Large Language Models (LLMs) have demonstrated exceptional capabilities across diverse tasks, driving the development and widespread adoption of LLM-as-a-Judge systems for automated evaluation, including red teaming and benchmarking. However, these systems are susceptible to adversarial attacks that can manipulate evaluation outcomes, raising critical concerns about their robustness and trustworthiness. Existing evaluation methods for LLM-based judges are often fragmented and lack a unified framework for comprehensive robustness assessment. Furthermore, the impact of prompt template design and model selection on judge robustness has rarely been explored, and their performance in real-world deployments remains largely unverified. To address these gaps, we introduce RobustJudge, a fully automated and scalable framework designed to systematically evaluate the robustness of LLM-as-a-Judge systems. Specifically, RobustJudge investigates the effectiveness of 15 attack methods and 7 defense strategies across 12 models (RQ1), examines the impact of prompt template design and model selection (RQ2), and evaluates the security of real-world deployments (RQ3). Our study yields three key findings: (1) LLM-as-a-Judge systems are highly vulnerable to attacks such as PAIR and combined attacks, while defense mechanisms such as re-tokenization and LLM-based detectors can provide enhanced protection; (2) robustness varies substantially across prompt templates (up to 40%); (3) deploying RobustJudge on Alibaba's PAI platform uncovers previously undiscovered vulnerabilities. These results offer practical insights for building trustworthy LLM-as-a-Judge systems.

翻译：大型语言模型（LLMs）已在多样化任务中展现出卓越能力，推动了LLM-as-a-Judge系统在自动化评估（包括红队测试与基准测试）中的开发与广泛应用。然而，这些系统易受对抗性攻击影响，可能操纵评估结果，引发了对其鲁棒性与可信度的严重关切。现有针对基于LLM的评判系统的评估方法往往零散且缺乏统一的鲁棒性综合评估框架。此外，提示模板设计与模型选择对评判系统鲁棒性的影响鲜有研究，其在实际部署中的性能也大多未经验证。为填补这些空白，我们提出了RobustJudge——一个全自动、可扩展的框架，旨在系统评估LLM-as-a-Judge系统的鲁棒性。具体而言，RobustJudge在12个模型上研究了15种攻击方法与7种防御策略的有效性（研究问题1），考察了提示模板设计与模型选择的影响（研究问题2），并评估了实际部署场景的安全性（研究问题3）。我们的研究得出三个关键发现：（1）LLM-as-a-Judge系统对PAIR等攻击及组合攻击高度脆弱，而重标记化与基于LLM的检测器等防御机制可提供增强保护；（2）不同提示模板间的鲁棒性差异显著（最高达40%）；（3）在阿里巴巴PAI平台部署RobustJudge揭示了此前未发现的漏洞。这些结果为构建可信的LLM-as-a-Judge系统提供了实用洞见。