From Shallow to Deep: Pinning Semantic Intent via Causal GRPO
This work addresses a significant problem for developers and users of large language models, providing a more robust defense against adversarial attacks.
The researchers tackled the problem of large language models' vulnerability to adversarial prefix attacks, and their proposed framework, TSC-GRPO, significantly outperformed baselines in defending against jailbreak attacks. The model achieved robust late-stage refusals, preserving general utility.
Large Language Models remain vulnerable to adversarial prefix attacks (e.g., ``Sure, here is'') despite robust standard safety. We diagnose this vulnerability as Shallow Safety Alignment, stemming from a pathology we term semantic representation decay: as the model generates compliant prefixes, its internal malicious intent signal fades. To address this, we propose Two-Stage Causal-GRPO (TSC-GRPO), a framework designed to achieve intent pinning. First, grounded in causal identifiability theory, we train a causal intent probe to disentangle invariant intent from stylistic perturbations. Second, we internalize this causal awareness into the policy via Group Relative Policy Optimization. By employing a cumulative causal penalty within ``fork-in-the-road'' training scenarios, we force the model to learn that accumulating harmful tokens monotonically decreases reward, enabling robust late-stage refusals. Experiments show that TSC-GRPO significantly outperforms baselines in defending against jailbreak attacks while preserving general utility.