Steering in the Shadows: Causal Amplification for Activation Space Attacks in Large Language Models

TL;DR

This work reveals a covert activation-space vulnerability in decoder-only LLMs by linking BOS attention sinks and compression valleys to a high-gain frontier for behavioral control. It formalizes the Causal Amplification Effect (CAE) and introduces Sensitivity-Scaled Steering (SSS), a two-stage white-box attack that seeds a BOS perturbation and adaptively reinforces it using local Jacobian sensitivity, enabling progressive behavioral drift while preserving coherence. Across four open-weight models and four behavioral axes, SSS achieves strong shifts in evil, hallucination, sycophancy, and sentiment with minimal impact on general abilities, outperforming prior activation-steering baselines in efficacy and stealth. The results underscore a concrete activation-space security risk and motivate defenses such as introspection-based monitoring and activation-space safeguards beyond traditional prompts or weight-based defenses.

Abstract

Modern large language models (LLMs) are typically secured by auditing data, prompts, and refusal policies, while treating the forward pass as an implementation detail. We show that intermediate activations in decoder-only LLMs form a vulnerable attack surface for behavioral control. Building on recent findings on attention sinks and compression valleys, we identify a high-gain region in the residual stream where small, well-aligned perturbations are causally amplified along the autoregressive trajectory--a Causal Amplification Effect (CAE). We exploit this as an attack surface via Sensitivity-Scaled Steering (SSS), a progressive activation-level attack that combines beginning-of-sequence (BOS) anchoring with sensitivity-based reinforcement to focus a limited perturbation budget on the most vulnerable layers and tokens. We show that across multiple open-weight models and four behavioral axes, SSS induces large shifts in evil, hallucination, sycophancy, and sentiment while preserving high coherence and general capabilities, turning activation steering into a concrete security concern for white-box and supply-chain LLM deployments.

Figures (9)

• Figure 1: Overview of the Sensitivity-Scaled Steering (SSS) method. SSS combines (A) BOS Anchoring, where a single BOS-seed perturbation is injected and naturally amplified by massive BOS activation in the compression valley, and (B) Adaptive Reinforcement, where sensitivity- and $\gamma$-scaled micro-injections are applied selectively across token positions during generation. A steering direction $v_{\text{steer}}$ is extracted using constructive contrastive pairs and PCA/DiM at the optimal steering layer $l^*$. (C) SSS achieves strong behavioral shifts while preserving coherence, outperforming BOS-only and constant vector baselines.
• Figure 2: Layer-wise steering performance of the DeepSeek-R1-7B model across four behavioral categories. The $\Delta \mathrm{S}$ measures the magnitude of behavioral shift induced by activation injection at each layer. Steerability increases in the lower-to-mid layers, peaks around layers 15–17, and decreases thereafter.
• Figure 4: Projection trajectories for the BOS-only, Adaptive-only, and Full SSS variants on the Beshift dataset. BOS-only shows limited or unstable shift depending on the coefficient, Adaptive-only produces strong but oscillatory drift, while Full SSS yields the most stable and consistent progression toward the target behavior.
• Figure 5: Layer-wise performance across different models. Each plot shows the behavior shift $\Delta S$ as a function of the injection layer index.
• Figure : (a) Beshift