Table of Contents
Fetching ...

JPU: Bridging Jailbreak Defense and Unlearning via On-Policy Path Rectification

Xi Wang, Songlei Jian, Shasha Li, Xiaopeng Li, Zhaoye Li, Bin Ji, Baosheng Wang, Jie Yu

TL;DR

This work addresses the brittleness of safety-aligned LLMs to jailbreaks by identifying that static unlearning fails against dynamic jailbreak paths that propagate through non-erased intermediate parameters. It introduces Jailbreak Path Unlearning (JPU), a three-stage framework that on-policy mines adversarial samples, identifies jailbreak paths via a scalable, Taylor-approximation-based flow metric, and rectifies these paths toward safety anchors while preserving utility. Key contributions include experimental evidence that dynamic jailbreak paths persist in erased models, the first path-centric unlearning paradigm, and substantial improvements in jailbreak resistance across diverse attacks with minimal utility loss. The approach offers practical implications for deploying safer LLMs in dynamic threat environments and provides a foundation for future path-aware defense strategies.

Abstract

Despite extensive safety alignment, Large Language Models (LLMs) often fail against jailbreak attacks. While machine unlearning has emerged as a promising defense by erasing specific harmful parameters, current methods remain vulnerable to diverse jailbreaks. We first conduct an empirical study and discover that this failure mechanism is caused by jailbreaks primarily activating non-erased parameters in the intermediate layers. Further, by probing the underlying mechanism through which these circumvented parameters reassemble into the prohibited output, we verify the persistent existence of dynamic $\textbf{jailbreak paths}$ and show that the inability to rectify them constitutes the fundamental gap in existing unlearning defenses. To bridge this gap, we propose $\textbf{J}$ailbreak $\textbf{P}$ath $\textbf{U}$nlearning (JPU), which is the first to rectify dynamic jailbreak paths towards safety anchors by dynamically mining on-policy adversarial samples to expose vulnerabilities and identify jailbreak paths. Extensive experiments demonstrate that JPU significantly enhances jailbreak resistance against dynamic attacks while preserving the model's utility.

JPU: Bridging Jailbreak Defense and Unlearning via On-Policy Path Rectification

TL;DR

This work addresses the brittleness of safety-aligned LLMs to jailbreaks by identifying that static unlearning fails against dynamic jailbreak paths that propagate through non-erased intermediate parameters. It introduces Jailbreak Path Unlearning (JPU), a three-stage framework that on-policy mines adversarial samples, identifies jailbreak paths via a scalable, Taylor-approximation-based flow metric, and rectifies these paths toward safety anchors while preserving utility. Key contributions include experimental evidence that dynamic jailbreak paths persist in erased models, the first path-centric unlearning paradigm, and substantial improvements in jailbreak resistance across diverse attacks with minimal utility loss. The approach offers practical implications for deploying safer LLMs in dynamic threat environments and provides a foundation for future path-aware defense strategies.

Abstract

Despite extensive safety alignment, Large Language Models (LLMs) often fail against jailbreak attacks. While machine unlearning has emerged as a promising defense by erasing specific harmful parameters, current methods remain vulnerable to diverse jailbreaks. We first conduct an empirical study and discover that this failure mechanism is caused by jailbreaks primarily activating non-erased parameters in the intermediate layers. Further, by probing the underlying mechanism through which these circumvented parameters reassemble into the prohibited output, we verify the persistent existence of dynamic and show that the inability to rectify them constitutes the fundamental gap in existing unlearning defenses. To bridge this gap, we propose ailbreak ath nlearning (JPU), which is the first to rectify dynamic jailbreak paths towards safety anchors by dynamically mining on-policy adversarial samples to expose vulnerabilities and identify jailbreak paths. Extensive experiments demonstrate that JPU significantly enhances jailbreak resistance against dynamic attacks while preserving the model's utility.
Paper Structure (26 sections, 5 equations, 6 figures, 3 tables)

This paper contains 26 sections, 5 equations, 6 figures, 3 tables.

Figures (6)

  • Figure 1: An illustration of how jailbreak path unlearning enhances jailbreak defense performance. Compared to existing unlearning defenses that exhibits the failure mechanism (a), our proposed method JPU (c) explicitly targets and rectifies the underlying issue, the existing jailbreak paths within erased-LLMs (b), achieving superior defense performance while preserve utility.
  • Figure 2: Overview of JPU. It consists of three steps. On-Policy Attack Buffer Mining: We mine adversarial samples from current model to form on-policy vulnerable attack batch. Jailbreak Path Identification: We trace critical jailbreak paths flowing from intermediate layers to harmful sink nodes in deep layers. Constraint Path Rectification: Under three constraints, we perform path rectification to enhance jailbreak defense.
  • Figure 3: Comparison of underlying adversarial circuitry with the baseline (identified by IGI within LLMs). Shaded regions denote the variability across different attack methods, while solid lines represent the averaged layer-wise IOU. The results reveal that our method, JPU, rectifies these jailbreak paths more effectively.
  • Figure 4: Ablation experiments illustrating the impact of different components of JPU. Each part of JPU plays a vital role in enhancing jailbreak resistance ability and maintaining general ability.
  • Figure 5: This figure illustrates how neuron sparsity of the jailbreak path influences JPU achieves balance between model utility and jailbreak resistance.
  • ...and 1 more figures