SPIRIT: Patching Speech Language Models against Jailbreak Attacks
Amirbek Djanibekov, Nurdaulet Mukhituly, Kentaro Inui, Hanan Aldarmaki, Nils Lukas
TL;DR
This work reveals that speech language models are particularly susceptible to jailbreak attacks that exploit audio perturbations, with attacks achieving up to 100% success on certain prompts. It introduces post hoc, inference‑time defenses based on mechanistic interpretability, notably activation patching, to swap or modify vulnerable activations without retraining and with minimal impact on utility. Through extensive experiments on open‑source SLMs and diverse benchmarks, the authors show that activation patching at the language model level yields the strongest defense while preserving performance, outperforming prior denoising approaches. The findings highlight practical, low‑overhead strategies to harden SLMs against adversarial jailbreaks and point to future work on hybrid and transfer‑robust defenses.
Abstract
Speech Language Models (SLMs) enable natural interactions via spoken instructions, which more effectively capture user intent by detecting nuances in speech. The richer speech signal introduces new security risks compared to text-based models, as adversaries can better bypass safety mechanisms by injecting imperceptible noise to speech. We analyze adversarial attacks and find that SLMs are substantially more vulnerable to jailbreak attacks, which can achieve a perfect 100% attack success rate in some instances. To improve security, we propose post-hoc patching defenses used to intervene during inference by modifying the SLM's activations that improve robustness up to 99% with (i) negligible impact on utility and (ii) without any re-training. We conduct ablation studies to maximize the efficacy of our defenses and improve the utility/security trade-off, validated with large-scale benchmarks unique to SLMs.
