THRD: A Training-Free Multi-Turn Defense Framework for Jailbreak Attacks on Large Language Models

Researchers have developed THRD, a training-free defense framework that detects multi-turn jailbreak attacks on large language models by tracking how safety risks accumulate across conversation turns. The system achieves 0.2-4.0% attack success rates while maintaining model utility, addressing a critical vulnerability where attackers exploit conversational dynamics rather than single prompts.

Multi-turn jailbreak attacks represent an emerging threat to LLM safety that existing defenses fail to address adequately. Unlike single-prompt attacks, these exploits gradually escalate requests across multiple conversation turns, leveraging dialogue history to manipulate model behavior. The THRD framework fills this gap by introducing temporal risk modeling—a paradigm shift from analyzing each turn independently to tracking how safety threats accumulate across interaction trajectories.

The technical innovation lies in THRD's four-module architecture: a Turn-level Risk Assessor evaluates immediate threat levels, a Historical Context Analyzer detects escalation patterns, a Response Evaluator identifies outputs that facilitate jailbreaks, and a Decision Module synthesizes these signals through time-evolving scoring. Critically, the framework requires no retraining, avoiding the model degradation that plagues other defenses. Field analysis shows over 70% of attacks succeed only after turn two, validating the necessity of temporal aggregation rather than snapshot evaluation.

For the AI industry, this research has substantial implications. LLM providers face mounting pressure to ensure conversational safety without sacrificing performance—a tension THRD largely resolves through its training-free approach. The framework's cross-architecture generalization suggests broad applicability across different models. However, the research also highlights an arms race: sophisticated attackers continue developing novel exploitation strategies, requiring ongoing defensive innovation. Organizations deploying conversational AI systems should consider implementing trajectory-aware monitoring rather than turn-by-turn filtering. The paper's emphasis on temporal dynamics may influence future safety standards and deployment protocols.

• →THRD achieves 0.2-4.0% attack success rates on multi-turn jailbreaks while preserving model utility with minimal degradation
• →The framework models temporal risk accumulation across conversation turns rather than evaluating each turn in isolation
• →Over 70% of multi-turn attacks require turn two or later to succeed, validating explicit temporal aggregation approaches
• →Training-free design enables deployment without retraining existing models or degrading their general capabilities
• →Cross-architecture generalization suggests the framework applies broadly across different LLM architectures