CrescendoGuard: An LLM Security Defense Framework Against Multi-Turn Jailbreak Attacks

CrescendoGuard is a reproducible defense framework against Crescendo-style multi-turn dialogue jailbreak attacks, protecting LLMs through a multi-layer mitigation pipeline and cumulative risk scoring mechanism. Built on Llama 3.2 3B Instruct, the framework supports a DryRun simulator (for reproducible benchmarking) and real model clients. It is open-source and reproducible, providing a defense approach of "full dialogue trajectory monitoring" for AI security.

Crescendo attack is a progressive jailbreak technique that leverages the context memory capability of LLMs. It gradually builds a narrative foundation through multiple rounds of seemingly harmless dialogues, accumulating towards harmful content. It bypasses traditional keyword filtering and single-turn security detection, making it a significant threat to LLM security.

The core architecture of CrescendoGuard includes:

1. Risk Detection Layer: Multi-dimensional scanning (hazard category identification, behavior signal detection, memory stacking check, semantic drift monitoring, security research discount) to calculate cumulative risk scores (exponentially decaying weights);
2. Layered Mitigation Pipeline: RollingRiskGate (pre-interception/rewriting), ContextQuarantine (context isolation), PostResponseVerifier (output verification);
3. Dual-Mode Models: DryRunLlamaModel (deterministic simulator), HuggingFaceLlamaClient (production deployment).

Key innovations of the framework:

• Cumulative Risk Calculation: Uses an exponentially decaying weighting algorithm (cumulative_risk = Σ(risk_i × decay^(current_turn - turn_i)) to balance recent and historical risks;
• Deterministic Benchmarking: DryRun simulator ensures consistent test results, facilitating academic reproducibility;
• Modular Configuration: Customize thresholds, weights, and other rules via JSON files without modifying code.

Application scenarios of CrescendoGuard include:

1. Security protection for enterprise-level LLM API services;
2. Risk control for internal AI assistants in organizations;
3. Reproducible testing environment for AI security research;
4. Educational tool to help developers understand multi-turn attack defense.

Current limitations of the framework:

• Based on Llama 3.2 3B; thresholds may need adjustment for large-scale models;
• Regex detection may miss novel attack variants. Future directions: Integrate semantic similarity models to improve detection generalization.

CrescendoGuard represents the shift of LLM security defense from single-turn detection to full dialogue trajectory monitoring. Its open-source and reproducible nature provides a valuable research foundation for the AI security community. As conversational AI becomes more complex, this "holistic perspective" defense approach will become increasingly important.