Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Feature-Aware Malicious Output Detection and Mitigation

Weilong Dong, Peiguang Li, Yu Tian, Xinyi Zeng, Fengdi Li, Sirui Wang

TL;DR

A feature-aware method for harmful response rejection (FMM), which detects the presence of malicious features within the model's feature space and adaptively adjusts the model's rejection mechanism.

Abstract

The rapid advancement of large language models (LLMs) has brought significant benefits to various domains while introducing substantial risks. Despite being fine-tuned through reinforcement learning, LLMs lack the capability to discern malicious content, limiting their defense against jailbreak. To address these safety concerns, we propose a feature-aware method for harmful response rejection (FMM), which detects the presence of malicious features within the model's feature space and adaptively adjusts the model's rejection mechanism. By employing a simple discriminator, we detect potential malicious traits during the decoding phase. Upon detecting features indicative of toxic tokens, FMM regenerates the current token. By employing activation patching, an additional rejection vector is incorporated during the subsequent token generation, steering the model towards a refusal response. Experimental results demonstrate the effectiveness of our approach across multiple language models and diverse attack techniques, while crucially maintaining the models' standard generation capabilities.

Feature-Aware Malicious Output Detection and Mitigation

TL;DR

A feature-aware method for harmful response rejection (FMM), which detects the presence of malicious features within the model's feature space and adaptively adjusts the model's rejection mechanism.

Abstract

The rapid advancement of large language models (LLMs) has brought significant benefits to various domains while introducing substantial risks. Despite being fine-tuned through reinforcement learning, LLMs lack the capability to discern malicious content, limiting their defense against jailbreak. To address these safety concerns, we propose a feature-aware method for harmful response rejection (FMM), which detects the presence of malicious features within the model's feature space and adaptively adjusts the model's rejection mechanism. By employing a simple discriminator, we detect potential malicious traits during the decoding phase. Upon detecting features indicative of toxic tokens, FMM regenerates the current token. By employing activation patching, an additional rejection vector is incorporated during the subsequent token generation, steering the model towards a refusal response. Experimental results demonstrate the effectiveness of our approach across multiple language models and diverse attack techniques, while crucially maintaining the models' standard generation capabilities.

Paper Structure

This paper contains 21 sections, 2 equations, 3 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Jailbreak Attacks
  4. Defensive Mechanism
  5. Methods
  6. Malicious Output Detection
  7. Refusal Response Triggering
  8. Experiments
  9. Datasets and Metrics
  10. Attack Methods
  11. Baselines
  12. Victim Models
  13. Layers to Intervene
  14. Experimental Results
  15. Malicious Outputs are Mitigated
  16. ...and 6 more sections

Figures (3)

  • Figure 1: t-SNE results of hidden states.
  • Figure 2: The pipeline of FMM. We first train a detector and collected intervention vectors. During the decoding process, once detect the generation of malicious token, the intervention vector is used to induce the model to refuse.
  • Figure 3: Varying the layers to steer.