Persona Attack: Incremental Memory Injection Jailbreak Attack against Large Language Models

Applications, bias, and safety2026arXivApproved editorial review

Authors: Junyoung Park, Seongyong Ju, Sunghwan Park, Jaewoo Lee

Keywords: Persona conditioning, Safety and bias

Source: Open primary source (opens in a new tab)

4
Authors
9
Findings
18
Limitations
5
Evidence

Editorial summary

English

Persona Attack is a security preprint proposing a four-message jailbreak framed as response simulation. It does not assess personality traits or establish a persistent psychological persona. The target is asked to predict another LLM's response, organize possible outputs into four failure/success categories, provide complete unmasked content, and apply that scheme to a harmful query. The paper is arXiv:2606.00150v1, submitted 29 May 2026 under CC BY 4.0. The audit visually inspected all twenty-one pages plus complete text and TeX. Once concatenates all four instructions into one input; Sequential 1 sends them across four turns. Manual memory prepends prior user and assistant messages to each new query, while state-based memory relies on the Responses API or LangChain to carry history. Main testbeds are GPT-4o via Responses API and Llama-3.2-3B-Instruct via LangChain. Appendices identify gpt-4o-2024-11-20 but omit the Llama revision, decoding settings, hardware, dates, retries, and LangChain memory class. The main set contains sixty harmful questions in six ten-item themes. Provenance conflicts: the method says they were selected from AdvBench, while the appendix says forty come from eight scenarios in another work and some AdvBench items were added. The exact list is unavailable. ASR counts any response without negative refusal. FAR means Fully Attack Success Rate, not false-acceptance rate, and additionally requires complete instruction following and detailed harmful content. On sixty GPT-4o state-based prompts, Table 1 reports Once at 75.0% ASR and 63.3% FAR versus Sequential 1 at 95.0% (57/60) and 88.3% (53/60). GPT-4o Sequential is 88.33/83.33 under manual history and 95/88.33 state-based. For Llama, Once is 20% ASR in both modes; Sequential falls to 5% manual and rises to 35% state-based. A 520-prompt GPT-4o AdvBench appendix extracts the fourth candidate answer and declares failure only when rejection phrases are present, yielding 440/520 or 84.61%. It calls this FAR even though complete detailed compliance is not checked. The number is a non-refusal heuristic resembling ASR, not validated FAR. The central behavioral effect is relevant but the mechanism is over-attributed. Sequential differs from Once through role boundaries, three intermediate model outputs, greater realized context, and provider scaffolding, not memory alone. Manual and state-based modes serialize history differently. Responses API and LangChain supply conversational context; the study does not observe an internal memory state or safety weights. It supports that multi-turn structure and history representation change outputs, not that internal memory reweights or disables alignment. Combination selection also biases the maximum. The authors explicitly test only configurations judged likely to yield high ASR and highlight the best on the same sixty prompts, with no development/test split or held-out validation. Each rate uses one generation per question, with no repeated runs, intervals, or paired tests. Manual scoring does not report raters, blinding, rubric application, agreement, or adjudication. ASR can count a partial, irrelevant, or meta-level answer if it lacks refusal. The attack prompt itself asks the model to generate four labeled candidate cases, blurring generated attack output and evaluation label. The 520-item rejection phrase filter has no human validation or error analysis. Internal contradictions remain: Table 1 gives Once as 75.0% (45/60), while Appendix Table 4 gives 44/60=73.3% for the same GPT-4o composition. Main results name Additional 1 and Additional 2, but the appendix defines only Additional 3-6 and Sequential 2. Comparisons against GCG, Jailbroken, and Parameters omit prompts, tuning, budgets, and per-item outcomes; GCG cannot be optimized on black-box GPT-4o. Zero results for two baselines do not prove superiority over comparably tuned modern attacks. Real-world trials use ChatGPT-4o in the desktop app and Claude 3.7 Sonnet and Grok 3 Beta through Perplexity Pro. Perplexity introduces routing, system prompts, moderation, and mutable aliases, so these are not first-party service tests. Trials are manual and unversioned. The ChatGPT share still returned HTTP 200; both Perplexity links returned 403. The attack was not reproduced. The promised `CAU-CPSS/SLM_sec` repository returns 404 and no replacement exists in the organization. The arXiv package contains manuscript and figures but no datasets, outputs, labels, API code, or notebooks, so no result can be recomputed. The paper includes a content warning and watermarks examples, yet publishes actionable attack prompts and harmful-output links without a responsible-disclosure timeline, provider coordination, abuse analysis, access control, or tested defense. The defensible contribution is that the same simulation strategy produced more non-refusals and detailed harmful responses when distributed across turns with transcript retention in specific model snapshots, and that context-delivery implementation matters. It does not establish a persistent persona, an internal memory mechanism, mechanistic disabling of alignment, 84.61% full harmful compliance, generalization to current services, or reproducible superiority over modern baselines.

