SafeInt: Shielding Large Language Models from Jailbreak Attacks via Safety-Aware Representation Intervention
Jiaqi Wu, Chen Chen, Chunyan Hou, Xiaojie Yuan
TL;DR
SafeInt addresses jailbreak safety in LLMs by introducing a safety-aware representation intervention that relocates jailbreak-related representations into the model's rejection region. It combines a low-rank subspace relocation, distribution alignment via a classifier and contrastive learning, and a reconstruction constraint to minimize collateral impact, with a final objective $\mathcal{L}_{total} = \alpha \sum_{l \in \mathbb{L}^a} (\mathcal{L}_{cls}^{(l)} + \mathcal{L}_{ct}^{(l)}) + \beta \mathcal{L}_{recon}$ and relocation $\widetilde{\mathbf{h}}^{(\mathcal{I})} = \mathbf{h}^{(\mathcal{I})} + \mathbf{U}^\top \left( f_{\boldsymbol{\theta}}(\mathbf{h}^{(\mathcal{I})}) - \mathbf{U}\mathbf{h}^{(\mathcal{I})} \right)$. Empirically, SafeInt achieves state-of-the-art defense across six jailbreak attacks on two open-source LLMs, while largely preserving downstream utility and demonstrating robustness to adaptive real-time attacks. The approach enables efficient, inference-integrated safeguards by operating within a protected subspace without extensive prompt engineering or decoding overhead. Overall, SafeInt provides a practical and scalable safety layer for real-world LLM deployments.
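The relocation formula above only rewrites the part of the hidden state that lies in the subspace spanned by the rows of $\mathbf{U}$, which is what keeps collateral impact small. The following added example (not the paper's code) checks this numerically in plain Python. It assumes $\mathbf{U}$ has orthonormal rows and that $f_{\boldsymbol{\theta}}$ is a linear map; the dimensions, seed and helper names are illustrative.

```python
import random

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def orthonormal_rows(r, d, rng):
    """Gram-Schmidt: r orthonormal rows in R^d (assumed property of U)."""
    rows = []
    while len(rows) < r:
        v = [rng.gauss(0, 1) for _ in range(d)]
        for u in rows:
            c = dot(v, u)
            v = [x - c * y for x, y in zip(v, u)]
        n = dot(v, v) ** 0.5
        if n > 1e-9:
            rows.append([x / n for x in v])
    return rows

def project(U, h):
    """U h: coordinates of h inside the r-dimensional subspace."""
    return [dot(u, h) for u in U]

def lift(U, z):
    """U^T z: map subspace coordinates back to R^d."""
    return [sum(U[i][j] * z[i] for i in range(len(U))) for j in range(len(U[0]))]

def relocate(h, U, f):
    """h~ = h + U^T (f(h) - U h), the relocation from the summary above."""
    delta = [t - c for t, c in zip(f(h), project(U, h))]
    return [x + y for x, y in zip(h, lift(U, delta))]

def demo(d=8, r=2, seed=0):
    rng = random.Random(seed)
    U = orthonormal_rows(r, d, rng)
    # Assumed form of f_theta: a linear map W h + b with constructed weights.
    W = [[rng.gauss(0, 1) for _ in range(d)] for _ in range(r)]
    b = [rng.gauss(0, 1) for _ in range(r)]
    f = lambda h: [dot(w, h) + bi for w, bi in zip(W, b)]
    h = [rng.gauss(0, 1) for _ in range(d)]  # constructed hidden state
    h_new = relocate(h, U, f)
    # Inside the subspace the state is replaced: U h~ should equal f(h).
    in_err = max(abs(a - t) for a, t in zip(project(U, h_new), f(h)))
    # Outside the subspace nothing moves: (I - U^T U) h~ == (I - U^T U) h.
    residual = lambda v: [x - y for x, y in zip(v, lift(U, project(U, v)))]
    out_err = max(abs(a - c) for a, c in zip(residual(h_new), residual(h)))
    return in_err, out_err

if __name__ == "__main__":
    print(demo())
```

Both returned errors are at floating-point noise level: the intervention sets the subspace coordinates to $f_{\boldsymbol{\theta}}(\mathbf{h})$ and leaves the orthogonal complement untouched.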
Abstract
With the widespread real-world deployment of large language models (LLMs), ensuring their behavior complies with safety standards has become crucial. Jailbreak attacks exploit vulnerabilities in LLMs to induce undesirable behavior, posing a significant threat to LLM safety. Previous defenses often fail to achieve both effectiveness and efficiency simultaneously. Defenses from a representation perspective offer new insights, but existing interventions cannot dynamically adjust representations based on the harmfulness of the queries. To address this limitation, we propose SafeIntervention (SafeInt), a novel defense method that shields LLMs from jailbreak attacks through safety-aware representation intervention. Built on our analysis of the representations of jailbreak samples, the core idea of SafeInt is to relocate jailbreak-related representations into the rejection region. This is achieved by intervening in the representation distributions of jailbreak samples to align them with those of unsafe samples. We conduct comprehensive experiments covering six jailbreak attacks, two jailbreak datasets, and two utility benchmarks. Experimental results demonstrate that SafeInt outperforms all baselines in defending LLMs against jailbreak attacks while largely maintaining utility. Additionally, we evaluate SafeInt against adaptive attacks and verify its effectiveness in mitigating real-time attacks.
