Understanding Jailbreak Success: A Study of Latent Space Dynamics in Large Language Models

Thank you very much for the thoughtful and comprehensive review! In the following we would like to address the two questions you had.

On comparison with automatic jailbreak attacks:
We agree that it is interesting to study automatic jailbreak attacks. This is why we included the automatic jailbreak attack GCG in our analysis, which finds a prompt-specific suffix that leads the model to jailbreak. TAP and PAIR also optimize the prompt to get the answer to a specific harmful question. The difference to GCG is that the prompts based on TAP and PAIR are human-understandable. Given our inclusion of the GCG jailbreak attack in our analyses, we expect our results to transfer to other automatic jailbreak attacks like PAIR and TAP.

On studying safety-tuned models:
The models we include in our analyses do have effective safety alignment of different forms, while still being jailbreakable. We agree that it will be interesting to study strongly aligned models, once there is a meaningful number of efficient jailbreaks for these newer models. Please refer to the global comment for a detailed explanation of our model choice.

Thank you for the comprehensive feedback! We hope our arguments and additional analyses will fully address the weaknesses and questions.

On the workflow figure: New workflow figure is included on page 4.

On representation degeneration:
Thanks for pointing out that a positive cosine similarity between jailbreak steering vectors may result from representations clustering in a cone. We carefully re-evaluated Section 5.2 by looking at cosine similarity values of our steering vectors with i) an “italian” steering vector and ii) a vector steering the model to more “happy” behavior (data from [1]). The italian vector is more closely related to our jailbreak vector setup, for which we contrasted harmful questions in English and Italian. For the happiness vector we contrast the last token activations of happy and sad statements, averaged over 203 pairs. Both the italian and happiness vectors show noticeably reduced similarity to our jailbreak vectors, which stresses the meaningfulness of their similarity. We added the results and their discussion to our paper (pages 6 and 20).

On evaluating steering performance on unrelated tasks:
It is true that subtracting the jailbreak vectors leads to a decrease in ASR scores with some reduction in answer quality in the form of repetitions (but not for all answers). Similarly, subtracting our normalized vectors during inference on harmless questions reduces performance (slightly) on the MMLU benchmark (Vicuna 7B: -1.4%points, Vicuna 13B: 0.3%p., Qwen1.5 14B Chat: -16.2 %p., MPT 7B Chat: -2.8%p.). Searching for the optimal steering parameters like a dynamic intervention strength and layer can help to reduce quality issues (see e.g. [2]). We did not conduct such a thorough analysis since the goal of our paper is to study shared underlying jailbreak mechanisms and not to find the optimal defense strategy (see global comment). We included the benchmark results in our paper, clarified the paper’s main focus, and highlighted areas where further research on defense methods is needed (page 8). For future research we would be interested to see work that extracts a shared underlying component of our jailbreak vectors, which could then be used in a steering defense framework.

On model safety training:
We chose differently aligned models for our analysis, including models aligned with fine-tuning, DPO and PPO. Our analyses indicate the transferability of results across differently aligned models.

On testing different temperature and layer values:
While the focus of our paper is on studying jailbreak mechanisms, we agree that it is valuable to think how our jailbreak vectors can be employed for defense (see global comment). Repeating our analysis for Qwen1.5 14B Chat with a temperature of 0.7 leads to very similar results compared to when no sampling is used (0.7 is the default value in commonly deployed LLM chatbots, see e.g. [3]). Looking at the layers 4, 15, 25 and 40, we observe that steering at layer 4 is by orders of magnitudes less successful than steering at the middle layer, while steering at layer 40 mainly leads to non-understandable outputs. In contrast, using steering vectors from different middle layers (15 and 25) results in comparable steering outcomes as with the middle layer, albeit with slightly less strong mitigation successes. These additional results corroborate our analyses and are in accordance with the steering literature, finding the middle layers to be most successful for steering [4,5,6] (as mentioned in our paper). We added these additional explorations to our paper (pages 8, 22). However, we would like to reiterate that finding the optimal defense strategy based on these steering vectors is not within the scope and interest of our paper and requires more research.

On checking quality for harmless dataset:
Yes, the responses of ChatGPT to generate the harmless dataset were checked by the authors to ensure quality.

Differences in model behavior:
Since we analyze a different number of jailbreak types for the models, clustering differences in our PCA analysis could be influenced by both data and architecture. Some clusters could also be more separable along a third PCA dimension. We added this consideration to the paper (page 5). However, we want to point out that the PCA clustering is only a preliminary step in our analysis and that the main part of the paper reveals consistent behavior across models.

[1] Zou, A., ... & Hendrycks, D. (2023). Representation engineering: A top-down approach to AI transparency.
[2] Marshall, T., ... & Belrose, N. (2024). Refusal in LLMs is an Affine Function.
[3] https://lmarena.ai
[4] Arditi, A., ... & Nanda, N.. Refusal in language models is mediated by a single direction.
[5] Panickssery, N., ... & Turner, A.. Steering Llama 2 via contrastive activation addition.
[6] Turner, A., ... & MacDiarmid, M. (2023). Activation addition: Steering language models without optimization.

Thank you for your review and for acknowledging that we provide a fresh view on understanding jailbreak success mechanisms. We are addressing the weaknesses and questions next.

On including Vicuna and model selection:
We agree that it is always better to include more models in experiments. However, our choice of models covers a range of models with different alignment strategies and sizes, which increases the generalizability of our results. We include Vicuna in our analysis as it has been shown to be susceptible to jailbreaks, while refraining to answer harmful requests that do not use jailbreak techniques. This makes Vicuna an interesting model to study, and it can furthermore function as a comparison to our other models that are aligned via RLHF and DPO (for further comments on model selection see global comment).

