Differentiated Directional Intervention: A Framework for Evading LLM Safety Alignment

Peng Zhang, Peijie Sun

TL;DR

This paper reframes LLM safety alignment as a bi-dimensional activation phenomenon, separating Harm Detection and Refusal Execution into distinct directions. It introduces Differentiated Bi-Directional Intervention (DBDI), a white-box framework that identifies two vectors and an optimal layer offline, then applies a two-step, inference-time intervention: first projecting out the Refusal Execution component and then steering away from the Harm Detection direction. Empirical results show DBDI achieves high attack success rates across multiple models and benchmarks (e.g., up to 97.88% ASR on AdvBench for Llama-2-7B) and outperforms existing jailbreaking methods, with robustness to hyperparameters and data efficiency via classifier-guided sparsification. The findings offer a precise, modular mechanism for understanding and evaluating LLM safety alignment, with implications for stronger defenses that acknowledge the underlying multi-direction nature of safety signals.

Abstract

Safety alignment instills in Large Language Models (LLMs) a critical capacity to refuse malicious requests. Prior works have modeled this refusal mechanism as a single linear direction in the activation space. We posit that this is an oversimplification that conflates two functionally distinct neural processes: the detection of harm and the execution of a refusal. In this work, we deconstruct this single representation into a Harm Detection Direction and a Refusal Execution Direction. Leveraging this fine-grained model, we introduce Differentiated Bi-Directional Intervention (DBDI), a new white-box framework that precisely neutralizes the safety alignment at a critical layer. DBDI applies adaptive projection nullification to the refusal execution direction while suppressing the harm detection direction via direct steering. Extensive experiments demonstrate that DBDI outperforms prominent jailbreaking methods, achieving up to a 97.88% attack success rate on models such as Llama-2. By providing a more granular and mechanistic framework, our work offers a new direction for the in-depth understanding of LLM safety alignment.

Paper Structure

This paper contains 50 sections, 10 equations, 8 figures, 8 tables.

Figures (8)

  • Figure 1: Conceptual Overview of an Activation Attack. The top path shows a standard safety-aligned LLM refusing a malicious prompt. The bottom path illustrates how an activation attack directly manipulates the model's internal hidden states, bypassing the safety mechanism to compel a harmful, compliant response.
  • Figure 2: Overview of the Differentiated Bi-Directional Intervention (DBDI) Framework. The framework consists of two phases. (Top) The one-time offline calibration phase, where contrasting prompt pairs are used to extract the Refusal Execution Vector ($\vec{v}_{\text{refusal}}$) and the Harm Detection Vector ($\vec{v}_{\text{harm}}$), and to identify the optimal intervention layer, $l^*$. (Bottom) The real-time inference phase, where for a given malicious prompt, the hidden state at the critical layer $l^*$ is intercepted and manipulated according to our intervention formula, leading to a misaligned output.
  • Figure 3: Impact of Sparsification Threshold on Attack Success Rate. ASR as a function of the fraction of the most discriminative neurons retained ($k$) for the intervention vector, evaluated on Llama-2. A fraction of 1.0 corresponds to no sparsification (using the raw vector). Performance peaks when retaining a sparse subset (25-50%) of neurons, confirming the necessity of the sparsification step.
  • Figure 4: ASR Heatmap for Hyperparameters $\alpha$ and $\beta$. The heatmap shows the Attack Success Rate (ASR) on Llama-2-7B as a function of the intervention strength parameters $\alpha$ (x-axis) and $\beta$ (y-axis). The large, stable region of high performance (dark red) demonstrates that the DBDI framework is robust to the specific choice of these hyperparameters.
  • Figure 5: Chat Standard template used for all of our models. The double quote symbols denote the template start and end.
  • ...and 3 more figures