AlignTree: Efficient Defense Against LLM Jailbreak Attacks
Gil Goren, Shahar Katz, Lior Wolf
TL;DR
AlignTree addresses jailbreaking in LLMs by an in-process defense that leverages base activations and a dual-signal classifier. It fuses a linear refusal direction with non-linear SVM-based signals into a Random Forest to detect harmful prompts without extra prompts or auxiliary models. The approach achieves state-of-the-art reductions in attack success rate while maintaining low refusal rates and minimal overhead across diverse models and benchmarks, and it withstands adaptive white-box attacks. This work advances practical LLM safety by enabling real-time, activation-based alignment without significant computational burden.
Abstract
Large Language Models (LLMs) are vulnerable to adversarial attacks that bypass safety guidelines and generate harmful content. Mitigating these vulnerabilities requires defense mechanisms that are both robust and computationally efficient. However, existing approaches either incur high computational costs or rely on lightweight defenses that can be easily circumvented, rendering them impractical for real-world LLM-based systems. In this work, we introduce the AlignTree defense, which enhances model alignment while maintaining minimal computational overhead. AlignTree monitors LLM activations during generation and detects misaligned behavior using an efficient random forest classifier. This classifier operates on two signals: (i) the refusal direction -- a linear representation that activates on misaligned prompts, and (ii) an SVM-based signal that captures non-linear features associated with harmful content. Unlike previous methods, AlignTree does not require additional prompts or auxiliary guard models. Through extensive experiments, we demonstrate the efficiency and robustness of AlignTree across multiple LLMs and benchmarks.