On Prompt-Driven Safeguarding for Large Language Models
This work addresses the automatic optimization of safety prompts for LLMs, a question that matters to developers and users concerned with AI safety and security; the contribution is incremental, building on existing prompt-based safeguarding methods.
The paper studies how safety prompts work and how to optimize them so that large language models (LLMs) are better safeguarded against harmful queries. It finds that safety prompts move query representations in a "higher-refusal" direction and proposes DRO (Directed Representation Optimization) to optimize these prompts; DRO improved safeguarding performance on benchmarks without compromising general model performance.
Prepending model inputs with safety prompts is a common practice for safeguarding large language models (LLMs) against queries with harmful intents. However, the underlying working mechanisms of safety prompts have not been unraveled yet, restricting the possibility of automatically optimizing them to improve LLM safety. In this work, we investigate how LLMs' behavior (i.e., complying with or refusing user queries) is affected by safety prompts from the perspective of model representation. We find that in the representation space, the input queries are typically moved by safety prompts in a "higher-refusal" direction, in which models become more prone to refusing to provide assistance, even when the queries are harmless. On the other hand, LLMs are naturally capable of distinguishing harmful and harmless queries without safety prompts. Inspired by these findings, we propose a method for safety prompt optimization, namely DRO (Directed Representation Optimization). Treating a safety prompt as continuous, trainable embeddings, DRO learns to move the queries' representations along or opposite the refusal direction, depending on their harmfulness. Experiments with eight LLMs on out-of-domain and jailbreak benchmarks demonstrate that DRO remarkably improves the safeguarding performance of human-crafted safety prompts, without compromising the models' general performance.
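As an added illustration, not the paper's code, the following numpy toy reproduces the idea behind DRO on constructed data: a fixed random nonlinear map stands in for the LLM, the refusal direction is assumed to be the unit mean-difference between harmful and harmless representations measured without a prompt (the page does not say how the direction is estimated), and the prompt embedding p is optimized by gradient descent so that harmful queries move along the direction and harmless ones move against it.

```python
"""Toy DRO (directed representation optimization) in numpy; added example,
not the paper's code. A fixed random map h = tanh(W [x; p]) stands in for
the LLM (x = query input, p = trainable safety-prompt embedding)."""
import numpy as np

rng = np.random.default_rng(0)
D_IN, D_P, D_H = 8, 4, 16        # query dim, prompt dim, representation dim
W = rng.normal(scale=0.5, size=(D_H, D_IN + D_P))  # fixed random "model"

# Constructed queries: harmful ones carry a positive offset on dims 0 and 1.
harmless = rng.normal(size=(20, D_IN))
harmful = rng.normal(size=(20, D_IN)) + np.r_[2.0, 2.0, np.zeros(D_IN - 2)]

def represent(X, p):
    """Representation of each query with prompt embedding p prepended."""
    Z = np.hstack([X, np.tile(p, (len(X), 1))])
    return np.tanh(Z @ W.T)

def refusal_direction(p):
    """Assumed estimate of r: unit mean-difference, harmless -> harmful."""
    r = represent(harmful, p).mean(0) - represent(harmless, p).mean(0)
    return r / np.linalg.norm(r)

def projections(p, r):
    """Projection of each harmful / harmless representation onto r."""
    return represent(harmful, p) @ r, represent(harmless, p) @ r

def dro_loss_and_grad(p, r):
    """Loss pushes harmful queries along r and harmless ones against it."""
    loss, grad = 0.0, np.zeros(D_P)
    for X, sign in ((harmful, -1.0), (harmless, +1.0)):
        H = represent(X, p)
        loss += sign * (H @ r).mean()
        # d(h.r)/dp = W_p^T ((1 - h^2) * r), averaged over the batch
        grad += sign * (((1.0 - H**2) * r) @ W[:, D_IN:]).mean(0)
    return loss, grad

def optimize_prompt(steps=200, lr=0.05):
    """Gradient descent on p; returns (p, loss_before, loss_after)."""
    p = np.zeros(D_P)
    r = refusal_direction(p)     # direction measured without a safety prompt
    loss0, _ = dro_loss_and_grad(p, r)
    for _ in range(steps):
        p -= lr * dro_loss_and_grad(p, r)[1]
    return p, loss0, dro_loss_and_grad(p, r)[0]

if __name__ == "__main__":
    p, before, after = optimize_prompt()
    print(f"DRO loss before {before:.3f}, after {after:.3f}")
```

The loss is the mean projection of harmless queries onto r minus that of harmful queries, so a lower value after optimization means the learned prompt separates the two groups further along the refusal direction than the prompt-free model did.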