Table of Contents
Fetching ...

Provable Defense Framework for LLM Jailbreaks via Noise-Augumented Alignment

Zehua Cheng, Jianwei Yang, Wei Dai, Jiahao Sun

TL;DR

This work tackles the vulnerability of large language models to adaptive jailbreaks by establishing a certifiable robustness framework for discrete token inputs. It introduces Certified Semantic Smoothing (CSS) via Stratified Randomized Ablation, which preserves structural prompts while randomly abating semantic payloads, and enhances practicality with Noise-Augmented Alignment Tuning (NAAT) to function as a semantic denoiser. The robustness radius is derived using Hypergeometric sampling, yielding rigorous guarantees against $l_0$ perturbations, and a Monte Carlo certification pipeline with abstention ensures safe operation. Empirically, on Llama-3-8B-Instruct, CSS dramatically reduces the Attack Success Rate from high levels (e.g., 84.2%) to near-zero (1.2%) while maintaining benign utility (around 94%), outperforming character-level baselines and providing a deterministic safety certificate for adversaries within the provable radius.

Abstract

Large Language Models (LLMs) remain vulnerable to adaptive jailbreaks that easily bypass empirical defenses like GCG. We propose a framework for certifiable robustness that shifts safety guarantees from single-pass inference to the statistical stability of an ensemble. We introduce Certified Semantic Smoothing (CSS) via Stratified Randomized Ablation, a technique that partitions inputs into immutable structural prompts and mutable payloads to derive rigorous lo norm guarantees using the Hypergeometric distribution. To resolve performance degradation on sparse contexts, we employ Noise-Augmented Alignment Tuning (NAAT), which transforms the base model into a semantic denoiser. Extensive experiments on Llama-3 show that our method reduces the Attack Success Rate of gradient-based attacks from 84.2% to 1.2% while maintaining 94.1% benign utility, significantly outperforming character-level baselines which degrade utility to 74.3%. This framework provides a deterministic certificate of safety, ensuring that a model remains robust against all adversarial variants within a provable radius.

Provable Defense Framework for LLM Jailbreaks via Noise-Augumented Alignment

TL;DR

This work tackles the vulnerability of large language models to adaptive jailbreaks by establishing a certifiable robustness framework for discrete token inputs. It introduces Certified Semantic Smoothing (CSS) via Stratified Randomized Ablation, which preserves structural prompts while randomly abating semantic payloads, and enhances practicality with Noise-Augmented Alignment Tuning (NAAT) to function as a semantic denoiser. The robustness radius is derived using Hypergeometric sampling, yielding rigorous guarantees against perturbations, and a Monte Carlo certification pipeline with abstention ensures safe operation. Empirically, on Llama-3-8B-Instruct, CSS dramatically reduces the Attack Success Rate from high levels (e.g., 84.2%) to near-zero (1.2%) while maintaining benign utility (around 94%), outperforming character-level baselines and providing a deterministic safety certificate for adversaries within the provable radius.

Abstract

Large Language Models (LLMs) remain vulnerable to adaptive jailbreaks that easily bypass empirical defenses like GCG. We propose a framework for certifiable robustness that shifts safety guarantees from single-pass inference to the statistical stability of an ensemble. We introduce Certified Semantic Smoothing (CSS) via Stratified Randomized Ablation, a technique that partitions inputs into immutable structural prompts and mutable payloads to derive rigorous lo norm guarantees using the Hypergeometric distribution. To resolve performance degradation on sparse contexts, we employ Noise-Augmented Alignment Tuning (NAAT), which transforms the base model into a semantic denoiser. Extensive experiments on Llama-3 show that our method reduces the Attack Success Rate of gradient-based attacks from 84.2% to 1.2% while maintaining 94.1% benign utility, significantly outperforming character-level baselines which degrade utility to 74.3%. This framework provides a deterministic certificate of safety, ensuring that a model remains robust against all adversarial variants within a provable radius.
Paper Structure (22 sections, 4 theorems, 15 equations, 1 figure, 3 tables, 1 algorithm)

This paper contains 22 sections, 4 theorems, 15 equations, 1 figure, 3 tables, 1 algorithm.

Key Result

Lemma 1

Let $x, x' \in \mathcal{X}$ be two inputs such that $\|x - x'\|_{0, sem} = r$. Let $\mathcal{M}_k$ be the space of all valid ablation masks preserving $I_{struct}$ and retaining $k$ tokens from $I_{sem}$. There exists a coupling between the random variables $\tilde{x} \sim \phi(x; k)$ and $\tilde{x}

Figures (1)

  • Figure 1: Part 1: Noise-Augmented Alignment Tuning (NAAT) illustrates the fine-tuning protocol designed to resolve performance degradation caused by inference on sparse contexts. By training the base model on inputs subjected to stratified randomized ablation, NAAT transforms the LLM into a semantic denoiser robust to information sparsity, capable of reconstructing intent from partial evidence. Part 2: Certified Semantic Smoothing (CSS) depicts the inference process. Inputs are partitioned into immutable structural support sets ($I_{struct}$) and mutable semantic payloads ($I_{sem}$). An ensemble of ablated inputs created via randomized attention masking is processed by the NAAT-tuned base LLM. The results are aggregated via majority vote to form a smoothed classifier $G(x)$ that provides a deterministic certificate of safety (Certified Radius $R$) against $l_0$ norm perturbations, shifting the safety guarantee to the statistical stability of the ensemble.

Theorems & Definitions (4)

  • Lemma 1: The Common Substructure Coupling
  • Theorem 1: Finite-Sample Certified Radius
  • Proposition 1: The Deterministic Collapse
  • Proposition 2: The Sparse Regime