Español

Persona Attack es un preprint de seguridad que propone un jailbreak de cuatro mensajes basado en framing de simulación. No evalúa rasgos de personalidad ni crea una persona psicológica persistente: pide al modelo que prediga cómo respondería otro LLM, que organice posibles respuestas en cuatro categorías de fracaso/éxito, que produzca contenido completo sin enmascarar y, finalmente, que aplique ese esquema a una pregunta dañina. El trabajo está en arXiv:2606.00150v1, enviado el 29 de mayo de 2026 bajo CC BY 4.0. La auditoría revisó visualmente sus 21 páginas, el texto y el TeX completos. Los autores comparan Once, que concatena las cuatro instrucciones en una sola entrada, con Sequential 1, que las envía en cuatro turnos. También distinguen manual memory, donde cada nueva consulta vuelve a incluir la transcripción previa de usuario y asistente, y state-based memory, donde Responses API o LangChain conservan el historial. Los bancos principales son GPT‑4o mediante Responses API y Llama‑3.2‑3B‑Instruct mediante LangChain. Los apéndices identifican GPT como gpt‑4o‑2024‑11‑20; no fijan la revisión Llama, configuración de muestreo, hardware, fechas, retries ni clase de memoria LangChain. El conjunto principal contiene 60 preguntas dañinas en seis temas de diez ítems: contenido dañino, adulto, actividad ilegal, desinformación/fraude, prejuicio/privacidad y actividad sin licencia. La procedencia no es coherente: el método dice que se seleccionan de AdvBench, mientras el apéndice dice que 40 vienen de ocho escenarios de otro trabajo y se añaden algunos ítems AdvBench. No se publica la lista ni el mapeo. ASR cuenta como éxito cualquier respuesta sin rechazo negativo. FAR significa Fully Attack Success Rate, no false acceptance rate, y exige además obediencia completa a las instrucciones y una respuesta dañina detallada. En 60 prompts con GPT‑4o state-based, la Tabla 1 informa Once ASR 75,0% y FAR 63,3%, frente a Sequential 1 ASR 95,0%, 57 de 60, y FAR 88,3%, 53 de 60. En manual memory, Sequential 1 obtiene 88,33%/83,33%, mientras en state-based llega a 95%/88,33%. Para Llama, Once es 20% ASR en ambos modos; Sequential 1 cae a 5% manual y sube a 35% state-based. Los autores interpretan estas diferencias como evidencia de que el historial incremental hace que las instrucciones del usuario dominen la seguridad. La comparación por tema reporta ASR 90% en contenido dañino, adulto e ilegal y 100% en las otras tres categorías; FAR va de 70% a 100%. Un apéndice adicional ejecuta 520 prompts AdvBench sobre GPT‑4o: extrae la cuarta respuesta candidata y considera fallo solo si detecta frases de rechazo. Clasifica 440/520 como éxito, 84,61%. Sin embargo, lo llama FAR pese a que ya no verifica el requisito definitorio de cumplimiento completo y detalle dañino. Esa cifra es una heurística de no-rechazo parecida a ASR, no FAR validado. El efecto central es relevante pero su mecanismo está sobreatribuido. Sequential y Once no difieren solo en memoria: Sequential introduce fronteras de rol, tres respuestas intermedias del modelo, más contexto realizado y scaffolding distinto del proveedor. Manual y state-based también serializan la conversación de manera diferente. Responses API y LangChain entregan historial a la generación; el estudio no observa un estado interno ni pesos de seguridad. La ecuación de actualización de memoria es conceptual. Los resultados sostienen que la estructura multivuelta y la representación del historial cambian el comportamiento, no que se haya demostrado que una memoria interna repondera o desactiva la alineación. La selección de combinaciones también sesga el máximo: los autores dicen explícitamente que solo probaron configuraciones que juzgaban probables de alto ASR y destacan las mejores sobre los mismos 60 prompts. No hay split de desarrollo/prueba o validación held-out. El 95% es un resultado seleccionado sobre el benchmark y puede incluir winner's curse. Cada tasa procede de una sola generación por pregunta, sin réplicas, intervalos o prueba pareada. Como orientación descriptiva, el Wilson 95% para 57/60 es 86,3–98,3% y para 53/60 77,8–94,2%, pero no se publican los outcomes pareados necesarios para contrastar condiciones. La evaluación manual de 60 ítems tampoco especifica número de jueces, ceguera, rúbrica aplicada, acuerdo o adjudicación. ASR puede contar como éxito una respuesta parcial, irrelevante o puramente metadiscursiva si no contiene rechazo. La propia plantilla obliga al objetivo a generar cuatro casos etiquetados, lo que mezcla output del ataque y etiqueta de evaluación. El filtro de 520 casos solo muestra ejemplos de frases de rechazo y no tiene validación humana o análisis de error. Hay además contradicciones internas. Table 1 da Once 75,0%, que serían 45/60, pero Appendix Table 4 da 44/60=73,3% para la misma composición GPT‑4o. Los resultados principales nombran Additional 1 y Additional 2, mientras el apéndice solo define Additional 3–6 y Sequential 2. Las comparaciones con GCG, Jailbroken y Parameters no publican prompts, tuning, budgets o resultados por ítem; GCG ni siquiera puede optimizarse sobre el GPT‑4o black-box. Que dos baselines den cero no demuestra superioridad frente a ataques modernos comparables. Para el experimento real, ChatGPT‑4o se usa en la app de escritorio y Claude 3.7 Sonnet y Grok 3 Beta a través de Perplexity Pro. Perplexity añade routing, system prompts, moderación y aliases propios: no equivale a probar los servicios first-party. Las pruebas son manuales, sin fechas o versiones. Figure 5 muestra barras altas para los tres, con Claude por debajo, pero no publica tabla de conteos exactos. El enlace compartido de ChatGPT seguía respondiendo HTTP 200; los dos de Perplexity devolvían 403 en la auditoría. No se ejecutó el ataque. El artículo promete código en `CAU-CPSS/SLM_sec`, pero clone y API GitHub devuelven 404 y la organización no ofrece reemplazo. El paquete arXiv contiene manuscrito y figuras, no datasets, outputs, labels, código API o notebooks. Ningún resultado puede recomputarse. En seguridad responsable, hay content warning y marcas sobre ejemplos, pero se publican prompts accionables y enlaces de salidas sin cronología de disclosure, coordinación con proveedores, análisis de abuso, control de acceso o evaluación de defensas. La contribución defendible es mostrar que una misma estrategia de simulación produce más no-rechazos y respuestas dañinas cuando se reparte en turnos y se conserva la transcripción en snapshots concretos, y que el modo de entregar el historial importa. No demuestra una personalidad persistente, un estado interno de memoria, desactivación mecanística de la alineación, 84,61% de cumplimiento dañino pleno, generalización a servicios actuales ni superioridad reproducible sobre baselines modernos.

