromise","level":2,"score":0.37610000371932983},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.3668999969959259},{"id":"https://openalex.org/C12713177","wikidata":"https://www.wikidata.org/wiki/Q1900281","display_name":"Perspective (graphical)","level":2,"score":0.3560999929904938},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.3456999957561493},{"id":"https://openalex.org/C15744967","wikidata":"https://www.wikidata.org/wiki/Q9418","display_name":"Psychology","level":0,"score":0.3337000012397766},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.328900009393692},{"id":"https://openalex.org/C3017944768","wikidata":"https://www.wikidata.org/wiki/Q1450463","display_name":"Poison control","level":2,"score":0.2554999887943268}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2510.02833","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2510.02833","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2510.02833","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2510.02833","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.8135235905647278}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Despite":[0],"substantial":[1],"efforts":[2],"in":[3,184,198],"safety":[4,28],"alignment,":[5],"recent":[6,43],"research":[7],"indicates":[8,45],"that":[9,25,46,85,178],"Large":[10],"Language":[11],"Models":[12],"(LLMs)":[13],"remain":[14],"highly":[15],"susceptible":[16],"to":[17,35,59,106,144],"jailbreak":[18,38],"attacks.":[19],"Among":[20],"these":[21],"attacks,":[22],"finetuning-based":[23],"ones":[24],"compromise":[26],"LLMs'":[27,209],"alignment":[29],"via":[30,121],"fine-tuning":[31,47,69,91,107,114,122,132],"stand":[32],"out":[33],"due":[34],"its":[36],"stable":[37],"performance.":[39],"In":[40,80],"particular,":[41],"a":[42,159,203],"study":[44],"with":[48,92,117,123,136,172,214],"as":[49,51],"few":[50],"10":[52,94],"harmful":[53,64],"question-answer":[54],"(QA)":[55],"pairs":[56,126],"can":[57,87],"lead":[58],"successful":[60],"jailbreaking":[61],"across":[62],"various":[63],"questions.":[65],"However,":[66],"such":[67],"malicious":[68],"attacks":[70],"are":[71],"readily":[72],"detectable":[73],"and":[74,149,169,188,201],"hence":[75],"thwarted":[76],"by":[77,90],"moderation":[78],"models.":[79],"this":[81],"paper,":[82],"we":[83],"demonstrate":[84,177],"LLMs":[86,105,168,200],"be":[88],"jailbroken":[89],"only":[93],"benign":[95,124,138,215],"QA":[96,125],"pairs;":[97],"our":[98,113,163,179],"attack":[99,164,186,189],"exploits":[100],"the":[101,141,146,156,166],"increased":[102],"sensitivity":[103],"of":[104,155,158],"data":[108],"after":[109],"being":[110],"overfitted.":[111],"Specifically,":[112],"process":[115],"starts":[116],"overfitting":[118],"an":[119],"LLM":[120,143],"involving":[127],"identical":[128],"refusal":[129,147],"answers.":[130],"Further":[131],"is":[133,211,219],"then":[134],"performed":[135],"standard":[137],"answers,":[139],"causing":[140],"overfitted":[142],"forget":[145],"attitude":[148],"thus":[150],"provide":[151,202],"compliant":[152],"answers":[153],"regardless":[154],"harmfulness":[157],"question.":[160],"We":[161],"implement":[162],"on":[165,206],"ten":[167],"compare":[170],"it":[171],"five":[173],"existing":[174],"baselines.":[175],"Experiments":[176],"method":[180],"achieves":[181],"significant":[182],"advantages":[183],"both":[185],"effectiveness":[187],"stealth.":[190],"Our":[191,217],"findings":[192],"expose":[193],"previously":[194],"unreported":[195],"security":[196,210],"vulnerabilities":[197],"current":[199],"new":[204],"perspective":[205],"understanding":[207],"how":[208],"compromised,":[212],"even":[213],"fine-tuning.":[216],"code":[218],"available":[220],"at":[221],"https://github.com/ZHIXINXIE/tenBenign.":[222]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}