Latent-space Attacks for Refusal Evasion in Language Models
Summary
A new method, Controlled Latent-space Evasion (CLE), significantly enhances refusal suppression in safety-aligned language models by recasting it as a latent-space evasion attack. This approach reinterprets prior refusal-ablation techniques as minimum-confidence evasion, which only projects activations onto a decision boundary. CLE, in contrast, pushes internal representations further into the compliant region with an optimized confidence margin. The study introduces two variants: CLE-P, which reprojects every token activation, and CLE-A, which applies a single, universal perturbation computed once on the post-instruction token. CLE-A achieved state-of-the-art attack success rates, averaging 87.29% across 15 instruction-tuned, multimodal, and reasoning models, outperforming existing ablation methods by up to 78.49 points and prompt-level jailbreak attacks like GCG and SAA at a fraction of the computational cost.
Key takeaway
For AI Security Engineers developing or evaluating LLM safeguards, this research indicates that current refusal alignment mechanisms are vulnerable to sophisticated latent-space attacks. You should prioritize developing defenses that actively discourage linear separability of refusal features in latent space, rather than relying solely on ablation techniques. Consider integrating non-linear or distributed refusal representations to enhance robustness against controlled evasion.
Key insights
Refusal suppression in LLMs is a latent-space evasion problem, where controlled confidence attacks surpass prior ablation methods.
Principles
- Refusal ablation is minimum-confidence evasion.
- Controlled confidence evasion is more effective.
- Linear probes predict refusal from activations.
Method
Train layer-wise linear SVM probes on post-instruction activations. Optimize binary layer masks and non-negative margins via Bayesian Optimization to apply controlled-confidence perturbations, either projectively (CLE-P) or additively (CLE-A).
In practice
- Employ SVM probes for superior refusal prediction.
- Optimize layer windows and confidence margins.
- Apply additive perturbations for sustained evasion.
Topics
- Latent-space Attacks
- Refusal Evasion
- Language Model Safety
- Activation Steering
- Linear Probes
- Bayesian Optimization
Code references
Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, Machine Learning Engineer, AI Security Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by cs.AI updates on arXiv.org.