defense 2026

TwinGate: Stateful Defense against Decompositional Jailbreaks in Untraceable Traffic via Asymmetric Contrastive Learning

Bowen Sun 1, Chaozhuo Li 2, Yaodong Yang 3, Yiwei Wang 4, Chaowei Xiao 1

0 citations

Published on arXiv: 2604.27861

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

Achieves high malicious intent recall at remarkably low false positive rate with negligible latency overhead, executing in parallel with LLM prefill phase

TwinGate

Novel technique introduced


Decompositional jailbreaks pose a critical threat to large language models (LLMs) by allowing adversaries to fragment a malicious objective into a sequence of individually benign queries that collectively reconstruct prohibited content. In real-world deployments, LLMs face a continuous, untraceable stream of fully anonymized and arbitrarily interleaved requests, infiltrated by covertly distributed adversarial queries. Under this rigorous threat model, state-of-the-art defensive strategies exhibit fundamental limitations. In the absence of trustworthy user metadata, they are incapable of tracking global historical contexts, while their deployment of generative models for real-time monitoring introduces computationally prohibitive overhead. To address this, we present TwinGate, a stateful dual-encoder defense framework. TwinGate employs Asymmetric Contrastive Learning (ACL) to cluster semantically disparate but intent-matched malicious fragments in a shared latent space, while a parallel frozen encoder suppresses false positives arising from benign topical overlap. Each request requires only a single lightweight forward pass, enabling the defense to execute in parallel with the target model's prefill phase at negligible latency overhead. To evaluate our approach and advance future research, we construct a comprehensive dataset of over 3.62 million instructions spanning 8,600 distinct malicious intents. Evaluated on this large-scale corpus under a strictly causal protocol, TwinGate achieves high malicious intent recall at a remarkably low false positive rate while remaining highly robust against adaptive attacks. Furthermore, our proposal substantially outperforms stateful and stateless baselines, delivering superior throughput and reduced latency.


Key Contributions

  • TwinGate framework using asymmetric contrastive learning to detect malicious intent across fragmented, anonymized queries in untraceable traffic streams
  • Dual-encoder architecture with frozen encoder to suppress false positives from benign topical overlap while clustering malicious fragments
  • Large-scale evaluation dataset of 3.62M instructions spanning 8,600 malicious intents for decompositional jailbreak research


Details

Domains
nlp
Model Types
llm, transformer
Threat Tags
inference_time, black_box
Datasets
Custom dataset of 3.62M instructions with 8,600 malicious intents
Applications
llm safety, jailbreak detection, content moderation