Advancing LLM Safe Alignment with Safety Representation Ranking

TL;DR

The paper introduces Safety Representation Ranking (SRR), a framework that uses LLM internal representations to rank candidate responses by safety without modifying the model's decoding. It identifies safety-sensitive features through contrastive training on safe vs. harmful outputs and employs a lightweight Transformer ranker to score instruction-response pairs via similarity in a joint embedding space. Evaluations across Harmbench, SorryBench, and JailbreakBench with multiple base models show substantial improvements in safety ranking and robust cross-dataset generalization, with extensions demonstrating potential for privacy and fairness alignment while preserving benign performance. In real-world deployments, SRR acts as a lightweight safeguard module that reduces harmful outputs under attack with negligible impact on natural task performance and minimal overhead.

Abstract

The rapid advancement of large language models (LLMs) has demonstrated milestone success in a variety of tasks, yet their potential for generating harmful content has raised significant safety concerns. Existing safety evaluation approaches typically operate directly on textual responses, overlooking the rich information embedded in the model's internal representations. In this paper, we propose Safety Representation Ranking (SRR), a listwise ranking framework that selects safe responses using hidden states from the LLM itself. SRR encodes both instructions and candidate completions using intermediate transformer representations and ranks candidates via a lightweight similarity-based scorer. Our approach directly leverages internal model states and supervision at the list level to capture subtle safety signals. Experiments across multiple benchmarks show that SRR significantly improves robustness to adversarial prompts. Our code will be available upon publication.