Towards Understanding the Robustness of Sparse Autoencoders
This work provides a novel defense mechanism against jailbreak attacks in LLMs by leveraging SAEs, offering a practical approach to improve robustness without modifying model weights.
The paper investigates the robustness implications of integrating Sparse Autoencoders (SAEs) into transformer residual streams at inference time, finding that SAE-augmented models achieve up to a 5x reduction in jailbreak success rate across multiple model families and attacks.
Large Language Models (LLMs) remain vulnerable to optimization-based jailbreak attacks that exploit internal gradient structure. While Sparse Autoencoders (SAEs) are widely used for interpretability, their robustness implications remain underexplored. We present a study of integrating pretrained SAEs into transformer residual streams at inference time, without modifying model weights or blocking gradients. Across four model families (Gemma, LLaMA, Mistral, Qwen) and two strong white-box attacks (GCG, BEAST) plus three black-box benchmarks, SAE-augmented models achieve up to a 5x reduction in jailbreak success rate relative to the undefended baseline and reduce cross-model attack transferability. Parametric ablations reveal (i) a monotonic dose-response relationship between L0 sparsity and attack success rate, and (ii) a layer-dependent defense-utility tradeoff, where intermediate layers balance robustness and clean performance. These findings are consistent with a representational bottleneck hypothesis: sparse projection reshapes the optimization geometry exploited by jailbreak attacks.