Latent-space Attacks for Refusal Evasion in Language Models

· Source: cs.AI updates on arXiv.org · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, extended

Summary

A new method, Controlled Latent-space Evasion (CLE), significantly enhances refusal suppression in safety-aligned language models by recasting it as a latent-space evasion attack. This approach reinterprets prior refusal-ablation techniques as minimum-confidence evasion, which only projects activations onto a decision boundary. CLE, in contrast, pushes internal representations further into the compliant region with an optimized confidence margin. The study introduces two variants: CLE-P, which reprojects every token activation, and CLE-A, which applies a single, universal perturbation computed once on the post-instruction token. CLE-A achieved state-of-the-art attack success rates, averaging 87.29% across 15 instruction-tuned, multimodal, and reasoning models, outperforming existing ablation methods by up to 78.49 points and prompt-level jailbreak attacks like GCG and SAA at a fraction of the computational cost.

Key takeaway

For AI Security Engineers developing or evaluating LLM safeguards, this research indicates that current refusal alignment mechanisms are vulnerable to sophisticated latent-space attacks. You should prioritize developing defenses that actively discourage linear separability of refusal features in latent space, rather than relying solely on ablation techniques. Consider integrating non-linear or distributed refusal representations to enhance robustness against controlled evasion.

Key insights

Refusal suppression in LLMs is a latent-space evasion problem, where controlled confidence attacks surpass prior ablation methods.

Principles

Method

Train layer-wise linear SVM probes on post-instruction activations. Optimize binary layer masks and non-negative margins via Bayesian Optimization to apply controlled-confidence perturbations, either projectively (CLE-P) or additively (CLE-A).

In practice

Topics

Code references

Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, Machine Learning Engineer, AI Security Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.AI updates on arXiv.org.