Robust LLM safeguarding via refusal feature adversarial training
This work addresses the challenge of defending LLMs against adversarial attacks, which matters to both users and developers, but it is incremental in that it builds on existing adversarial training methods.
The paper tackles the problem of LLMs being vulnerable to adversarial attacks that elicit harmful responses by identifying a universal mechanism behind such attacks, refusal feature ablation (RFA), and proposing Refusal Feature Adversarial Training (ReFAT). The results show that ReFAT significantly improves the robustness of three popular LLMs against a wide range of adversarial attacks with less computational overhead than existing methods.
Large language models (LLMs) are vulnerable to adversarial attacks that can elicit harmful responses. Defending against such attacks remains challenging due to the opacity of jailbreaking mechanisms and the high computational cost of training LLMs robustly. We demonstrate that adversarial attacks share a universal mechanism for circumventing LLM safeguards that works by ablating a dimension in the residual stream embedding space called the refusal feature. We further show that the operation of refusal feature ablation (RFA) approximates the worst-case perturbation of offsetting model safety. Based on these findings, we propose Refusal Feature Adversarial Training (ReFAT), a novel algorithm that efficiently performs LLM adversarial training by simulating the effect of input-level attacks via RFA. Experimental results show that ReFAT significantly improves the robustness of three popular LLMs against a wide range of adversarial attacks, with considerably less computational overhead compared to existing adversarial training methods.
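The abstract describes two operations without spelling them out: estimating the refusal feature as a direction in the residual stream, and ablating it to simulate the worst-case perturbation that ReFAT trains against. The toy below, written for this summary and not taken from the paper or its code, makes both concrete on constructed 3-dimensional "activations". It assumes the refusal direction is estimated as the normalised difference of mean activations on harmful versus harmless prompts (the page does not state how the feature is found) and shows what a defender checks during ReFAT-style training: after ablation, the activation's component along the refusal direction is exactly zero, i.e. the harmful-prompt representation has been pushed to look like a harmless one, which is the input the model must still learn to refuse.

```python
"""Toy refusal feature ablation (RFA) as a training-time perturbation.

Added illustration, not code from the ReFAT paper. Activations are constructed
3-d vectors standing in for residual-stream states; a real model has thousands
of dimensions, but the linear algebra is identical.
"""
import math
from typing import List

Vector = List[float]

# Constructed sample activations (not from any model): the "harmful" prompts
# differ from the "harmless" ones almost entirely along the first axis.
HARMFUL_ACTS: List[Vector] = [[2.0, 1.0, 0.5], [2.2, 0.8, 0.4], [1.8, 1.2, 0.6]]
HARMLESS_ACTS: List[Vector] = [[0.0, 1.0, 0.5], [0.2, 0.9, 0.4], [-0.2, 1.1, 0.6]]


def dot(a: Vector, b: Vector) -> float:
    return sum(x * y for x, y in zip(a, b))


def norm(a: Vector) -> float:
    return math.sqrt(dot(a, a))


def mean(vectors: List[Vector]) -> Vector:
    n = len(vectors)
    return [sum(v[i] for v in vectors) / n for i in range(len(vectors[0]))]


def refusal_direction(harmful: List[Vector], harmless: List[Vector]) -> Vector:
    """Estimate the refusal feature as a unit vector.

    Assumption: difference-in-means between harmful and harmless activations.
    The summary page does not specify the estimator; this is the simplest
    linear probe that separates the two prompt classes.
    """
    diff = [h - b for h, b in zip(mean(harmful), mean(harmless))]
    scale = norm(diff)
    return [x / scale for x in diff]


def refusal_score(h: Vector, r: Vector) -> float:
    """Projection of an activation onto the refusal direction."""
    return dot(h, r)


def ablate(h: Vector, r: Vector) -> Vector:
    """Refusal feature ablation: remove the component of h along r.

    h' = h - (h . r) r, so that h' . r == 0. In ReFAT this is the perturbation
    applied to a harmful prompt's activations during training, standing in for
    an input-level jailbreak; the model is then trained to refuse anyway.
    """
    c = dot(h, r)
    return [x - c * ri for x, ri in zip(h, r)]


def simulated_attack_batch(harmful: List[Vector], r: Vector) -> List[Vector]:
    """The ablated activations a ReFAT-style step would train on."""
    return [ablate(h, r) for h in harmful]


if __name__ == "__main__":
    r = refusal_direction(HARMFUL_ACTS, HARMLESS_ACTS)
    for h, h_abl in zip(HARMFUL_ACTS, simulated_attack_batch(HARMFUL_ACTS, r)):
        print(f"before: score={refusal_score(h, r):+.3f}  "
              f"after: score={refusal_score(h_abl, r):+.3f}  {h_abl}")
```

The printed "before" scores are large and positive (the refusal feature is active), while every "after" score is zero to floating-point precision: the perturbed batch carries no refusal signal, which is exactly the worst case the robust model has to handle.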