
Hiding in Plain Text: Detecting Concealed Jailbreaks via Activation Disentanglement

Amirhossein Farzam, Majid Behabahani, Mani Malek, Yuriy Nevmyvaka, Guillermo Sapiro

TL;DR

This work introduces a self-supervised framework for disentangling semantic factor pairs in LLM activations at inference and proposes FrameShield, an anomaly detector operating on the framing representations that improves model-agnostic detection across multiple LLM families with minimal computational overhead.

Abstract

Large language models (LLMs) remain vulnerable to jailbreak prompts that are fluent and semantically coherent, and therefore difficult to detect with standard heuristics. A particularly challenging failure mode occurs when an attacker tries to hide the malicious goal of their request by manipulating its framing to induce compliance. Because these attacks maintain malicious intent through a flexible presentation, defenses that rely on structural artifacts or goal-specific signatures can fail. Motivated by this, we introduce a self-supervised framework for disentangling semantic factor pairs in LLM activations at inference. We instantiate the framework for goal and framing and construct GoalFrameBench, a corpus of prompts with controlled goal and framing variations, which we use to train a Representation Disentanglement on Activations (ReDAct) module to extract disentangled representations in a frozen LLM. We then propose FrameShield, an anomaly detector operating on the framing representations, which improves model-agnostic detection across multiple LLM families with minimal computational overhead. Theoretical guarantees for ReDAct and extensive empirical validations show that its disentanglement effectively powers FrameShield. Finally, we use disentanglement as an interpretability probe, revealing distinct profiles for goal and framing signals and positioning semantic disentanglement as a building block for both LLM safety and mechanistic interpretability.

Paper Structure (58 sections, 4 theorems, 25 equations, 8 figures, 7 tables)

This paper contains 58 sections, 4 theorems, 25 equations, 8 figures, 7 tables.

Key Result

Proposition 4.1

Let $\mathcal{Z} = \{(X_i, X_j, \iota_{i,j})\}_{(i,j) \in \mathcal{P}_A \cup \mathcal{P}_B}$ be the set of triples from the sets of positive pairs. Under the assumptions that (i) $\mathcal{A}$ and $\mathcal{B}$ are finite, and (ii) every $a\in\mathcal{A}$ appears in at least one pair in $\mathcal{P}

Figures (8)

  • Figure 1: A visual summary of our pipeline. ReDAct learns disentangled goal and framing representations from frozen LLM activations using the contrastive pairs in the GoalFrameBench corpus we construct. FrameShield can then detect jailbreak prompts via anomaly detection on the disentangled framing representation.
  • Figure 2: Visualization of how varying the framing of a prompt leads to a jailbreak.
  • Figure 3: Examples of contrastive prompts for goal and framing pairs in GoalFrameBench. The prompts are abbreviated here due to space limitations; the full examples are included in the appendix (appendix_sec:prompts).
  • Figure 4: ReDAct Architecture.
  • Figure 5: Strength of association between goal and framing and their corresponding representations learned by ReDAct across the second half of Llama2-7B layers (other LLMs in the appendix figure fig:eta2_layers_appendix). Blue and red bars show $\eta^2(G,v_g)$ and $\eta^2(F,v_f)$, respectively.

Theorems & Definitions (10)

  • Proposition 4.1
  • Proposition 4.2
  • Definition 4.3
  • Remark 4.4
  • proof
  • Lemma 3.1
  • proof
  • proof
  • Proposition 3.2
  • proof