LLM-Agnostic Semantic Representation Attack

📅 2026-05-09
🤖 AI Summary
This work addresses the limitations of existing token-level adversarial attacks against large language models (LLMs), which often suffer from poor convergence, unnatural prompts, and weak cross-model generalization when bypassing alignment mechanisms. To overcome these challenges, we propose Semantic Representation Attack (SRA), a novel framework that shifts the adversarial objective from exact textual matching to malicious semantic representation, enabling white-box convergence and black-box transferability while preserving semantic consistency. We establish, for the first time, a theoretical connection between semantic consistency and attack convergence, derive a cross-model semantic generalization bound, and introduce a discrete prompt generation mechanism based on Semantic Representation Heuristic Search (SRHS) to ensure prompt readability and structural coherence. Experiments demonstrate that SRA achieves an average attack success rate of 99.71% across 26 open-source LLMs, exhibiting exceptional transferability and stealthiness.
📝 Abstract
Large Language Models (LLMs) increasingly employ alignment techniques to prevent harmful outputs. Despite these safeguards, attackers can circumvent them by crafting adversarial prompts. Predominant token-level optimization methods primarily rely on optimizing for exact affirmative templates (e.g., "Sure, here is..."). However, these paradigms frequently encounter bottlenecks such as suboptimal convergence, compromised prompt naturalness, and poor cross-model generalization. To address these limitations, we propose Semantic Representation Attack (SRA), a novel LLM-agnostic paradigm that fundamentally reconceptualizes adversarial objectives from exact textual targeting to malicious semantic representations. Theoretically, we establish the semantic Coherence-Convergence Relationship and derive a Cross-Model Semantic Generalization bound, proving that maintaining semantic coherence guarantees both white-box semantic convergence and black-box transferability. Technically, we operationalize this framework via the Semantic Representation Heuristic Search (SRHS) algorithm, which preserves interpretability and structural coherence of the adversarial prompts during incremental discrete token chunk expansion. Extensive evaluations demonstrate that our framework achieves a 99.71% average attack success rate across 26 open-source LLMs, with strong transferability and stealth.
Problem

Research questions and friction points this paper is trying to address.

adversarial prompts
token-level optimization
cross-model generalization
semantic coherence
alignment bypass
Innovation

Methods, ideas, or system contributions that make the work stand out.

Semantic Representation Attack
LLM-agnostic
Adversarial Prompting
Cross-Model Generalization
Heuristic Search