Skip to content
← Back to explorer

Harder to Defend: Towards Chinese Toxicity Attacks via Implicit Enhancement and Obfuscation Rewriting

Jingyi Kang, Junyu Lu, Bo Xu, Hongbo Wang, Linlin zong, Roy Ka-Wei Lee, Hongfei Lin · May 21, 2026 · Citations: 0

General Human Eval Red Team
Open arXiv Find Implementation RSS feed Shortlist (0)

How to use this page

Moderate trust

Use this for comparison and orientation, not as your only source.

Best use

Secondary protocol comparison source

What to verify

Validate the evaluation procedure and quality controls in the full paper before operational use.

Evidence quality

Moderate

Derived from extracted protocol signals and abstract evidence.

Abstract

Large language models (LLMs) require robust toxicity evaluation beyond explicit wording. This setting remains underexplored in Chinese, where toxicity may combine semantic indirectness with surface obfuscation. We introduce Chinese Implicit Toxicity Attack (CITA), a controlled red-team evaluation and defense-data generation framework, not a deployable evasion tool. CITA uses three stages: (i) Harmful Intent Learning, (ii) Implicit Toxicity Enhancement, and (iii) Obfuscation Variant Rewriting, to preserve harmful intent, increase implicitness, and add controlled surface variants. On CITA-generated evaluation samples, the seven tested detectors exhibit substantial missed-detection risks, reaching an average ASR of 69.48%; human evaluation further confirms preserved harmfulness and increased implicitness/evasiveness. As a downstream defense application, we fine-tune a Chinese Implicit Toxicity Defense model (CITD) with CITA-generated red-team data, showing that such data can improve robustness through additional training.

Should You Rely On This Paper?

This paper has useful evaluation signal, but protocol completeness is partial; pair it with related papers before deciding implementation strategy.

Best use

Secondary protocol comparison source

Use if you need

A secondary eval reference to pair with stronger protocol papers.

Main weakness

No major weakness surfaced.

Trust level

Moderate

Usefulness score

67/100 • Medium

Useful as a secondary reference; validate protocol details against neighboring papers.

Human Feedback Signal

Detected

Evaluation Signal

Detected

Usefulness for eval research

Moderate-confidence candidate

Extraction confidence 70%

If you are doing eval pipeline work, start here:

Human Eval Hub LLM-as-Judge Hub Pairwise Preference Hub Tool-Use Eval Hub

What We Could Verify

These are the protocol signals we could actually recover from the available paper metadata. Use them to decide whether this paper is worth deeper reading.

Human Feedback Types

strong

Red Team

Directly usable for protocol triage.

"Large language models (LLMs) require robust toxicity evaluation beyond explicit wording."

Evaluation Modes

strong

Human Eval

Includes extracted eval setup.

"Large language models (LLMs) require robust toxicity evaluation beyond explicit wording."

Quality Controls

missing

Not reported

No explicit QC controls found.

"Large language models (LLMs) require robust toxicity evaluation beyond explicit wording."

Benchmarks / Datasets

missing

Not extracted

No benchmark anchors detected.

"Large language models (LLMs) require robust toxicity evaluation beyond explicit wording."

Reported Metrics

strong

Toxicity, Jailbreak success rate

Useful for evaluation criteria comparison.

"Large language models (LLMs) require robust toxicity evaluation beyond explicit wording."

Human Feedback Details

  • Uses human feedback: Yes
  • Feedback types: Red Team
  • Rater population: Not reported
  • Expertise required: General

Evaluation Details

  • Evaluation modes: Human Eval
  • Agentic eval: None
  • Quality controls: Not reported
  • Evidence quality: Moderate
  • Use this page as: Secondary protocol comparison source

Protocol And Measurement Signals

Benchmarks / Datasets

No benchmark or dataset names were extracted from the available abstract.

Reported Metrics

toxicityjailbreak success rate

Research Brief

Metadata summary

Large language models (LLMs) require robust toxicity evaluation beyond explicit wording.

Based on abstract + metadata only. Check the source paper before making high-confidence protocol decisions.

Key Takeaways

  • Large language models (LLMs) require robust toxicity evaluation beyond explicit wording.
  • This setting remains underexplored in Chinese, where toxicity may combine semantic indirectness with surface obfuscation.
  • We introduce Chinese Implicit Toxicity Attack (CITA), a controlled red-team evaluation and defense-data generation framework, not a deployable evasion tool.

Researcher Actions

  • Compare this paper against nearby papers in the same arXiv category before using it for protocol decisions.
  • Validate inferred eval signals (Human evaluation) against the full paper.
  • Use related-paper links to find stronger protocol-specific references.

Caveats

  • Generated from abstract + metadata only; no PDF parsing.
  • Signals below are heuristic and may miss details reported outside the abstract.

Recommended Queries

Red teaming evaluation

Research Summary

Contribution Summary

  • Large language models (LLMs) require robust toxicity evaluation beyond explicit wording.
  • We introduce Chinese Implicit Toxicity Attack (CITA), a controlled red-team evaluation and defense-data generation framework, not a deployable evasion tool.
  • On CITA-generated evaluation samples, the seven tested detectors exhibit substantial missed-detection risks, reaching an average ASR of 69.48%; human evaluation further confirms preserved harmfulness and increased implicitness/evasiveness.

Why It Matters For Eval

  • We introduce Chinese Implicit Toxicity Attack (CITA), a controlled red-team evaluation and defense-data generation framework, not a deployable evasion tool.
  • On CITA-generated evaluation samples, the seven tested detectors exhibit substantial missed-detection risks, reaching an average ASR of 69.48%; human evaluation further confirms preserved harmfulness and increased implicitness/evasiveness.

Researcher Checklist

  • Pass: Human feedback protocol is explicit

    Detected: Red Team

  • Pass: Evaluation mode is explicit

    Detected: Human Eval

  • Gap: Quality control reporting appears

    No calibration/adjudication/IAA control explicitly detected.

  • Gap: Benchmark or dataset anchors are present

    No benchmark/dataset anchor extracted from abstract.

  • Pass: Metric reporting is present

    Detected: toxicity, jailbreak success rate

Related Papers

Papers are ranked by protocol overlap, extraction signal alignment, and semantic proximity.

Get Started

Join the #1 Platform for AI Training Talent

Where top AI builders and expert AI Trainers connect to build the future of AI.
Self-Service
Post a Job
Post your project and get a shortlist of qualified AI Trainers and Data Labelers. Hire and manage your team in the tools you already use.
Create Account & Post a Job
Managed Service
For Large Projects
Done-for-You
We recruit, onboard, and manage a dedicated team inside your tools. End-to-end operations for large or complex projects.
Learn About Managed Service
For Freelancers
Join as an AI Trainer
Find AI training and data labeling projects across platforms, all in one place. One profile, one application process, more opportunities.
Join Now