Table of Contents
Fetching ...

ALERT: Zero-shot LLM Jailbreak Detection via Internal Discrepancy Amplification

Xiao Lin, Philip Li, Zhichen Zeng, Tingwei Li, Tianxin Wei, Xuying Ning, Gaotang Li, Yuzhong Chen, Hanghang Tong

TL;DR

This work tackles the persistent risk of jailbreak attacks on large language models by proposing zero-shot jailbreak detection via ALERT, a plug-and-play detector that magnifies internal signals at layer, module, and token levels. ALERT leverages three amplification mechanisms and two Variational Information Bottleneck classifiers to achieve robust zero-shot discrimination between benign prompts and unseen jailbreaks, without modifying inputs or requiring jailbreak templates in training. Across three safety benchmarks and multiple LLM backbones, ALERT consistently attains top-tier accuracy and F1 scores, outperforming strong baselines by at least 10% and, in some cases, up to 40%. By prioritizing generalizability, efficiency, and innocuousness, the approach offers an effective, single-pass, early-detection defense suitable for real-world deployment, with potential extensions to domain adaptation and jailbreak mitigation.

Abstract

Despite rich safety alignment strategies, large language models (LLMs) remain highly susceptible to jailbreak attacks, which compromise safety guardrails and pose serious security risks. Existing detection methods mainly detect jailbreak status relying on jailbreak templates present in the training data. However, few studies address the more realistic and challenging zero-shot jailbreak detection setting, where no jailbreak templates are available during training. This setting better reflects real-world scenarios where new attacks continually emerge and evolve. To address this challenge, we propose a layer-wise, module-wise, and token-wise amplification framework that progressively magnifies internal feature discrepancies between benign and jailbreak prompts. We uncover safety-relevant layers, identify specific modules that inherently encode zero-shot discriminative signals, and localize informative safety tokens. Building upon these insights, we introduce ALERT (Amplification-based Jailbreak Detector), an efficient and effective zero-shot jailbreak detector that introduces two independent yet complementary classifiers on amplified representations. Extensive experiments on three safety benchmarks demonstrate that ALERT achieves consistently strong zero-shot detection performance. Specifically, (i) across all datasets and attack strategies, ALERT reliably ranks among the top two methods, and (ii) it outperforms the second-best baseline by at least 10% in average Accuracy and F1-score, and sometimes by up to 40%.

ALERT: Zero-shot LLM Jailbreak Detection via Internal Discrepancy Amplification

TL;DR

This work tackles the persistent risk of jailbreak attacks on large language models by proposing zero-shot jailbreak detection via ALERT, a plug-and-play detector that magnifies internal signals at layer, module, and token levels. ALERT leverages three amplification mechanisms and two Variational Information Bottleneck classifiers to achieve robust zero-shot discrimination between benign prompts and unseen jailbreaks, without modifying inputs or requiring jailbreak templates in training. Across three safety benchmarks and multiple LLM backbones, ALERT consistently attains top-tier accuracy and F1 scores, outperforming strong baselines by at least 10% and, in some cases, up to 40%. By prioritizing generalizability, efficiency, and innocuousness, the approach offers an effective, single-pass, early-detection defense suitable for real-world deployment, with potential extensions to domain adaptation and jailbreak mitigation.

Abstract

Despite rich safety alignment strategies, large language models (LLMs) remain highly susceptible to jailbreak attacks, which compromise safety guardrails and pose serious security risks. Existing detection methods mainly detect jailbreak status relying on jailbreak templates present in the training data. However, few studies address the more realistic and challenging zero-shot jailbreak detection setting, where no jailbreak templates are available during training. This setting better reflects real-world scenarios where new attacks continually emerge and evolve. To address this challenge, we propose a layer-wise, module-wise, and token-wise amplification framework that progressively magnifies internal feature discrepancies between benign and jailbreak prompts. We uncover safety-relevant layers, identify specific modules that inherently encode zero-shot discriminative signals, and localize informative safety tokens. Building upon these insights, we introduce ALERT (Amplification-based Jailbreak Detector), an efficient and effective zero-shot jailbreak detector that introduces two independent yet complementary classifiers on amplified representations. Extensive experiments on three safety benchmarks demonstrate that ALERT achieves consistently strong zero-shot detection performance. Specifically, (i) across all datasets and attack strategies, ALERT reliably ranks among the top two methods, and (ii) it outperforms the second-best baseline by at least 10% in average Accuracy and F1-score, and sometimes by up to 40%.
Paper Structure (27 sections, 9 equations, 7 figures, 5 tables)

This paper contains 27 sections, 9 equations, 7 figures, 5 tables.

Figures (7)

  • Figure 1: Illustration of three jailbreak detection tasks. Jailbreak attack templates (AutoDAN and Adaptive Attack) are color-coded. Full-shot detection considers identical attacks in training and testing, few-shot task detects different attacks, and zero-shot detection excludes all attack templates from training.
  • Figure 2: The main pipeline of Alert. Through three amplification stages, Alert identifies safety-relevant layers, selects discriminative modules to extract zero-shot–suitable features, and applies token-level weighted aggregation to emphasize safety-informative tokens, with amplified representations used for joint prediction.
  • Figure 3: Layer-wise log-scaled symmetric KL divergence between hidden states of different prompt pairs. Prompt pairs are specified in the subfigure titles (e.g., Benign vs Harmful), and layers with large divergence are highlighted in a red background.
  • Figure 4: Relationship between relative difference and channel frequency across feature categories. The red dashed line ($\operatorname{RD}=1$) serves as a reference, since prompts of type $p$ is distinguishable from harmful prompts on the $i$-th channel if $\operatorname{RD}(i, p) > 1$.
  • Figure 5: Distance distributions between two jailbreak prompt components and their corresponding prototype vectors under different feature categories (gating and context features).
  • ...and 2 more figures