jailbreak antidote
AlphaSteer: Learning Refusal Steering with Principled Null-Space Constraint
Sheng, Leheng, Shen, Changshuo, Zhao, Weixiang, Fang, Junfeng, Liu, Xiaohao, Liang, Zhenkai, Wang, Xiang, Zhang, An, Chua, Tat-Seng
As LLMs are increasingly deployed in real-world applications, ensuring their ability to refuse malicious prompts, especially jailbreak attacks, is essential for safe and reliable use. Recently, activation steering has emerged as an effective approach for enhancing LLM safety by adding a refusal direction vector to internal activations of LLMs during inference, which will further induce the refusal behaviors of LLMs. However, indiscriminately applying activation steering fundamentally suffers from the trade-off between safety and utility, since the same steering vector can also lead to over-refusal and degraded performance on benign prompts. Although prior efforts, such as vector calibration and conditional steering, have attempted to mitigate this trade-off, their lack of theoretical grounding limits their robustness and effectiveness. To better address the trade-off between safety and utility, we present a theoretically grounded and empirically effective activation steering method called AlphaSteer. Specifically, it considers activation steering as a learnable process with two principled learning objectives: utility preservation and safety enhancement. For utility preservation, it learns to construct a nearly zero vector for steering benign data, with the null-space constraints. For safety enhancement, it learns to construct a refusal direction vector for steering malicious data, with the help of linear regression. Experiments across multiple jailbreak attacks and utility benchmarks demonstrate the effectiveness of AlphaSteer, which significantly improves the safety of LLMs without compromising general capabilities. Our codes are available at https://github.com/AlphaLab-USTC/AlphaSteer.
Jailbreak Antidote: Runtime Safety-Utility Balance via Sparse Representation Adjustment in Large Language Models
Shen, Guobin, Zhao, Dongcheng, Dong, Yiting, He, Xiang, Zeng, Yi
As large language models (LLMs) become integral to various applications, ensuring both their safety and utility is paramount. Jailbreak attacks, which manipulate LLMs into generating harmful content, pose significant challenges to this balance. Existing defenses, such as prompt engineering and safety fine-tuning, often introduce computational overhead, increase inference latency, and lack runtime flexibility. In this paper, we introduce Jailbreak Antidote, a method that enables real-time adjustment of LLM safety preferences by manipulating a sparse subset of the model's internal states during inference. By shifting the model's hidden representations along a safety direction with varying strengths, we achieve flexible control over the safety-utility balance without additional token overhead or inference delays. Our analysis reveals that safety-related information in LLMs is sparsely distributed; adjusting approximately 5% of the internal state is as effective as modifying the entire state. Extensive experiments on nine LLMs (ranging from 2 billion to 72 billion parameters), evaluated against ten jailbreak attack methods and compared with six defense strategies, validate the effectiveness and efficiency of our approach. By directly manipulating internal states during reasoning, Jailbreak Antidote offers a lightweight, scalable solution that enhances LLM safety while preserving utility, opening new possibilities for real-time safety mechanisms in widely-deployed AI systems. Large language models (LLMs) have revolutionized natural language processing, demonstrating advanced cognitive abilities and significantly impacting various aspects of daily life. They excel in instruction understanding (Ouyang et al., 2022; Chung et al., 2024), summarization (Chung et al., 2024), and complex reasoning tasks (Kojima et al., 2022; Wang & Zhou, 2024). Applications built upon LLMs are widespread, enhancing efficiency and convenience in domains such as coding assistance (Roziere et al., 2023), medical diagnostics (Singhal et al., 2023), financial analysis (Li et al., 2023), and psychological counseling (Strachan et al., 2024; Xu et al., 2024). Given their pervasive use and profound social impact, ensuring the safety and utility of LLMs has become critically important. A central challenge in deploying LLMs is balancing safety and utility.