LatentBreak: Jailbreaking Large Language Models through Latent Space Feedback

TL;DR

This paper introduces LatentBreak (LatB), a white-box jailbreak that evades perplexity-based detectors by performing word-level substitutions guided by latent-space feedback, rather than adding long adversarial text. LatB maintains the semantic intent of harmful prompts while shifting the model’s internal representations toward regions associated with harmless content, quantified via a latent-space centroid $\boldsymbol{\mu}$ and distances $d=\|\boldsymbol{z}^{(l)}(\boldsymbol{p})-\boldsymbol{\mu}\|_2$. The approach achieves high attack success rates across a wide range of models and defenses, outperforming traditional suffix/template attacks and remaining robust under MaxPPL detectors and resilience defenses like R2D2 and RR. The work highlights a latent-space–driven weakness in safety alignment and underlines the need for safer evaluation and defense mechanisms that do not rely solely on text-level perplexity or fluent text alone. Overall, LatB advances understanding of jailbreak dynamics in LLMs and motivates future research into more robust alignment, evaluation, and defense strategies.

Abstract

Jailbreaks are adversarial attacks designed to bypass the built-in safety mechanisms of large language models. Automated jailbreaks typically optimize an adversarial suffix or adapt long prompt templates by forcing the model to generate the initial part of a restricted or harmful response. In this work, we show that existing jailbreak attacks that leverage such mechanisms to unlock the model response can be detected by a straightforward perplexity-based filtering on the input prompt. To overcome this issue, we propose LatentBreak, a white-box jailbreak attack that generates natural adversarial prompts with low perplexity capable of evading such defenses. LatentBreak substitutes words in the input prompt with semantically-equivalent ones, preserving the initial intent of the prompt, instead of adding high-perplexity adversarial suffixes or long templates. These words are chosen by minimizing the distance in the latent space between the representation of the adversarial prompt and that of harmless requests. Our extensive evaluation shows that LatentBreak leads to shorter and low-perplexity prompts, thus outperforming competing jailbreak algorithms against perplexity-based filters on multiple safety-aligned models.

Figures (29)

• Figure 1: The LatentBreak approach and its results against perplexity-based detectors. In (a) we depict a latent-space representation of LatentBreak, shifting an initial harmful prompt (red dot) towards the harmless prompts centroid (blue dot), and resulting in a jailbreak with a few words substituted (violet dot). In (b) instead, we show the ROC curves of LatB and state-of-the-art attacks against a perplexity-based detector on $159$ standard behaviors from HarmBenchmazeika2024harmbenchstandardizedevaluationframework and $600$ harmless prompts. While competing attacks typically top the curve (i.e., all jailbreaks get easily detected), LatB is substantially less detected, comparable to the original prompt with no substitutions (None).
• Figure 2: A prompt crafted by LatentBreak. By substituting few synonims, our attack algorithm enables jailbreaking the model while preserving the semantic of the original prompt.
• Figure 3: ROC curves of LatB and competing attacks against Llama3-8B-RR-based MaxPPL$_{\boldsymbol{10}}$ detector on $159$ standard behaviors from HarmBenchmazeika2024harmbenchstandardizedevaluationframework and $600$ harmless prompts.
• Figure 4: Intent Judge ($\mathcal{J}_{intent}$) system prompt.
• Figure 5: Substitution Model ($\mathcal{S}_M$) system prompt.