AdaSteer: Your Aligned LLM is Inherently an Adaptive Jailbreak Defender
This addresses the vulnerability of LLMs to jailbreak attacks, offering a real-time, flexible safety enforcement method, though it is incremental as it builds on existing activation steering techniques.
The paper tackled the problem of jailbreak attacks on safety-aligned large language models by proposing AdaSteer, an adaptive activation steering method that dynamically adjusts model behavior based on input characteristics, resulting in outperforming baseline methods across multiple attacks with minimal impact on utility.
Despite extensive efforts in safety alignment, large language models (LLMs) remain vulnerable to jailbreak attacks. Activation steering offers a training-free defense method but relies on fixed steering coefficients, resulting in suboptimal protection and increased false rejections of benign inputs. To address this, we propose AdaSteer, an adaptive activation steering method that dynamically adjusts model behavior based on input characteristics. We identify two key properties: Rejection Law (R-Law), which shows that stronger steering is needed for jailbreak inputs opposing the rejection direction, and Harmfulness Law (H-Law), which differentiates adversarial and benign inputs. AdaSteer steers input representations along both the Rejection Direction (RD) and Harmfulness Direction (HD), with adaptive coefficients learned via logistic regression, ensuring robust jailbreak defense while preserving benign input handling. Experiments on LLaMA-3.1, Gemma-2, and Qwen2.5 show that AdaSteer outperforms baseline methods across multiple jailbreak attacks with minimal impact on utility. Our results highlight the potential of interpretable model internals for real-time, flexible safety enforcement in LLMs.