Response-Based Knowledge Distillation for Multilingual Jailbreak Prevention Unwittingly Compromises Safety

Max Zhang, Derek Liu, Kai Zhang, Joshua Franco, Haihao Liu

TL;DR

This paper investigates whether response-based knowledge distillation (KD) with LoRA can improve multilingual jailbreaking safety by transferring a strong teacher's refusal behavior to open-source models. Contrary to expectations, KD consistently worsens safety across several student architectures, with notable degradation in Gemma-2-2B-IT and variable language generalization. The authors identify three interlinked causes—nuanced boundary data, vulnerability amplification, and catastrophic forgetting—and show that preliminary data purification (removing boundary data) can partially reverse safety declines. A GSM8K reasoning trade-off accompanies safety degradation, suggesting that improving safety via KD may come at the cost of reasoning capabilities. The work emphasizes the need for data-centric safeguards and further research into distillation methods that preserve or enhance multilingual safety without compromising reasoning or generalization.

Abstract

Large language models (LLMs) are increasingly deployed worldwide, yet their safety alignment remains predominantly English-centric. This allows for vulnerabilities in non-English contexts, especially with low-resource languages. We introduce a novel application of knowledge distillation (KD) in the context of multilingual jailbreak prevention, examining its efficacy. We distill the refusal behaviors of a proprietary teacher model (OpenAI o1-mini) with Low-Rank Adaptation (LoRA) into three open-source student models: Meta-Llama-3-8B-Instruct, Gemma-2-2B-IT, and Qwen3-8B, using ~28,000 multilingual jailbreak prompts from XSafety via black-box response-based, parameter-efficient fine-tuning (PEFT). Evaluation on the MultiJail benchmark reveals a counterintuitive behavior: standard fine-tuning on the teacher's "safe" refusal data inadvertently increases Jailbreak Success Rate (JSR) for all student models, up to 16.6 percentage points. Our experiments reveal a divergent generalization to unseen languages during distillation, with varying outcomes depending on the base model. By removing a primary source of safety degradation, nuanced "boundary" refusals, we mitigate or even reverse safety declines in student models, although reductions in reasoning performance (GSM8K) persist. Overall, our exploratory study highlights the challenges and potential of KD as a technique for multilingual safety alignment, offering a foundation for future research in this direction.

Paper Structure (46 sections, 2 equations, 8 figures, 15 tables)

This paper contains 46 sections, 2 equations, 8 figures, 15 tables.

Figures (8)

  • Figure 1: The five-stage pipeline for response-based knowledge distillation. First, multilingual jailbreak prompts are sourced from the XSafety dataset. Second, the teacher model, o1-mini, generates safe refusal responses to these prompts. Third, the prompts and their corresponding refusals are paired to create the distillation dataset. Fourth, the student models—Meta-Llama-3-8B-Instruct, Gemma-2-2B-IT, and Qwen3-8B—are fine-tuned on this dataset using LoRA PEFT. Finally, the safety of the fine-tuned models is evaluated on the MultiJail benchmark, with responses graded by GPT-4o.
  • Figure 2: Teacher model o1-mini's evaluation scores on MultiJail, showing the number of safe, unsafe, and invalid responses per language.
  • Figure 3: Baseline (left) and LoRA tuned (right) Meta-Llama-3-8B-Instruct evaluation scores on MultiJail, showing the number of safe, unsafe, and invalid responses per language.
  • Figure 4: Baseline (left) and LoRA tuned (right) Gemma-2-2B-IT evaluation scores on MultiJail, showing the number of safe, unsafe, and invalid responses per language.
  • Figure 5: Baseline (left) and LoRA tuned (right) Qwen3-8B evaluation scores on MultiJail, showing the number of safe, unsafe, and invalid responses per language.
  • ...and 3 more figures