A2D: Any-Order, Any-Step Safety Alignment for Diffusion Language Models
This addresses safety vulnerabilities in flexible text generation models for users deploying dLLMs in real-world applications, representing a novel method for a known bottleneck.
The paper tackled the problem of safety alignment in diffusion large language models (dLLMs) against any-order and any-step attacks, achieving near-zero success rates for harmful outputs, such as reducing DIJA attack success from over 80% to 1.3% or 0.0% on specific models, and enabling up to 19.3x faster safe termination.
Diffusion large language models (dLLMs) enable any-order generation, but this flexibility enlarges the attack surface: harmful spans may appear at arbitrary positions, and template-based prefilling attacks such as DIJA bypass response-level refusals. We introduce A2D (Any-Order, Any-Step Defense), a token-level alignment method that aligns dLLMs to emit an [EOS] refusal signal whenever harmful content arises. By aligning safety directly at the token-level under randomized masking, A2D achieves robustness to both any-decoding-order and any-step prefilling attacks under various conditions. It also enables real-time monitoring: dLLMs may begin a response but automatically terminate if unsafe continuation emerges. On safety benchmarks, A2D consistently prevents the generation of harmful outputs, slashing DIJA success rates from over 80% to near-zero (1.3% on LLaDA-8B-Instruct, 0.0% on Dream-v0-Instruct-7B), and thresholded [EOS] probabilities allow early rejection, yielding up to 19.3x faster safe termination.