
DELMAN: Dynamic Defense Against Large Language Model Jailbreaking with Model Editing

Yi Wang, Fenghua Weng, Sibei Yang, Zhan Qin, Minlie Huang, Wenjie Wang

TL;DR

DELMAN addresses jailbreak vulnerabilities in deployed LLMs by enabling dynamic, post-deployment defense through direct editing of a compact set of parameters. It constructs a direct k^*-to-v^* link by identifying harmful token representations at a targeted layer and learning a safe response vector, while employing KL-divergence regularization to preserve benign utility. The method updates the down-weight matrices in a small set of MLP layers via a closed-form least-squares solution and distributes edits across multiple layers to maintain stability. Empirical results show DELMAN substantially reduces jailbreak ASR across diverse models and attack types with minimal utility loss, and it demonstrates transferability across datasets and the feasibility of consecutive edits, highlighting practical potential for continual safety alignment in deployed LLMs.
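The closed-form least-squares update the TL;DR describes is easier to follow on a toy layer. The block below is an added illustration, not the paper's code and not its exact objective: it performs a rank-one edit of a single down-projection matrix so that a constructed harmful key k* maps exactly to a constructed safe-response vector v*, while keeping the matrix's outputs on a set of constructed benign keys as unchanged as possible. That benign-preservation term is a per-layer least-squares stand-in for the paper's KL-divergence regularization, which the abstract applies to the model's outputs rather than to one layer. The dimensions, the random weights and keys, the regulariser `lam`, and the function names are all assumptions; the multi-layer distribution of edits mentioned in the TL;DR is not modelled.

```python
import numpy as np

# Constructed toy dimensions (assumption): a down-projection W maps a
# d_in-dimensional MLP hidden state to a d_out-dimensional residual update.
D_IN, D_OUT, N_BENIGN = 16, 8, 200
_rng = np.random.default_rng(0)

# Constructed benign keys: they live mostly in the first half of the input
# space, with only small noise in the second half.
K_BENIGN = np.concatenate(
    [_rng.normal(size=(D_IN // 2, N_BENIGN)),
     0.01 * _rng.normal(size=(D_IN // 2, N_BENIGN))], axis=0)

# Constructed "harmful" key k*: a small component inside the benign subspace
# plus a clear component in the directions benign keys barely use.
K_STAR = np.concatenate(
    [0.3 * _rng.normal(size=D_IN // 2), _rng.normal(size=D_IN // 2)])

W_ORIG = _rng.normal(size=(D_OUT, D_IN)) / np.sqrt(D_IN)  # constructed weights
V_STAR = _rng.normal(size=D_OUT)                           # constructed safe-response vector


def least_squares_edit(W, K_benign, k_star, v_star, lam=1e-3):
    """Closed-form rank-one edit: return W' with W' k* = v* exactly, choosing
    among all such W' the one minimising ||(W' - W) K_benign||_F^2.

    C = K_benign K_benign^T + lam*I is the regularised key covariance. The
    update direction C^{-1} k* is large where benign keys carry little
    energy, so the edit lands in directions benign inputs rarely excite."""
    C = K_benign @ K_benign.T + lam * np.eye(W.shape[1])
    c_inv_k = np.linalg.solve(C, k_star)
    residual = v_star - W @ k_star            # what the layer must add for k*
    delta = np.outer(residual, c_inv_k) / (k_star @ c_inv_k)
    return W + delta


def naive_rank_one_edit(W, k_star, v_star):
    """Baseline with no benign-preservation term: projects the residual onto
    k* itself, so every benign key correlated with k* is perturbed too."""
    residual = v_star - W @ k_star
    return W + np.outer(residual, k_star) / (k_star @ k_star)


def max_benign_drift(W, W_new, K_benign):
    """Largest absolute change in the layer's output over the benign keys."""
    return float(np.max(np.abs((W_new - W) @ K_benign)))


def run_demo():
    """Edit the toy layer both ways and report target error and benign drift."""
    edited = least_squares_edit(W_ORIG, K_BENIGN, K_STAR, V_STAR)
    naive = naive_rank_one_edit(W_ORIG, K_STAR, V_STAR)
    return {
        "edited": edited,
        "target_error": float(np.max(np.abs(edited @ K_STAR - V_STAR))),
        "drift_least_squares": max_benign_drift(W_ORIG, edited, K_BENIGN),
        "drift_naive": max_benign_drift(W_ORIG, naive, K_BENIGN),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        if name != "edited":
            print(f"{name}: {value:.4f}")
```

The point of the comparison is the drift number: both edits hit v* exactly on k*, but the covariance-weighted update changes the layer's benign outputs by an order of magnitude less than a plain rank-one projection onto k*. That gap is what a utility check (MT-Bench in the paper's case) is measuring after an edit, and it is why an editing defense needs a preservation term rather than only a target constraint.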

Abstract

Large Language Models (LLMs) are widely applied in decision making, but their deployment is threatened by jailbreak attacks, where adversarial users manipulate model behavior to bypass safety measures. Existing defense mechanisms, such as safety fine-tuning and model editing, either require extensive parameter modifications or lack precision, leading to performance degradation on general tasks, which makes them unsuitable for post-deployment safety alignment. To address these challenges, we propose DELMAN (Dynamic Editing for LLMs JAilbreak DefeNse), a novel approach leveraging direct model editing for precise, dynamic protection against jailbreak attacks. DELMAN directly updates a minimal set of relevant parameters to neutralize harmful behaviors while preserving the model's utility. To avoid triggering a safe response in a benign context, we incorporate KL-divergence regularization to ensure the updated model remains consistent with the original model when processing benign queries. Experimental results demonstrate that DELMAN outperforms baseline methods in mitigating jailbreak attacks while preserving the model's utility, and adapts seamlessly to new attack instances, providing a practical and efficient solution for post-deployment model protection.

Paper Structure

This paper contains 39 sections, 10 equations, 11 figures, 11 tables.

Figures (11)

  • Figure 1: Upper: The three phases of safety alignment during LLMs production. Lower: LLMs editing as a dynamic defense mechanism during the deployment stage.
  • Figure 2: DELMAN consists of five steps: 1. Extract harmful tokens from the query; 2. Random context sequence generation; 3. Calculate $k^*$ of harmful tokens; 4. Estimate $v^*$ of safe response $Y_{target}$; 5. Update $W^{l^*}_{down}$ with $k^*$, $v^*$.
  • Figure 3: ASR across four datasets (HB, AB, JBB, and MI) for LLMs under three attack methods: GCG, AutoDAN, and PAIR. Each bar group compares five defense strategies --- Original Model, LoRA, SafeDecoding, LED, and DELMAN.
  • Figure 4: Comparison of MT-Bench sub-scores across eight skill dimensions between different defense methods on Vicuna-7B (left) and Llama2-7B (right).
  • Figure 5: ASR for Vicuna-7B after applying single-behavior DELMAN against GCG and AutoDAN attacks.
  • ...and 6 more figures