Adversarial Suffix Filtering: a Defense Pipeline for LLMs
David Khachaturov, Robert Mullins
TL;DR
Prompt jailbreaks via adversarial suffixes threaten LLM safety in deployment. The authors propose Adversarial Suffix Filtering (ASF), a model-agnostic input sanitizer that segments prompts, classifies segments as benign or suffix, and removes suspected adversarial slices before passing the prompt to the aligned model. Trained on a large synthetic suffix corpus and Alpaca prompts, ASF achieves F1 ~98.4–98.5% on segment-level classification and reduces attack success rates to below ~4% across multiple LLMs, while incurring minimal cost to benign performance. ASF is lightweight, with about 387M parameters across two small models and ~1.7 GB extra GPU memory, enabling deployment in secure enclaves or front-end pipelines. Limitations include segmentation perfection and suffix-focused scope; future work covers multilingual and non-suffix prompt attacks.
Abstract
Large Language Models (LLMs) are increasingly embedded in autonomous systems and public-facing environments, yet they remain susceptible to jailbreak vulnerabilities that may undermine their security and trustworthiness. Adversarial suffixes are considered to be the current state-of-the-art jailbreak, consistently outperforming simpler methods and frequently succeeding even in black-box settings. Existing defenses rely on access to the internal architecture of models limiting diverse deployment, increase memory and computation footprints dramatically, or can be bypassed with simple prompt engineering methods. We introduce $\textbf{Adversarial Suffix Filtering}$ (ASF), a lightweight novel model-agnostic defensive pipeline designed to protect LLMs against adversarial suffix attacks. ASF functions as an input preprocessor and sanitizer that detects and filters adversarially crafted suffixes in prompts, effectively neutralizing malicious injections. We demonstrate that ASF provides comprehensive defense capabilities across both black-box and white-box attack settings, reducing the attack efficacy of state-of-the-art adversarial suffix generation methods to below 4%, while only minimally affecting the target model's capabilities in non-adversarial scenarios.
