You Can't Eat Your Cake and Have It Too: The Performance Degradation of LLMs with Jailbreak Defense
Wuyuao Mai, Geng Hong, Pei Chen, Xudong Pan, Baojun Liu, Yuan Zhang, Haixin Duan, Min Yang
TL;DR
This work addresses the safety-utility trade-off in large language models under jailbreak defenses. It introduces USEBench, a three-part benchmark (U-Bench for utility, S-Bench for safety, and E-Bench for exaggerated-safety) and USEIndex, a composite end-to-end metric, to evaluate defense strategies across seven mainstream LLMs in an end-to-end fashion. Key findings show that while defenses can elevate safety, they frequently degrade utility and usability, with effects varying across models and defense stages; model fine-tuning offers the most balanced trade-off, yet even it reduces safety in some cases. The study highlights the practical implications for developers and practitioners: defense decisions should balance safety gains against usability costs, and future work should pursue more efficient defenses that preserve legitimate user experience.
Abstract
With the rise of generative large language models (LLMs) like LLaMA and ChatGPT, these models have significantly transformed daily life and work by providing advanced insights. However, as jailbreak attacks continue to circumvent built-in safety mechanisms, exploiting carefully crafted scenarios or tokens, the safety risks of LLMs have come into focus. While numerous defense strategies--such as prompt detection, modification, and model fine-tuning--have been proposed to counter these attacks, a critical question arises: do these defenses compromise the utility and usability of LLMs for legitimate users? Existing research predominantly focuses on the effectiveness of defense strategies without thoroughly examining their impact on performance, leaving a gap in understanding the trade-offs between LLM safety and performance. Our research addresses this gap by conducting a comprehensive study on the utility degradation, safety elevation, and exaggerated-safety escalation of LLMs with jailbreak defense strategies. We propose USEBench, a novel benchmark designed to evaluate these aspects, along with USEIndex, a comprehensive metric for assessing overall model performance. Through experiments on seven state-of-the-art LLMs, we found that mainstream jailbreak defenses fail to ensure both safety and performance simultaneously. Although model-finetuning performs the best overall, their effectiveness varies across LLMs. Furthermore, vertical comparisons reveal that developers commonly prioritize performance over safety when iterating or fine-tuning their LLMs.
