Smoothed Embeddings for Robust Language Models
Ryo Hase, Md Rafi Ur Rashid, Ashley Lewis, Jing Liu, Toshiaki Koike-Akino, Kieran Parsons, Ye Wang
TL;DR
This work tackles jailbreaking vulnerabilities in large language models by introducing RESTA, a defense that perturbs user-content embeddings with multiple directional noise schemes and aggregates tokens during autoregressive generation. By performing token aggregation across $k$ perturbed samples and applying a prefix-smoothing strategy, RESTA disrupts adversarial perturbations while avoiding auxiliary models, achieving favorable robustness-utility tradeoffs compared with baselines. Empirical results on Vicuna-13B and Llama-2-7B against GCG, PAIR, and RS attacks show substantial reductions in attack success rates with manageable decreases in utility on AlpacaEval and IFEval, and an ablation confirms embedding-space perturbation is essential. The approach offers a practical, scalable component for multi-layer defenses in trusted AI systems, with future work focusing on broader comparisons and integration with guard models for enhanced safety.
Abstract
Improving the safety and reliability of large language models (LLMs) is a crucial aspect of realizing trustworthy AI systems. Although alignment methods aim to suppress harmful content generation, LLMs are often still vulnerable to jailbreaking attacks that employ adversarial inputs that subvert alignment and induce harmful outputs. We propose the Randomized Embedding Smoothing and Token Aggregation (RESTA) defense, which adds random noise to the embedding vectors and performs aggregation during the generation of each output token, with the aim of better preserving semantic information. Our experiments demonstrate that our approach achieves superior robustness versus utility tradeoffs compared to the baseline defenses.
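The generation loop the abstract describes, sketched as an added toy example that is not the paper's code: only the user-content span of the context is perturbed, k noisy copies are scored, and the next token is chosen by aggregating across the copies before moving to the next step. Assumptions: a fixed random linear scorer stands in for the LLM, isotropic Gaussian noise stands in for the paper's directional noise schemes, majority vote is the assumed aggregation rule, and the prefix-smoothing strategy is not modelled.

```python
import numpy as np

# Toy stand-in for an LLM (assumption, not the paper's model): token embeddings
# and a mean-pool-then-project scorer with fixed random weights.
VOCAB, DIM = 32, 16
_rng = np.random.default_rng(0)
EMBED = _rng.normal(size=(VOCAB, DIM))   # token id -> embedding row
W_OUT = _rng.normal(size=(DIM, VOCAB))   # pooled context -> next-token logits


def next_token_logits(context_embeds: np.ndarray) -> np.ndarray:
    """One 'forward pass': mean-pool the context embeddings, project to vocab."""
    return context_embeds.mean(axis=0) @ W_OUT


def resta_generate(system_ids, user_ids, k=8, sigma=0.5, max_new=4, seed=1):
    """Decode max_new tokens; at every step the user span is re-noised k times
    and the k greedy candidates are aggregated by majority vote (assumed rule)."""
    noise_rng = np.random.default_rng(seed)
    sys_emb = EMBED[system_ids]      # system prompt: left untouched
    user_emb = EMBED[user_ids]       # user content: the region that gets smoothed
    generated = []
    for _ in range(max_new):
        gen_emb = EMBED[generated] if generated else np.empty((0, DIM))
        votes = np.zeros(VOCAB, dtype=int)
        for _ in range(k):
            # Gaussian noise here stands in for the paper's directional schemes.
            noisy_user = user_emb + sigma * noise_rng.normal(size=user_emb.shape)
            ctx = np.vstack([sys_emb, noisy_user, gen_emb])
            votes[int(np.argmax(next_token_logits(ctx)))] += 1
        generated.append(int(np.argmax(votes)))   # token aggregation across k copies
    return generated


def greedy_generate(system_ids, user_ids, max_new=4):
    """Undefended reference: k=1 and sigma=0 reduce the loop to plain greedy decoding."""
    return resta_generate(system_ids, user_ids, k=1, sigma=0.0, max_new=max_new)
```

Because the noise is re-drawn at every step, the per-token vote is what absorbs a small adversarial shift of the user embeddings; sweeping sigma and k against the greedy baseline is the robustness-utility tradeoff the paper measures.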
