Table of Contents
Fetching ...

GateBreaker: Gate-Guided Attacks on Mixture-of-Expert LLMs

Lichao Wu, Sasha Behrouzi, Mohamadreza Rostami, Stjepan Picek, Ahmad-Reza Sadeghi

TL;DR

Mixture-of-Experts LLMs enable scalable, sparse computation but concentrate safety alignment in narrow neural subspaces. GateBreaker presents a training-free, inference-time three-stage attack—gate-level profiling, expert-level localization, and targeted safety removal—that reveals and disables safety structures with minimal utility loss. Across eight open MoE LLMs and five MoE Vision-Language Models, the method raises average ASR to 64.9% and 60.9% respectively, with strong cross-model transfer of safety neurons. The work exposes a critical MoE-specific safety vulnerability and motivates defenses that distribute safety across many experts and strengthen safety monitoring at inference time.

Abstract

Mixture-of-Experts (MoE) architectures have advanced the scaling of Large Language Models (LLMs) by activating only a sparse subset of parameters per input, enabling state-of-the-art performance with reduced computational cost. As these models are increasingly deployed in critical domains, understanding and strengthening their alignment mechanisms is essential to prevent harmful outputs. However, existing LLM safety research has focused almost exclusively on dense architectures, leaving the unique safety properties of MoEs largely unexamined. The modular, sparsely-activated design of MoEs suggests that safety mechanisms may operate differently than in dense models, raising questions about their robustness. In this paper, we present GateBreaker, the first training-free, lightweight, and architecture-agnostic attack framework that compromises the safety alignment of modern MoE LLMs at inference time. GateBreaker operates in three stages: (i) gate-level profiling, which identifies safety experts disproportionately routed on harmful inputs, (ii) expert-level localization, which localizes the safety structure within safety experts, and (iii) targeted safety removal, which disables the identified safety structure to compromise the safety alignment. Our study shows that MoE safety concentrates within a small subset of neurons coordinated by sparse routing. Selective disabling of these neurons, approximately 3% of neurons in the targeted expert layers, significantly increases the averaged attack success rate (ASR) from 7.4% to 64.9% against the eight latest aligned MoE LLMs with limited utility degradation. These safety neurons transfer across models within the same family, raising ASR from 17.9% to 67.7% with one-shot transfer attack. Furthermore, GateBreaker generalizes to five MoE vision language models (VLMs) with 60.9% ASR on unsafe image inputs.

GateBreaker: Gate-Guided Attacks on Mixture-of-Expert LLMs

TL;DR

Mixture-of-Experts LLMs enable scalable, sparse computation but concentrate safety alignment in narrow neural subspaces. GateBreaker presents a training-free, inference-time three-stage attack—gate-level profiling, expert-level localization, and targeted safety removal—that reveals and disables safety structures with minimal utility loss. Across eight open MoE LLMs and five MoE Vision-Language Models, the method raises average ASR to 64.9% and 60.9% respectively, with strong cross-model transfer of safety neurons. The work exposes a critical MoE-specific safety vulnerability and motivates defenses that distribute safety across many experts and strengthen safety monitoring at inference time.

Abstract

Mixture-of-Experts (MoE) architectures have advanced the scaling of Large Language Models (LLMs) by activating only a sparse subset of parameters per input, enabling state-of-the-art performance with reduced computational cost. As these models are increasingly deployed in critical domains, understanding and strengthening their alignment mechanisms is essential to prevent harmful outputs. However, existing LLM safety research has focused almost exclusively on dense architectures, leaving the unique safety properties of MoEs largely unexamined. The modular, sparsely-activated design of MoEs suggests that safety mechanisms may operate differently than in dense models, raising questions about their robustness. In this paper, we present GateBreaker, the first training-free, lightweight, and architecture-agnostic attack framework that compromises the safety alignment of modern MoE LLMs at inference time. GateBreaker operates in three stages: (i) gate-level profiling, which identifies safety experts disproportionately routed on harmful inputs, (ii) expert-level localization, which localizes the safety structure within safety experts, and (iii) targeted safety removal, which disables the identified safety structure to compromise the safety alignment. Our study shows that MoE safety concentrates within a small subset of neurons coordinated by sparse routing. Selective disabling of these neurons, approximately 3% of neurons in the targeted expert layers, significantly increases the averaged attack success rate (ASR) from 7.4% to 64.9% against the eight latest aligned MoE LLMs with limited utility degradation. These safety neurons transfer across models within the same family, raising ASR from 17.9% to 67.7% with one-shot transfer attack. Furthermore, GateBreaker generalizes to five MoE vision language models (VLMs) with 60.9% ASR on unsafe image inputs.
Paper Structure (34 sections, 14 equations, 4 figures, 13 tables)

This paper contains 34 sections, 14 equations, 4 figures, 13 tables.

Figures (4)

  • Figure 1: Illustration of three MoE variants.
  • Figure 2: An overview of the GateBreaker framework.
  • Figure 3: Expert Utility Score Comparison.
  • Figure 4: Expert Ablation with Descending and Ascending Order of the Malicious Expert Utility Score.