
Abstract
In recent years, the rapid development of large language model (LLM) technology has increasingly faced the threat of jailbreak attacks—malicious users manipulate the model to generate harmful content. Existing methods mainly rely on two paths: single-step attacks that easily trigger security mechanisms for immediate response, or multi-step attacks using other LLMs with inefficient iterative prompts. In contrast, we propose the “Context Sequence” (SoC) attack, which systematically alters the dialogue context through a carefully designed Context Switching Query (CSQ) system. We frame this as a multi-armed bandit (MAB) optimization problem, automatically learning the optimal CSQ sequence that can gradually weaken the model’s security boundaries. In our theoretical analysis, we provide a tight upper bound on the expected length of the sequence required to successfully achieve a jailbreak and the convergence of cumulative rewards. Experimental results show that our method achieves an attack success rate of up to 95%, improving by 63.15% over PAIR, 60% over AutoDAN, and 50% over ReNeLLM. We evaluated this on several open-source LLMs, including Llama and Mistral, revealing key vulnerabilities in current LLM security mechanisms and emphasizing the need to develop defenses that can address serialized attack patterns rather than relying solely on static prompt filtering or iterative optimization.

This diagram illustrates the proposed SoC attack process. The attack begins by sending a Direct Malicious Query (DMQ) to the LLM, and the LLM’s response is evaluated by a judging function J, which outputs a binary reward indicating harmfulness. The multi-armed bandit (MAB) selects the next optimal Context Switching Query (CSQ) based on this reward using an ε-greedy strategy. This cycle continues until a harmful response is generated or the maximum sequence length T is reached, thus successfully achieving a jailbreak. The resulting attack strategy can be applied to unseen DMQs.
1
Introduction
The rapid development of large language models (LLMs) faces ongoing challenges to their security mechanisms. Traditional attack methods often fail due to triggering immediate defenses; therefore, we propose the Context Sequence (SoC) attack, which gradually weakens the model’s security defenses through a series of strategic queries.
The SoC attack consists of two types of queries:Direct Malicious Queries (DMQs): Directly induce harmful replies, usually intercepted;Context Switching Queries (CSQs): Gradually “soften” the model’s security boundaries through ambiguous or contradictory contexts.This method leverages the context dependency of LLMs, gradually changing the model’s response tendencies through continuous CSQs, thereby decreasing its defensive capability against subsequent malicious queries.
To optimize the attack sequence, we introduce a multi-armed bandit (MAB) framework, employing an ε-greedy algorithm to automatically learn the optimal CSQ combinations: exploring new queries with probability ε and exploiting the current optimal queries with probability 1-ε, thus achieving a balance between exploration and exploitation.
The main contributions of this paper are:We constructed a dataset of Context Switching Queries and proposed an optimal sequence determination method based on SoC attacks;We established a theoretical analysis framework, providing an expected upper bound on the length of the attack sequence;Experiments show that our method significantly outperforms baseline models such as PAIR, AutoDAN, and ReNeLLM in attack success rates, improving by 63.15%, 60%, and 50%, respectively.
2
Prerequisites
Direct Malicious Queries (DMQs)
Direct Malicious Queries (DMQs) are inquiries that explicitly contain malicious intent, such as “How to make a bomb?” These queries are typically rejected directly by the LLM’s security mechanisms after harmful vocabulary is identified by classifiers. DMQs initiate the attack process by embedding malicious intent, while subsequent Context Switching Queries (CSQs) aim to weaken the security barriers, thereby increasing the probability of harmful content output.
Context Switching Queries (CSQs)
Context Switching Queries (CSQs) are a strategy that progressively alters the dialogue context, allowing the LLM’s security mechanisms to gradually relax without immediately triggering rejection prompts. Context switching refers to systematic transitions between multiple CSQs, thereby constructing a continuously evolving input sequence. Throughout the attack process, the “context window” H continuously accumulates historical responses:

