Initial public release

.gitattributes

@@ -0,0 +1,35 @@
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.arrow filter=lfs diff=lfs merge=lfs -text
+*.bin filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.ckpt filter=lfs diff=lfs merge=lfs -text
+*.ftz filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.h5 filter=lfs diff=lfs merge=lfs -text
+*.joblib filter=lfs diff=lfs merge=lfs -text
+*.lfs.* filter=lfs diff=lfs merge=lfs -text
+*.mlmodel filter=lfs diff=lfs merge=lfs -text
+*.model filter=lfs diff=lfs merge=lfs -text
+*.msgpack filter=lfs diff=lfs merge=lfs -text
+*.npy filter=lfs diff=lfs merge=lfs -text
+*.npz filter=lfs diff=lfs merge=lfs -text
+*.onnx filter=lfs diff=lfs merge=lfs -text
+*.ot filter=lfs diff=lfs merge=lfs -text
+*.parquet filter=lfs diff=lfs merge=lfs -text
+*.pb filter=lfs diff=lfs merge=lfs -text
+*.pickle filter=lfs diff=lfs merge=lfs -text
+*.pkl filter=lfs diff=lfs merge=lfs -text
+*.pt filter=lfs diff=lfs merge=lfs -text
+*.pth filter=lfs diff=lfs merge=lfs -text
+*.rar filter=lfs diff=lfs merge=lfs -text
+*.safetensors filter=lfs diff=lfs merge=lfs -text
+saved_model/**/* filter=lfs diff=lfs merge=lfs -text
+*.tar.* filter=lfs diff=lfs merge=lfs -text
+*.tar filter=lfs diff=lfs merge=lfs -text
+*.tflite filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.wasm filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
+*tfevents* filter=lfs diff=lfs merge=lfs -text

