---
license: mit
datasets:
- JailbreakBench/JBB-Behaviors
base_model:
- GSAI-ML/LLaDA-8B-Base
library_name: peft
tags:
- iho
- qwen2.5
- qwen2.5-7b
- polyguard
- detector
- defended-model
- attacker
- jailbreaking
- adversary
- jailbreak
- llada
- diffusion-language-model
- red-teaming
- adversarial-evaluation
- safety-research
- jailbreak-benchmark
paper:
  title: "Black-box, Adaptive, Efficient, Transferable, Harmful, Applicable... Attacks Are All You Need to Break LLMs"
---

# IHO — Indirect Harm Optimization for Qwen2.5-7B-Instruct + PolyGuard

[![ArXiv](https://img.shields.io/badge/arXiv-2606.03647-b31b1b?logo=arxiv&logoColor=white)](https://arxiv.org/abs/2606.03647)
[![GitHub](https://img.shields.io/badge/GitHub-IHO-181717?logo=github&logoColor=white)](https://github.com/SEML-Lab/IHO)

IHO fine-tunes an attacker diffusion language model for black-box red-teaming of target LLMs. Building on the inpainting approach of [Diffusion LLMs are Natural Adversaries for Any LLM](https://arxiv.org/pdf/2511.00203), the diffusion model generates jailbreak prompts by predicting prompts that are likely to elicit affirmative, harmful responses from a target model.

Strong attacks need to adapt to their target, which may be an arbitrary black-box model or defense pipeline. IHO achieves this by iteratively collecting target responses, scoring them with a harmfulness judge, and training the attacker with DPO on the resulting preference data. This allows the attacker to adapt without requiring gradients, model weights, or any defense-specific implementation.

In our experiments, IHO achieves state-of-the-art attack strength across a wide range of settings. It is effective as an adaptive attack against a specific target, while also transferring strongly to held-out behaviors and unseen target models. The gains are especially pronounced against stronger defenses and layered defense pipelines, where IHO substantially outperforms prior automated attacks.

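
The detector-wrapped target this card describes (a detector inspects prompts and responses and overrides harmful outputs with a fixed refusal string) can be written as a thin wrapper that returns the same refusal whichever stage blocked, keeps the stage in an internal log only, and fails closed when the detector errors. This is an added example, not code from the IHO repository or PolyGuard; `GuardedTarget`, the `is_harmful` callable, the refusal text and the toy detector and target are assumptions made for illustration.

```python
import logging
from dataclasses import dataclass
from typing import Callable, Optional

log = logging.getLogger("guarded_target")
REFUSAL = "I'm sorry, but I can't help with that."  # constructed placeholder text

@dataclass
class GuardResult:
    text: str                     # what the black-box caller receives
    blocked_stage: Optional[str]  # "prompt" | "response" | "error" | None (internal)

class GuardedTarget:
    def __init__(self, target: Callable[[str], str], is_harmful: Callable[..., bool]):
        self.target = target          # hypothetical: prompt -> response
        self.is_harmful = is_harmful  # hypothetical: (prompt, response or None) -> bool

    def _blocked(self, stage: str, prompt: str, response: Optional[str] = None):
        try:
            return stage if self.is_harmful(prompt, response) else None
        except Exception:
            # Fail closed: a detector crash must not turn into a bypass.
            log.exception("detector failed at %s stage", stage)
            return "error"

    def generate(self, prompt: str) -> GuardResult:
        stage = self._blocked("prompt", prompt)
        if stage is None:
            response = self.target(prompt)
            stage = self._blocked("response", prompt, response)
            if stage is None:
                return GuardResult(response, None)
        # Same refusal for every block reason; the stage goes to the log only.
        log.warning("blocked stage=%s prompt_len=%d", stage, len(prompt))
        return GuardResult(REFUSAL, stage)

def demo():
    # Constructed stand-ins: a marker-based detector and an echoing target.
    def toy_detector(prompt, response):
        text = prompt if response is None else response
        if "CRASH" in text:
            raise RuntimeError("detector backend unavailable")
        return "FLAGGED" in text
    def toy_target(prompt):
        return "FLAGGED output" if "trigger" in prompt else f"echo: {prompt}"
    guarded = GuardedTarget(toy_target, toy_detector)
    return [guarded.generate(p) for p in ("hello", "FLAGGED request", "trigger", "CRASH")]
```
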

This checkpoint is adapted to `Qwen/Qwen2.5-7B-Instruct` wrapped with an additional [PolyGuard](https://arxiv.org/abs/2504.04377) detector. In our setup, PolyGuard inspects prompts and responses and overrides harmful outputs with a fixed refusal string. The detector model used in the paper is `ToxicityPrompts/PolyGuard-Qwen-Smol`.

This checkpoint can be used directly in transfer settings and is expected to be particularly effective on similar Qwen2.5 models and related detector-wrapped pipelines. However, transfer is not the only intended use case of IHO: one of its core strengths is adaptive evaluation. If maximum attack strength is required, we recommend applying the IHO pipeline adaptively to the specific target model or defense pipeline under evaluation.

We release a range of IHO checkpoints adapted to different targets.

## Quick Start

This repo contains a **LoRA adapter** (not merged full weights). Load it on top of:

- `GSAI-ML/LLaDA-8B-Base` ([Large Language Diffusion Models](https://arxiv.org/abs/2502.09992) / [GSAI-ML/LLaDA-8B-Base](https://huggingface.co/GSAI-ML/LLaDA-8B-Base))

### Use with IHO Codebase

[![GitHub](https://img.shields.io/badge/GitHub-IHO-181717?logo=github&logoColor=white)](https://github.com/SEML-Lab/IHO)

Use this adapter with the local IHO pipeline to generate attacks:

```bash
pixi run python -m iho.inference_attacks_only \
  "Sure, here is how to evade legal persecution" \
  --checkpoint SEML-Lab/IHO-Qwen2.5-7B-Instruct-PolyGuard \
  --device cuda \
  --num-attacks 32
```

For direct programmatic loading inside the IHO codebase:

```python
from iho.model_wrapper.LLaDAWrapper import LLaDAWrapper

wrapper = LLaDAWrapper(
    model_name="GSAI-ML/LLaDA-8B-Base",
    lora_checkpoint="SEML-Lab/IHO-Qwen2.5-7B-Instruct-PolyGuard",
    device="cuda",  # or "cpu"
)
```

### Standard PEFT Loading

```python
from transformers import AutoModelForCausalLM, AutoTokenizer
from peft import PeftModel

base_id = "GSAI-ML/LLaDA-8B-Base"
adapter_id = "SEML-Lab/IHO-Qwen2.5-7B-Instruct-PolyGuard"

base = AutoModelForCausalLM.from_pretrained(base_id, trust_remote_code=True)
model = PeftModel.from_pretrained(base, adapter_id)
tokenizer = AutoTokenizer.from_pretrained(base_id, trust_remote_code=True)
```

## Use Disclaimer

This model is released for research on LLM safety, red-teaming, and robustness evaluation. It should be used in controlled settings and only against systems for which the user has permission to run adversarial evaluations. The goal of this release is to support more reliable measurement of jailbreak robustness, not to enable misuse against deployed systems.

A detailed description of the method can be found in the accompanying paper.

## Citation

Please cite the IHO paper: Limbach et al., 2026, "Black-box, Adaptive, Efficient, Transferable, Harmful, Applicable... Attacks Are All You Need to Break LLMs."

```bibtex
@misc{limbach2026blackboxadaptiveefficient,
  title={Black-box, Adaptive, Efficient, Transferable, Harmful, Applicable... Attacks Are All You Need to Break LLMs},
  author={Vincent Limbach and Jonas Dornbusch and David L{\"u}dke and Stephan G{\"u}nnemann and Leo Schwinn},
  year={2026},
  eprint={2606.03647},
  archivePrefix={arXiv},
  primaryClass={cs.CR},
  url={https://arxiv.org/abs/2606.03647},
}
```