Harder to Defend: Towards Chinese Toxicity Attacks via Implicit Enhancement and Obfuscation Rewriting

About

Large language models (LLMs) require robust toxicity evaluation beyond explicit wording. This setting remains underexplored in Chinese, where toxicity may combine semantic indirectness with surface obfuscation. We introduce Chinese Implicit Toxicity Attack (CITA), a controlled red-team evaluation and defense-data generation framework, not a deployable evasion tool. CITA uses three stages: (i) Harmful Intent Learning, (ii) Implicit Toxicity Enhancement, and (iii) Obfuscation Variant Rewriting, to preserve harmful intent, increase implicitness, and add controlled surface variants. On CITA-generated evaluation samples, the seven tested detectors exhibit substantial missed-detection risks, reaching an average ASR of 69.48%; human evaluation further confirms preserved harmfulness and increased implicitness/evasiveness. As a downstream defense application, we fine-tune a Chinese Implicit Toxicity Defense model (CITD) with CITA-generated red-team data, showing that such data can improve robustness through additional training.

Jingyi Kang, Junyu Lu, Bo Xu, Hongbo Wang, Linlin zong, Roy Ka-Wei Lee, Hongfei Lin• 2026

Related benchmarks

Task	Dataset	Result
Toxicity Classification	TOXICN (test)	Accuracy91.47	19
Toxicity Classification	COLD (test)	Accuracy88.8	19
Toxicity Classification	SWSR (test)	Accuracy91.33	7
Toxicity Classification	SCCD (test)	Accuracy93.73	7
Toxicity Classification	CNTP (test)	Accuracy94.53	7
Toxicity Detection	COLD	--	7
Toxicity Detection	SWSR	--	7
Toxicity Detection	SCCD	--	7
Toxicity Detection	CNTP	--	7
Toxicity Detection	ToxiCN	--	7

Showing 10 of 13 rows

Other info

Follow for update

@wizwand_team Discord