Research question

Does a simulation jailbreak increase when its instructions are injected progressively over several turns, and does the outcome change depending on how Responses API or LangChain retain the history?

Method

Black-box comparison of a four-message template in Once mode and several sequences, with history manually concatenated or maintained by Responses API/LangChain. 60 harmful questions are evaluated with non-refusal ASR and full-compliance FAR, an automatic run of 520 AdvBench, and manual tests on three products. The audit reviews 21 pages, TeX, arithmetic, metric validity, selection, memory, real services, ethics, and repository availability.

Sample: The main unit is a harmful question with a single generation per configuration. GPT-4o and Llama are evaluated on 60 questions; the automatic extension uses 520 AdvBench on GPT-4o. Sequential 1 obtains 57/60 ASR and 53/60 FAR in GPT state-based. There are no stochastic replicates, split for combination selection, paired outcomes, or published uncertainty.

Findings

  • GPT-4o state-based goes from Once 75.0% ASR/63.3% FAR to Sequential 1 95.0%/88.3% on 60 questions.
  • GPT-4o Sequential 1 is 88.33%/83.33% with manual history and 95%/88.33% with Responses API.
  • Llama Once is 20% ASR; Sequential 1 is 5% manual and 35% state-based, showing strong sensitivity to context delivery.
  • Disinformation/fraud, bias/privacy, and unlicensed activity topics reach 100% ASR in groups of only ten questions.
  • The run of 520 prompts finds 440 without refusal phrases, but does not verify full FAR.
  • Sequence, intermediate messages, roles, and serialization change behavior; the design does not separate which of those components causes it.
  • The 95% is selected among combinations filtered by high ASR probability on the same benchmark.
  • Once appears as 75.0% in one table and 73.3% in another; Additional 1/2 have no public composition.
  • The promised repository returns 404 and no result is recomputable.

