Provable Defense Framework for LLM Jailbreaks via Noise-Augumented Alignment
Zehua Cheng, Jianwei Yang, Wei Dai, Jiahao Sun
TL;DR
This work tackles the vulnerability of large language models to adaptive jailbreaks by establishing a certifiable robustness framework for discrete token inputs. It introduces Certified Semantic Smoothing (CSS) via Stratified Randomized Ablation, which preserves structural prompts while randomly abating semantic payloads, and enhances practicality with Noise-Augmented Alignment Tuning (NAAT) to function as a semantic denoiser. The robustness radius is derived using Hypergeometric sampling, yielding rigorous guarantees against $l_0$ perturbations, and a Monte Carlo certification pipeline with abstention ensures safe operation. Empirically, on Llama-3-8B-Instruct, CSS dramatically reduces the Attack Success Rate from high levels (e.g., 84.2%) to near-zero (1.2%) while maintaining benign utility (around 94%), outperforming character-level baselines and providing a deterministic safety certificate for adversaries within the provable radius.
Abstract
Large Language Models (LLMs) remain vulnerable to adaptive jailbreaks that easily bypass empirical defenses like GCG. We propose a framework for certifiable robustness that shifts safety guarantees from single-pass inference to the statistical stability of an ensemble. We introduce Certified Semantic Smoothing (CSS) via Stratified Randomized Ablation, a technique that partitions inputs into immutable structural prompts and mutable payloads to derive rigorous lo norm guarantees using the Hypergeometric distribution. To resolve performance degradation on sparse contexts, we employ Noise-Augmented Alignment Tuning (NAAT), which transforms the base model into a semantic denoiser. Extensive experiments on Llama-3 show that our method reduces the Attack Success Rate of gradient-based attacks from 84.2% to 1.2% while maintaining 94.1% benign utility, significantly outperforming character-level baselines which degrade utility to 74.3%. This framework provides a deterministic certificate of safety, ensuring that a model remains robust against all adversarial variants within a provable radius.