where c_t and s_t represent the Context Switching Query sent to the target LLM and its corresponding response at step t (t∈{1,2,…,T}). As more Context Switching Queries are continuously injected, the length of the context window H dynamically increases.
Multi-Armed Bandits (MAB)
Multi-Armed Bandits (MAB) is a sequential decision framework that maximizes total rewards over T rounds by sequentially selecting from K unknown actions. This study employs the MAB framework to address the selection problem of the optimal CSQ category (a∈{a_1,…,a_K}) in each round, systematically guiding the LLM to generate harmful responses while balancing exploration and exploitation.
Judge Function
The judging function J(s_t) evaluates the LLM’s response s_t at time t and assigns a binary reward r_t ∈ {0, 1} based on the harmfulness (r_t = 1) or harmlessness (r_t = 0) of the response content. This function acts as a reward mechanism within the multi-armed bandit framework, playing a crucial role in guiding the attack strategy.
Q-Value, Policy, Optimal Policy
The Q-value represents the expected cumulative reward for selecting action a_i, calculated as follows:

where R(a_i) is the actual observed reward for action a_i, and N(a_i) is the number of times action a_i has been selected. The policy π is the decision rule that determines which action (i.e., CSQ category) to select based on the Q-value, while the optimal policy π∗ always selects the action with the maximum Q-value, i.e., π∗=argmax_(a_i) Q(ai). The training algorithm iteratively updates Q(a_i) to approximate π∗, ensuring convergence to a strategy that maximizes the number of harmful/unsafe responses during the SoC attack process.
Cost Function
The cost function is used to balance exploration and exploitation behaviors across multiple training rounds, defined as follows:

where t represents the current training round, w_1,w_2 are weight parameters, and E_explore and E_exploit represent the counts of exploration and exploitation actions, respectively.
The problem statement: Given a large language model and context window H, our goal is to find the optimal policy π∗, which selects actions from the action set a∈{a1,…,aK} (i.e., CSQ categories) over T training rounds to maximize Q-value, where the reward r_t is determined by the judging function J(s_t). This policy must balance exploration and exploitation through the total cost function C_total while considering the dynamically growing context window H and the potential noise introduced by the judging function J(s_t) in reward observations.
3
Algorithm

Training algorithm for obtaining the optimal policy

Testing algorithm
4
Theoretical Contributions
Lemma 1
For any suboptimal Context Switching Query category, the probability that its empirical average reward μ^i exceeds or equals the optimal category’s empirical average reward μ^∗ satisfies the following upper bound:

Lemma 2
The total expected reward obtained by the algorithm after T training rounds will converge to the optimal reward and satisfies the following upper bound:

Theorem 1
For any suboptimal Context Switching Query category CSQiCSQi, the expected value of the number of times it is selected E[N_i] satisfies the following upper bound:

Corollary 1
The expected sequence length E[L] required before continuously utilizing the optimal category CSQ∗ satisfies the following upper bound:

where Δ_min=min_(i≠i)∗Δ_i represents the minimum reward gap, and K is the total number of Context Switching Query categories.
5
Experiments and Conclusions




This paper presents an innovative method for guiding models to generate harmful responses by selecting Context Switching Queries that manipulate the context memory of large language models. This research frames the problem as a multi-armed bandit framework, employing an ε-greedy strategy to implement context sequence attacks, effectively balancing exploration and exploitation. The method successfully achieves jailbreak during both training and testing phases, with longer attack sequences resulting in increased average attack success rates and harmful response counts across all dialogue models. The multi-armed bandit optimization significantly enhances attack performance, achieving an average attack success rate exceeding 95%, while its single prompt cost is more advantageous compared to baseline methods. Future work in this field will focus on developing robust mechanisms that can effectively defend against jailbreaks of large language models. A potential limitation of the current method is that the sampling of Context Switching Queries relies on a fixed database, while fine-tuning the large language model using Q-learning objectives is expected to further enhance query diversity and attack performance.