TRYLOCK: Defense-in-Depth Against LLM Jailbreaks via Layered Preference and Representation Engineering
Scott Thornton
TL;DR
This paper presents TRYLOCK, a defense-in-depth architecture for LLM safety that combines four mechanisms across the inference stack: DPO weight-level safety, RepE activation-space steering, an adaptive sidecar classifier, and input canonicalization. On Mistral-7B-Instruct with 249 attack prompts, TRYLOCK achieves an 88.0% relative reduction in Attack Success Rate (ASR), with each layer contributing unique, non-redundant coverage and a notable non-monotonic steering phenomenon around $\alpha=1.0$. The adaptive sidecar reduces over-refusal from 60% to 48% while preserving attack defense, illustrating improved usability without sacrificing security. Generalization is demonstrated on JailbreakBench with substantial ASR reductions, and the authors release all components and evaluation methodology to enable full reproducibility. Collectively, TRYLOCK demonstrates that a multi-layer, heterogeneous defense can provide robust, practical protection against evolving jailbreak strategies in LLMs.
Abstract
Large language models remain vulnerable to jailbreak attacks, and single-layer defenses often trade security for usability. We present TRYLOCK, the first defense-in-depth architecture that combines four heterogeneous mechanisms across the inference stack: weight-level safety alignment via DPO, activation-level control via Representation Engineering (RepE) steering, adaptive steering strength selected by a lightweight sidecar classifier, and input canonicalization to neutralize encoding-based bypasses. On Mistral-7B-Instruct evaluated against a 249-prompt attack set spanning five attack families, TRYLOCK achieves 88.0% relative ASR reduction (46.5% to 5.6%), with each layer contributing unique coverage: RepE blocks 36% of attacks that bypass DPO alone, while canonicalization catches 14% of encoding attacks that evade both. We discover a non-monotonic steering phenomenon -- intermediate strength (alpha=1.0) degrades safety below baseline -- and provide mechanistic hypotheses explaining RepE-DPO interference. The adaptive sidecar reduces over-refusal from 60% to 48% while maintaining identical attack defense, demonstrating that security and usability need not be mutually exclusive. We release all components -- trained adapters, steering vectors, sidecar classifier, preference pairs, and complete evaluation methodology -- enabling full reproducibility.
