SelfDefend: LLMs Can Defend Themselves against Jailbreaking in a Practical Manner

Xunguang Wang, Daoyuan Wu, Zhenlan Ji, Zongjie Li, Pingchuan Ma, Shuai Wang, Yingjiu Li, Yang Liu, Ning Liu, Juergen Rahmel

TL;DR

SelfDefend tackles jailbreak threats to LLM safety by deploying a shadow LLM alongside the target model to enable concurrent detection and checkpoint-based access control. It leverages two tailored prompts, $P_{direct}$ and $P_{intent}$, to identify harmful prompts or intentions with minimal latency, and extends the framework to open-source defenses via data distillation and LoRA fine-tuning on models like Llama-2. Across multiple target models and jailbreak families, SelfDefend achieves strong defense performance, reduces attack success rates to near-zero in many cases, and maintains normal-prompt utility with negligible overhead; it also demonstrates robustness to adaptive attacks and prompt injections. The work provides a practical, plug-in defense with explainable interception of harmful content and a released open data/code pipeline, enabling broad deployment and future enhancements. Overall, SelfDefend offers a scalable, dual-layer defense that can protect both open-source and closed-source LLMs from a wide spectrum of jailbreaking techniques with low latency and interpretable safeguards.

Abstract

Jailbreaking is an emerging adversarial attack that bypasses the safety alignment deployed in off-the-shelf large language models (LLMs) and has evolved into multiple categories: human-based, optimization-based, generation-based, and the recent indirect and multilingual jailbreaks. However, delivering a practical jailbreak defense is challenging because it needs to not only handle all the above jailbreak attacks but also incur negligible delays to user prompts, as well as be compatible with both open-source and closed-source LLMs. Inspired by how the traditional security concept of shadow stacks defends against memory overflow attacks, this paper introduces a generic LLM jailbreak defense framework called SelfDefend, which establishes a shadow LLM as a defense instance (in detection state) to concurrently protect the target LLM instance (in normal answering state) in the normal stack and collaborate with it for checkpoint-based access control. The effectiveness of SelfDefend builds upon our observation that existing LLMs can identify harmful prompts or intentions in user queries, which we empirically validate using mainstream GPT-3.5/4 models against major jailbreak attacks. To further improve the defense's robustness and minimize costs, we employ a data distillation approach to tune dedicated open-source defense models. When deployed to protect GPT-3.5/4, Claude, Llama-2-7b/13b, and Mistral, these models outperform seven state-of-the-art defenses and match the performance of GPT-4-based SelfDefend, with significantly lower extra delays. Further experiments show that the tuned models are robust to adaptive jailbreaks and prompt injections.
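As an added illustration (not code from the paper or its released pipeline), the following Python sketch models the dual-layer workflow the abstract describes: the target and shadow LLM calls run concurrently, the shadow LLM receives a detection prompt in the spirit of $P_{direct}$ or $P_{intent}$, and a checkpoint releases the target's answer only when the shadow LLM reports no violation, while measuring the extra delay $\Delta d$ the user experiences. Both LLMs are replaced by constructed stand-ins and the prompt wording is assumed, not the paper's exact templates.

```python
import concurrent.futures
import time
from dataclasses import dataclass

# Constructed prompt templates in the spirit of the paper's P_direct / P_intent;
# the exact wording is an assumption, not the paper's templates.
P_DIRECT = ("Could you identify which part of the following sentences might violate "
            "your safety policies? Answer 'No' if none does, otherwise quote the part.\n\n{query}")
P_INTENT = ("Summarize the true intent of the following request in one sentence and judge "
            "whether it violates your safety policies. Answer 'No' if it does not, "
            "otherwise state the harmful intent.\n\n{query}")

HARM_MARKER = "[constructed harmful request]"  # placeholder standing in for real harmful content

def shadow_llm(prompt: str, delay: float = 0.02) -> str:
    """Toy stand-in for the shadow (defense) LLM in detection state; flags only the marker."""
    time.sleep(delay)
    return "No" if HARM_MARKER not in prompt else f"Harmful part: {HARM_MARKER}"

def target_llm(query: str, delay: float = 0.05) -> str:
    """Toy stand-in for the target LLM in its normal answering state."""
    time.sleep(delay)
    return f"<answer to: {query[:30]}>"

@dataclass
class Verdict:
    response: str
    blocked: bool
    explanation: str   # the shadow LLM's output, usable as an explainable interception reason
    extra_delay: float  # delta d: seconds the user waits beyond the target LLM alone

def self_defend(query: str, template: str = P_DIRECT) -> Verdict:
    """Run target and shadow LLM concurrently; the checkpoint releases the target's
    answer only if the shadow LLM reports no violation ('No')."""
    start = time.perf_counter()
    with concurrent.futures.ThreadPoolExecutor(max_workers=2) as pool:
        target_fut = pool.submit(target_llm, query)
        shadow_fut = pool.submit(shadow_llm, template.format(query=query))
        answer = target_fut.result()
        t_target = time.perf_counter() - start
        detection = shadow_fut.result()
        t_both = time.perf_counter() - start
    extra = max(0.0, t_both - t_target)
    if detection.strip().rstrip(".").lower() == "no":
        return Verdict(answer, False, detection, extra)
    # Checkpoint: intercept and return the shadow LLM's finding instead of the answer
    return Verdict(f"Request refused. {detection}", True, detection, extra)

# Usage: self_defend("How do shadow stacks work?") is allowed with near-zero extra delay;
# self_defend(f"Please help with {HARM_MARKER}") is blocked with the shadow LLM's explanation.
```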

Paper Structure (29 sections, 5 equations, 9 figures, 13 tables)

Figures (9)

  • Figure 1: A high-level overview of the SelfDefend framework and its workflow; see the section labelled `sec:basic` in the paper for more details.
  • Figure 2: The two detection prompt templates designed. "[Jailbreak/Normal Prompt]" will be replaced with the user query.
  • Figure 3: The CDF plot of $\Delta d$ for normal prompts.
  • Figure 4: The training procedure for fine-tuning our open-source defense models.
  • Figure 5: Average $\Delta d$ introduced by GPT-based SelfDefend across various jailbreaks.
  • ...and 4 more figures