Table of Contents
Fetching ...

XBreaking: Understanding how LLMs security alignment can be broken

Marco Arazzi, Vignesh Kumar Kembu, Antonino Nocera, Vinod P

TL;DR

This work addresses security alignment vulnerabilities in large language models by introducing XBreaking, a white-box attack guided by Explainable AI that fingerprints censoring differences between a censored model $M_c$ and its uncensored counterpart $M_u$, identifies a minimal set of influential transformer layers, and surgically injects noise into the preceding layer to bypass safety constraints. The approach proceeds in three stages: (i) XAI-based internal representation profiling to detect discriminative signals, (ii) layer-wise discrimination to select a compact target set, and (iii) precision noise injection into the upstream layer to induce harmful outputs while preserving benign performance. Experiments across seven open-source LLM families show high fingerprinting accuracy, with some models achieving 100% discrimination, and demonstrate that targeted perturbations can markedly degrade censorship across categories, revealing robust security implications. The results provide both a stark demonstration of potential vulnerabilities and a baseline for developing stronger defenses against layer-wise, explainability-guided alignment breaches in practical LLM deployments.

Abstract

Large Language Models are fundamental actors in the modern IT landscape dominated by AI solutions. However, security threats associated with them might prevent their reliable adoption in critical application scenarios such as government organizations and medical institutions. For this reason, commercial LLMs typically undergo a sophisticated censoring mechanism to eliminate any harmful output they could possibly produce. These mechanisms maintain the integrity of LLM alignment by guaranteeing that the models respond safely and ethically. In response to this, attacks on LLMs are a significant threat to such protections, and many previous approaches have already demonstrated their effectiveness across diverse domains. Existing LLM attacks mostly adopt a generate-and-test strategy to craft malicious input. To improve the comprehension of censoring mechanisms and design a targeted attack, we propose an Explainable-AI solution that comparatively analyzes the behavior of censored and uncensored models to derive unique exploitable alignment patterns. Then, we propose XBreaking, a novel approach that exploits these unique patterns to break the security and alignment constraints of LLMs by targeted noise injection. Our thorough experimental campaign returns important insights about the censoring mechanisms and demonstrates the effectiveness and performance of our approach.

XBreaking: Understanding how LLMs security alignment can be broken

TL;DR

This work addresses security alignment vulnerabilities in large language models by introducing XBreaking, a white-box attack guided by Explainable AI that fingerprints censoring differences between a censored model and its uncensored counterpart , identifies a minimal set of influential transformer layers, and surgically injects noise into the preceding layer to bypass safety constraints. The approach proceeds in three stages: (i) XAI-based internal representation profiling to detect discriminative signals, (ii) layer-wise discrimination to select a compact target set, and (iii) precision noise injection into the upstream layer to induce harmful outputs while preserving benign performance. Experiments across seven open-source LLM families show high fingerprinting accuracy, with some models achieving 100% discrimination, and demonstrate that targeted perturbations can markedly degrade censorship across categories, revealing robust security implications. The results provide both a stark demonstration of potential vulnerabilities and a baseline for developing stronger defenses against layer-wise, explainability-guided alignment breaches in practical LLM deployments.

Abstract

Large Language Models are fundamental actors in the modern IT landscape dominated by AI solutions. However, security threats associated with them might prevent their reliable adoption in critical application scenarios such as government organizations and medical institutions. For this reason, commercial LLMs typically undergo a sophisticated censoring mechanism to eliminate any harmful output they could possibly produce. These mechanisms maintain the integrity of LLM alignment by guaranteeing that the models respond safely and ethically. In response to this, attacks on LLMs are a significant threat to such protections, and many previous approaches have already demonstrated their effectiveness across diverse domains. Existing LLM attacks mostly adopt a generate-and-test strategy to craft malicious input. To improve the comprehension of censoring mechanisms and design a targeted attack, we propose an Explainable-AI solution that comparatively analyzes the behavior of censored and uncensored models to derive unique exploitable alignment patterns. Then, we propose XBreaking, a novel approach that exploits these unique patterns to break the security and alignment constraints of LLMs by targeted noise injection. Our thorough experimental campaign returns important insights about the censoring mechanisms and demonstrates the effectiveness and performance of our approach.
Paper Structure (17 sections, 1 equation, 8 figures, 4 tables)

This paper contains 17 sections, 1 equation, 8 figures, 4 tables.

Figures (8)

  • Figure 1: XBreaking for LLM security alignment deviation, (1) XAI on Censored and Uncensored LLMs, (2) ML for Optimal Layer Selection and (3) Injecting Noise.
  • Figure 2: a) Average activations of layers, b) Average attentions of layer corresponding to the input to Llama 3.2-1B for censored and uncensored
  • Figure 3: SelectKBest wise grouped accuracy for models a)Llama 3.2 - 1B, b)Llama 3.1 - 8B, c)Qwen2.5 - 0.5B, d)Qwen2.5 - 3B, e)Gemma 2B, f)Gemma 7B, g)Mistral-7B-v0.3
  • Figure 4: Elbow method to find the optimal number of layers for the model a)Llama 3.2 - 1B, b)Llama 3.1 - 8B, c)Qwen2.5 - 0.5B, d)Qwen2.5 - 3B, e)Gemma 2B, f)Gemma 7B, g)Mistral-7B-v0.3
  • Figure 5: Model fingerprinting accuracy in percentage for a)Llama 3.2 - 1B, b)Llama 3.1 - 8B, c)Qwen2.5 - 0.5B, d)Qwen2.5 - 3B, e)Gemma 2B, f)Gemma 7B, g)Mistral-7B-v0.3
  • ...and 3 more figures