On citing literature:
The literature we cite is highly related to our research as we mention papers that we directly build on and that hypothesize how jailbreaks work. Could you please indicate which papers you find missing?

On selection of middle layer:
The main goal of our jailbreak steering analysis is to understand whether different jailbreaks work via a similar mechanism. Our results point to such a shared underlying mechanism for different model classes using the middle layer of each model. We focus on the middle layer because research shows that these are the layers where models process high level concepts and where steering is effective [1, 2, 3]. Our finding that we can successfully prevent jailbreaks via steering is a by-product of our work and gives first indications for a successful jailbreak prevention strategy via jailbreak steering vectors. We agree that the development of an optimal defense strategy needs more research, which includes finding the most effective intervention layer and strength of intervention. However, finding these optimal parameters is a separate research endeavor, which is distinct from investigating the existence of shared underlying jailbreak mechanisms. To answer the posted question, we repeat our analyses with layers 4, 15, 25, and 40 for the Qwen1.5 14B Chat model. The results show that steering is comparably effective (albeit less strong) for the other middle layers 15 and 25, significantly less effective for layer 4, and not at all effective for layer 40 as the output is greatly distorted (repetition of single tokens for many examples). Hence, we are able to replicate that steering is most effective at middle layers. We added these supporting results to the paper (pages 8, 22) and made it more explicit in the text, that we are not directly proposing a jailbreak defense method (see global comment).

[1] Andy Arditi, Oscar Obeso, Aaquib Syed, Daniel Paleka, Nina Panickssery, Wes Gurnee, and Neel Nanda. Refusal in language models is mediated by a single direction. arXiv preprint arXiv:2406.11717, 2024.

[2] Nina Panickssery, Nick Gabrieli, Julian Schulz, Meg Tong, Evan Hubinger, and Alexander Matt Turner. Steering Llama 2 via contrastive activation addition. arXiv preprint arXiv:2312.06681, 2023.

[3] Turner, A. M., Thiergart, L., Leech, G., Udell, D., Vazquez, J. J., Mini, U., & MacDiarmid, M. (2023). Activation addition: Steering language models without optimization. arXiv e-prints, arXiv-2308

Thank you for the thoughtful and comprehensive review and for acknowledging that our paper provides a new perspective and interesting findings to better understand jailbreak success mechanisms. We hope that our comments and edits to the paper help to fully address the weaknesses mentioned.

On the safety alignment of our model selection:
It is correct that the Vicuna models are not aligned via an additional RLHF step. However, the models refuse to answer the 352 harmful questions of our dataset to 98% (Vicuna 13B v1.5) and 90% (Vicuna 7B v1.5), showing that there is effective alignment in place. In order to further explore whether differently aligned models show similar behavior, we additionally analyze Qwen1.5 14B Chat, which is aligned via DPO and PPO [1] as well as MPT 7B Chat, which is aligned using the HH-RLHF dataset by Anthropic [2, 3]. Hence, we cover models with different alignment strategies, which we view as a strength of our paper. As mentioned in the global comment, we did not include more aligned models like the Llama 3 models as they have been trained to refuse the suit of jailbreaks we are considering, given the fast moving nature of the field. In order to construct a variety of meaningful jailbreak vectors that we can compare across different model families, we deliberately decided to focus on more jailbreakable but aligned models. We are convinced that the consistency of our results across these differently aligned models is helpful to increase the general understanding of jailbreak mechanisms (see reasoning in global comment).

On the behavior of different model sizes:
We agree that there are slight differences between the models in how pronounced the clustering patterns are in the PCA analysis, which we point out in the paper. Next to architectural differences, deviating clustering patterns can also result from the different number of jailbreak types that are considered for the different models. Furthermore, some clusters might be more separable along a third PCA dimension. We added these considerations to the paper (page 5). However, we would like to emphasize that the PCA clustering serves as an exploratory step in the analysis and is not the central focus of this work. The core findings of the paper highlight consistent patterns across the models, demonstrating the transferability of jailbreak steering vectors across different classes. This suggests the presence of a shared underlying mechanism. Additionally, the steering vector analyses reveal stronger patterns for bigger models: Qwen1.5 14B Chat uses SOTA alignment techniques and performs best in these analyses. Hence, we expect that if one could construct jailbreak vectors from powerful jailbreaks that break strongly aligned models, the steering results would be equally or even more pronounced.

On using jailbreak steering vectors as a defense method:
We thank the reviewer for seeing the potential of using our jailbreak steering vectors as a defense method in practice. As outlined in the global response, we agree that more research needs to be conducted to find optimal steering parameters like the intervention strength. This is important because simply subtracting our normalized jailbreak vectors from harmless questions in the MMLU benchmark can lead to more or less pronounced performance decreases (Vicuna 7B: -1.4%points, Vicuna 13B: 0.3%points, Qwen1.5 14B Chat: -16.2 %points, MPT 7B Chat: -2.8%points). However, more sophisticated steering frameworks exist, which tailor the intervention strength to the amount of a feature already present and account for a constant bias in the representation, resulting in less distortion on benign inputs (see e.g. [4]). We leave the development of such a defense framework to future research since the main goal of our paper is to study shared underlying jailbreak mechanisms. We included the benchmark results in our paper, clarified the paper’s main focus, and highlighted areas where further research on defense methods is needed (page 8).

[1] Qwen Team. (2024, February). Introducing Qwen1.5. https://qwenlm.github.io/blog/qwen1.5/

[2] https://huggingface.co/datasets/Anthropic/hh-rlhf

[3] https://www.databricks.com/blog/mpt-7b

[4] Marshall, T., Scherlis, A., & Belrose, N. (2024). Refusal in LLMs is an Affine Function. arXiv preprint arXiv:2411.09003.