Differentiated Directional Intervention A Framework for Evading LLM Safety Alignment
This work addresses the vulnerability of LLM safety mechanisms for AI security researchers, offering a more granular understanding but is incremental as it builds on prior jailbreaking methods.
The authors tackled the problem of oversimplifying LLM safety alignment as a single linear direction by deconstructing it into harm detection and refusal execution directions, resulting in a new framework that achieved up to 97.88% attack success rate in jailbreaking models like Llama-2.
Safety alignment instills in Large Language Models (LLMs) a critical capacity to refuse malicious requests. Prior works have modeled this refusal mechanism as a single linear direction in the activation space. We posit that this is an oversimplification that conflates two functionally distinct neural processes: the detection of harm and the execution of a refusal. In this work, we deconstruct this single representation into a Harm Detection Direction and a Refusal Execution Direction. Leveraging this fine-grained model, we introduce Differentiated Bi-Directional Intervention (DBDI), a new white-box framework that precisely neutralizes the safety alignment at critical layer. DBDI applies adaptive projection nullification to the refusal execution direction while suppressing the harm detection direction via direct steering. Extensive experiments demonstrate that DBDI outperforms prominent jailbreaking methods, achieving up to a 97.88\% attack success rate on models such as Llama-2. By providing a more granular and mechanistic framework, our work offers a new direction for the in-depth understanding of LLM safety alignment.