Hugging Face's logo

Graph-COM
/
TurnGate-0.1

English
Safety
Defense
Jailbreak
Multi-turn
Harmful
Benign
Model card Files
xet
 Community
1
TurnGate-0.1
File size: 4,183 Bytes
856053d
6831b13
 
 
 
5f989e3
 
6831b13
5f989e3
 
 
 
 
 
 
6831b13
 
5f989e3
 
856053d
6831b13
5f989e3
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
6831b13
 
 
 
 
5f989e3
 
 
 
 
 
 
6831b13
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
5f989e3
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
---
base_model:
- Qwen/Qwen3-4B-Instruct-2507
datasets:
- Graph-COM/MTID
language:
- en
license: apache-2.0
tags:
- Safety
- Defense
- Jailbreak
- Multi-turn
- Harmful
- Benign
pretty_name: TurnGate
pipeline_tag: text-classification
size_categories:
- 10K<n<100K
---

# TurnGate: Response-Aware Defense Against Hidden Malicious Intent in Multi-Turn Dialogue        

<a href="https://arxiv.org/abs/2605.05630" target="_blank">
    <img alt="arXiv" src="https://img.shields.io/badge/arXiv-TurnGate-red?logo=arxiv&style=for-the-badge" />
</a>
<a href="https://turn-gate.github.io" target="_blank">
    <img alt="Website" src="https://img.shields.io/badge/🌎_Homepage-blue.svg?style=for-the-badge" />
</a>
<a href="https://github.com/Graph-COM/TurnGate" target="_blank">
    <img alt="GitHub code" src="https://img.shields.io/badge/💻_Code_GitHub-black.svg?style=for-the-badge" />
</a>
<a href="#cite" target="_blank">
    <img alt="Cite" src="https://img.shields.io/badge/📖_Cite!-lightgrey?style=for-the-badge" />
</a>
<a href="https://www.python.org/" target="_blank">
    <img alt="Python" src="https://img.shields.io/badge/Python-3.12-blue?style=for-the-badge" />
</a>


## Overview

TurnGate is a response-aware defense mechanism designed to detect and mitigate hidden malicious intent in multi-turn dialogue systems. It is designed to defend against state-of-the-art multi-turn malicious attacks like [CKA-Agent](https://cka-agent.github.io/).

Unlike traditional filters that look at queries in isolation, TurnGate is response-aware: it inspects the assistant's candidate response in the context of the full dialogue history to identify the precise "closure turn" where a harmful objective becomes actionable.

This work was presented in the paper [One Turn Too Late: Response-Aware Defense Against Hidden Malicious Intent in Multi-Turn Dialogue](https://arxiv.org/abs/2605.05630).

![TurnGate Pipeline](https://github.com/Graph-COM/TurnGate/blob/main/assets/pipeline.png?raw=true)

## TurnGate-0.1

This repository contains the weights for TurnGate-0.1, a model trained on the Multi-Turn Intent Dataset (MTID) and optimized via reinforcement learning with turn-level process rewards.

## Quick Start

### 1. Evaluate Baselines

Run all training-free defenders on the dataset using the provided scripts in the [GitHub repository](https://github.com/Graph-COM/TurnGate):

```bash
bash scripts/evaluate_all_baselines.sh
```

### 2. Evaluate a Trained Checkpoint

The evaluation script auto-detects defender type (SFT/TurnGate) and format (Full/LoRA):

```bash
# Evaluate a TurnGate checkpoint
bash scripts/eval.sh checkpoints/turngate_optimized_full/final_model

# Evaluation via HuggingFace repo with explicit type overrides
bash scripts/eval.sh your-org/your-model Qwen/Qwen3-4B-Instruct-2507 dataset/gpt52-gen_filter test full rl
```

## Online Battle (Adversarial Evaluation)

The `online-battle/` codebase provides an environment for evaluating defenders against adaptive jailbreak attacks. It runs the CKA-Agent attack method against the target model with TurnGate enabled to measure real-world robustness.

```bash
cd online-battle
# Run CKA-Agent attack with TurnGate (RL) defense enabled
bash run_rl_defense.sh
```

## MTID Dataset

The **Multi-Turn Intent Dataset (MTID)** contains a collection of multi-turn interactions focused on evaluating and training defenses against correlated knowledge attacks.
- **Total Unique Samples:** 800 (400 Benign, 400 Harmful)
- **Rollouts per Sample:** 20 (Total of 16,000 trajectories)
- **Format:** Each line is a JSON object representing a single rollout.

## Cite
If you find this repository useful for your research, please consider citing the following paper:

```bibtex
@misc{shen2026turnlateresponseawaredefense,
      title={One Turn Too Late: Response-Aware Defense Against Hidden Malicious Intent in Multi-Turn Dialogue}, 
      author={Xinjie Shen and Rongzhe Wei and Peizhi Niu and Haoyu Wang and Ruihan Wu and Eli Chien and Bo Li and Pin-Yu Chen and Pan Li},
      year={2026},
      eprint={2605.05630},
      archivePrefix={arXiv},
      primaryClass={cs.CL},
      url={https://arxiv.org/abs/2605.05630}, 
}
```