CrescendoDefense: A Multi-Layer Runtime Defense Framework Against LLM Jailbreak Attacks

Introduces the three-layer runtime defense framework CrescendoDefense, developed by Mahek Nishant Vedant (Source: GitHub project crescendo-defense, released on June 4, 2026). This framework targets Crescendo-style multi-turn jailbreak attacks and effectively reduces the attack success rate through three strategies: semantic kinematics detection, strategic context expulsion, and semantic response auditing.

With the widespread application of LLMs, Crescendo-style multi-turn jailbreak attacks have become a new type of threat. Its core is to gradually guide the model to break through security boundaries through multi-turn dialogue, which is difficult to intercept by traditional single-turn review. The attack has four core mechanisms: 1. Memory stacking (spreading malicious intent across multi-turn dialogues); 2. Defense-reducing dialogue (building trust to relax the model's defenses); 3. Semantic drift (gradual topic shift to dangerous domains); 4. Prompt camouflage (packaging malicious instructions as academic/creative scenarios).

CrescendoDefense adopts three complementary strategies:

1. Semantic Kinematics Detector: Monitors dialogue trajectories in real time, identifying attack patterns through four metrics: absolute risk (D), semantic velocity (V), semantic acceleration (A), and cumulative risk (C);
2. Strategic Context Expulsion: When suspicious patterns are detected, selectively removes intermediate content while retaining system prompts, first-round input, previous round input, and latest input to interrupt memory stacking;
3. Semantic Response Auditor: Reviews responses after generation, comparing against unsafe completion patterns (e.g., malware assistance, cyber attack guidance, etc.).

Experimental Setup: Target model Llama-3.2-3B-Instruct, embedding model all-MiniLM-L6-v2, 22 test scenarios (15 adversarial, 5 benign, 2 mixed). Key Results: The original model's attack success rate was 86.67%, which dropped to 26.67% with the full framework (a relative reduction of 69.2%); the combination of the first and second layers had a false positive rate of 0%; the first two layers alone reduced the attack success rate by more than half.

Conclusions: The framework significantly improves the model's resistance to multi-turn jailbreak attacks, is lightweight, and model-agnostic. Application Prospects: Provides a security enhancement solution for developers and opens up new directions for security research (e.g., semantic kinematics detection). Future Directions: Adaptive threshold adjustment, dynamic security anchor generation, improved context retention, integration with existing security frameworks, and larger-scale evaluations.