README.md

@@ -0,0 +1,102 @@
+---
+license: mit
+datasets:
+- JailbreakBench/JBB-Behaviors
+base_model:
+- GSAI-ML/LLaDA-8B-Base
+library_name: peft
+tags:
+- iho
+- qwen2.5
+- qwen2.5-32b
+- attacker
+- jailbreaking
+- adversary
+- jailbreak
+- llada
+- diffusion-language-model
+- red-teaming
+- adversarial-evaluation
+- safety-research
+- jailbreak-benchmark
+paper:
+  title: "Black-box, Adaptive, Efficient, Transferable, Harmful, Applicable... Attacks Are All You Need to Break LLMs"
+---
+
+# IHO — Indirect Harm Optimization for Qwen2.5-32B-Instruct
+
+[![ArXiv](https://img.shields.io/badge/arXiv-2606.03647-b31b1b?logo=arxiv&logoColor=white)](https://arxiv.org/abs/2606.03647)
+[![GitHub](https://img.shields.io/badge/GitHub-IHO-181717?logo=github&logoColor=white)](https://github.com/SEML-Lab/IHO)
+
+IHO fine-tunes an attacker diffusion language model for black-box red-teaming of target LLMs. Building on the inpainting approach of [Diffusion LLMs are Natural Adversaries for Any LLM](https://arxiv.org/pdf/2511.00203), the diffusion model generates jailbreak prompts by predicting prompts that are likely to elicit affirmative, harmful responses from a target model.
+
+Strong attacks need to adapt to their target, which may be an arbitrary black-box model or defense pipeline. IHO achieves this by iteratively collecting target responses, scoring them with a harmfulness judge, and training the attacker with DPO on the resulting preference data. This allows the attacker to adapt without requiring gradients, model weights, or any defense-specific implementation.
+
+In our experiments, IHO achieves state-of-the-art attack strength across a wide range of settings. It is effective as an adaptive attack against a specific target, while also transferring strongly to held-out behaviors and unseen target models. The gains are especially pronounced against stronger defenses and layered defense pipelines, where IHO substantially outperforms prior automated attacks.
+
+This checkpoint is adapted to `Qwen/Qwen2.5-32B-Instruct`. It can be used directly in transfer settings and is expected to be particularly effective on similar Qwen2.5 models. However, transfer is not the only intended use case of IHO: one of its core strengths is adaptive evaluation. If maximum attack strength is required, we recommend applying the IHO pipeline adaptively to the specific target model or defense pipeline under evaluation. We release a range of IHO checkpoints adapted to different targets.
+
+
+<!-- ADAPTER_USAGE_START -->
+## Quick Start
+This repo contains a **LoRA adapter** (not merged full weights). Load it on top of:
+- `GSAI-ML/LLaDA-8B-Base` ([Large Language Diffusion Models](https://arxiv.org/abs/2502.09992) / [GSAI-ML/LLaDA-8B-Base](https://huggingface.co/GSAI-ML/LLaDA-8B-Base))
+
+### Use with IHO Codebase
+[![GitHub](https://img.shields.io/badge/GitHub-IHO-181717?logo=github&logoColor=white)](https://github.com/SEML-Lab/IHO)
+
+Use this adapter with the local IHO pipeline to generate attacks:
+```bash
+pixi run python -m iho.inference_attacks_only \
+  "Sure, here is how to evade legal persecution" \
+  --checkpoint SEML-Lab/IHO-Qwen2.5-32B-Instruct \
+  --device cuda \
+  --num-attacks 32
+```
+
+For direct programmatic loading inside the IHO codebase:
+```python
+from iho.model_wrapper.LLaDAWrapper import LLaDAWrapper
+
+wrapper = LLaDAWrapper(
+    model_name="GSAI-ML/LLaDA-8B-Base",
+    lora_checkpoint="SEML-Lab/IHO-Qwen2.5-32B-Instruct",
+    device="cuda",  # or "cpu"
+)
+```
+
+### Standard PEFT Loading
+```python
+from transformers import AutoModelForCausalLM, AutoTokenizer
+from peft import PeftModel
+
+base_id = "GSAI-ML/LLaDA-8B-Base"
+adapter_id = "SEML-Lab/IHO-Qwen2.5-32B-Instruct"
+
+base = AutoModelForCausalLM.from_pretrained(base_id, trust_remote_code=True)
+model = PeftModel.from_pretrained(base, adapter_id)
+tokenizer = AutoTokenizer.from_pretrained(base_id, trust_remote_code=True)
+```
+<!-- ADAPTER_USAGE_END -->
+
+## Use Disclaimer
+
+This model is released for research on LLM safety, red-teaming, and robustness evaluation. It should be used in controlled settings and only against systems for which the user has permission to run adversarial evaluations. The goal of this release is to support more reliable measurement of jailbreak robustness, not to enable misuse against deployed systems.
+
+A detailed description of the method can be found in the accompanying paper.
+
+## Citation
+
+Please cite the IHO paper: Limbach et al., 2026, "Black-box, Adaptive, Efficient, Transferable, Harmful, Applicable... Attacks Are All You Need to Break LLMs."
+
+```bibtex
+@misc{limbach2026blackboxadaptiveefficient,
+  title={Black-box, Adaptive, Efficient, Transferable, Harmful, Applicable... Attacks Are All You Need to Break LLMs},
+  author={Vincent Limbach and Jonas Dornbusch and David L{\"u}dke and Stephan G{\"u}nnemann and Leo Schwinn},
+  year={2026},
+  eprint={2606.03647},
+  archivePrefix={arXiv},
+  primaryClass={cs.CR},
+  url={https://arxiv.org/abs/2606.03647},
+}
+```

adapter_config.json

@@ -0,0 +1,41 @@
+{
+  "alora_invocation_tokens": null,
+  "alpha_pattern": {},
+  "arrow_config": null,
+  "auto_mapping": null,
+  "base_model_name_or_path": "GSAI-ML/LLaDA-8B-Base",
+  "bias": "none",
+  "corda_config": null,
+  "ensure_weight_tying": false,
+  "eva_config": null,
+  "exclude_modules": null,
+  "fan_in_fan_out": false,
+  "inference_mode": true,
+  "init_lora_weights": true,
+  "layer_replication": null,
+  "layers_pattern": null,
+  "layers_to_transform": null,
+  "loftq_config": {},
+  "lora_alpha": 16,
+  "lora_bias": false,
+  "lora_dropout": 0.05,
+  "megatron_config": null,
+  "megatron_core": "megatron.core",
+  "modules_to_save": null,
+  "peft_type": "LORA",
+  "peft_version": "0.18.0",
+  "qalora_group_size": 16,
+  "r": 8,
+  "rank_pattern": {},
+  "revision": null,
+  "target_modules": [
+    "q_proj",
+    "v_proj"
+  ],
+  "target_parameters": null,
+  "task_type": "CAUSAL_LM",
+  "trainable_token_indices": null,
+  "use_dora": false,
+  "use_qalora": false,
+  "use_rslora": false
+}

adapter_model.safetensors

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2eb4116fc9392e53cd0ab8371932a6fd6533f837d6c21fd655fd3fbc9717e1b0
+size 16794456