Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Robust Safety Monitoring of Language Models via Activation Watermarking

Toluwani Aremu, Daniil Ognev, Samuele Poppi, Nils Lukas

Abstract

Large language models (LLMs) can be misused to reveal sensitive information, such as weapon-making instructions or writing malware. LLM providers rely on $\emph{monitoring}$ to detect and flag unsafe behavior during inference. An open security challenge is $\emph{adaptive}$ adversaries who craft attacks that simultaneously (i) evade detection while (ii) eliciting unsafe behavior. Adaptive attackers are a major concern as LLM providers cannot patch their security mechanisms, since they are unaware of how their models are being misused. We cast $\emph{robust}$ LLM monitoring as a security game, where adversaries who know about the monitor try to extract sensitive information, while a provider must accurately detect these adversarial queries at low false positive rates. Our work (i) shows that existing LLM monitors are vulnerable to adaptive attackers and (ii) designs improved defenses through $\emph{activation watermarking}$ by carefully introducing uncertainty for the attacker during inference. We find that $\emph{activation watermarking}$ outperforms guard baselines by up to $52\%$ under adaptive attackers who know the monitoring algorithm but not the secret key.

Robust Safety Monitoring of Language Models via Activation Watermarking

Abstract

Large language models (LLMs) can be misused to reveal sensitive information, such as weapon-making instructions or writing malware. LLM providers rely on to detect and flag unsafe behavior during inference. An open security challenge is adversaries who craft attacks that simultaneously (i) evade detection while (ii) eliciting unsafe behavior. Adaptive attackers are a major concern as LLM providers cannot patch their security mechanisms, since they are unaware of how their models are being misused. We cast LLM monitoring as a security game, where adversaries who know about the monitor try to extract sensitive information, while a provider must accurately detect these adversarial queries at low false positive rates. Our work (i) shows that existing LLM monitors are vulnerable to adaptive attackers and (ii) designs improved defenses through by carefully introducing uncertainty for the attacker during inference. We find that outperforms guard baselines by up to under adaptive attackers who know the monitoring algorithm but not the secret key.
Paper Structure (30 sections, 9 equations, 19 figures, 2 tables, 1 algorithm)

This paper contains 30 sections, 9 equations, 19 figures, 2 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Contributions
  3. Background & Related Work
  4. Threat Model
  5. Method
  6. Adaptive Attackers
  7. Activation Watermarking
  8. Training
  9. Detection
  10. Experiments
  11. Adaptive Attacks Against Existing Monitors
  12. Detection Performance
  13. Ablations
  14. Impact on Utility
  15. Generalization Across Model Sizes
  16. ...and 15 more sections

Figures (19)

  • Figure 1: An overview of current monitoring systems and our proposed activation watermarking for robust LLM Safety monitoring.
  • Figure 2: Linear vs. uniform token weighting across datasets and layers. Linear weighting consistently yields higher AUROC.
  • Figure 3: Evaluation of activation watermarking (ActWM) across model sizes (Qwen2.5 7B and 14B). We report utility (IFEval) and AUROC under adaptive jailbreak attacks.
  • Figure 4: Transfer attacks developed on Mistral-7B-Instruct and evaluated against our Qwen2.5-7B watermarked model. We report AUROC and ASR (attack success rate at 1% FPR). Lower ASR and higher AUROC indicate stronger robustness.
  • Figure 5: Conditional evasion rates for prompts crafted against key $k_j$ (columns) and evaluated on detector $D_{k_i}$ (rows). Off-diagonal entries show cross-key transfer. Each key is evaluated on 200 harmful and 200 benign prompts.
  • ...and 14 more figures