Limitations

  • The term persona describes simulation framing, not persistent traits or identity.
  • Sequential adds turns, roles, intermediate responses, and tokens; it does not isolate memory.
  • Responses API and LangChain deliver context, but do not allow observing an internal state or safety weights.
  • Combinations are selected and evaluated on the same 60 prompts, with risk of winner's curse.
  • There are no repetitions, intervals, paired tests, or randomness analysis.
  • Non-refusal ASR may count partial, irrelevant, or metadiscursive responses.
  • Manual FAR does not document judges, blinding, agreement, adjudication, or complete protocol.
  • The 520 run uses refusal phrases and is incorrectly labeled as FAR.
  • The refusal list, human validation, and error analysis are not published.
  • Provenance and exact list of 60 questions are contradictory and absent.
  • Table 1 and Appendix Table 4 disagree on Once, 45/60 versus 44/60.
  • Additional 1 and 2 are not defined, although they appear in main results.
  • Baselines lack prompts, tuning, budgets, settings, and outcomes; GCG does not apply to GPT black-box.
  • Llama review, sampling, hardware, dates, retries, and LangChain memory class are missing.
  • Claude and Grok are tested through Perplexity, not first-party services, with aliases and moderation not controlled.
  • Real tests are manual, mutable, and without an exact count table.
  • Promised code, dataset, outputs, labels, and notebooks are not available.
  • There is no responsible disclosure, coordination with providers, abuse analysis, or evaluated defense.

What the study does not establish

  • That a persistent psychological personality was created or edited.
  • That an internal memory of the model causes the observed effect.
  • That user instructions reweight or mechanistically disable alignment.
  • That 84.61% of 520 prompts is full harmful compliance or validated FAR.
  • That the 95% generalizes outside the selected combinations and the evaluated snapshot.
  • That the differences are statistically reliable without paired outcomes and replicates.
  • That Persona Attack outperforms modern baselines with comparable tuning and budget.
  • That Perplexity results represent first-party Claude or Grok.
  • That current ChatGPT, Claude, or Grok retain the observed rates.
  • That the experiment is reproducible with the available artifact.
  • That publishing prompts and links without disclosure is sufficient mitigation of dual risk.

Traceability

Scope: Full text

Version: arXiv:2606.00150v1, 21 pages, submitted 2026-05-29, CC BY 4.0

Consulted source: https://arxiv.org/abs/2606.00150v1

Review: Codex 21-page full-text visual, complete TeX, memory-construct, metric/count, selection/uncertainty, baseline, real-world service, dual-use ethics and live-artifact audit, 2026-07-17

Approval: Codex fidelity pass, 2026-07-17

English translation: approved, 2026-07-18

Models evaluated

  • gpt-4o-2024-11-20 mediante Responses API
  • Llama-3.2-3B-Instruct mediante LangChain
  • ChatGPT-4o en aplicación de escritorio
  • Claude 3.7 Sonnet mediante Perplexity Pro
  • Grok 3 Beta mediante Perplexity Pro

Instruments and metrics

  • ASR como ausencia de rechazo negativo
  • FAR como Fully Attack Success Rate
  • Once frente a Sequential 1 y variantes agrupadas/reordenadas
  • Manual memory por concatenación de transcripción
  • State-based memory mediante Responses API o LangChain
  • Heurística de frases de rechazo para 520 AdvBench
  • Comparación agregada con GCG, Jailbroken y Parameters

Data used

  • 60 preguntas dañinas en seis temas, lista no publicada
  • 40 preguntas declaradas de ocho escenarios previos más ítems AdvBench, provenance contradictorio
  • 520 prompts AdvBench para evaluación automática GPT-4o
  • Outputs, labels y transcripciones no publicados
  • Tres enlaces públicos de experimentos reales, dos inaccesibles con HTTP 403

Evidence and location

  • Version, submission, authorship, areas, DOI, and license: arXiv:2606.00150v1 metadata checked 2026-07-17
  • Method, tables, results, limitations, prompts, and examples: arXiv:2606.00150v1 PDF, all 21 pages rendered and visually inspected
  • Compositions, metrics, contradictory counts, selection, and services: Complete arXiv TeX source, sha256 37b8a5e682d52cf30fd7ee0e7f8cab57a61b5fa8e8dad15c3b3d2a45be703612
  • Code and real links availability: CAU-CPSS/SLM_sec clone and authenticated GitHub API returned 404; ChatGPT share 200 and Perplexity shares 403 on 2026-07-17
  • Memory, evaluation, selection, ethics, reproducibility, and limits validity: reports/verification/article-311-persona-attack-memory-construct-evaluation-selection-realworld-ethics-and-missing-repository-audit.json