ALMGuard: Safety Shortcuts and Where to Find Them as Guardrails for Audio–Language Models

Thank you for the insightful and helpful comments. We are very pleased that the reviewer acknowledged the robustness of our defense and the novelty of our method, and provided an overall positive evaluation. Below, we will try our best to address all of your concerns.

Weaknesses

Impact of training data scale

We chose 50 as the training dataset size based on two considerations:
(1) Since AdvBench-Audio contains a total of 520 samples, we think that using 50 for training strikes a reasonable balance. A larger size would make the training set proportionally too large.
(2) Our experiments show that using 50 training samples is sufficient to achieve good performance, for both seen and unseen attacks.

To further evaluate the impact of training data size, we conducted additional experiments with sizes of 25 and 75, and compared them to the 50-sample setting. Using Qwen2-Audio as the target model, we evaluated the jailbreak success rate (SRoA). The results confirm the scalability of our method: as the training set size increases, the average SRoA decreases, indicating improved defense performance.

An ablation evaluating the variance across different training subsets

In fact, each of our experiments was conducted on a randomly selected set of 50 audio samples, so the results reported in the paper already reflect the robustness of our method across different data subsets. To more clearly demonstrate this conclusion, we conducted additional experiments, each time randomly selecting 50 samples and using Qwen2.5-Omni as the target model. We tested one seen attack (AdvWave) and three unseen attacks (Gupta et al., ICA, and PAP-Audio). The results show that our method performs consistently across different subsets and exhibits strong generalization ability.

Questions

Comparing the learned M-GSM masks

In Figure 5 of our paper, we provide a visual comparison of the M-GSMs across different models. The results show that different models exhibit similar mask patterns, which we believe indicates that the globally computed mask captures stable and general features, demonstrating robustness across models.

The response of the Audio-CoT model

We really appreciate this interesting and insightful question.

On the one hand, increasing inference-time computation may intuitively enhance robustness against jailbreaks, as also reflected in a recent study by OpenAI [1]. On the other hand, for large-scale industrial models with stronger reasoning capabilities and larger knowledge bases, this may also introduce more “opportunities to err,” potentially leading to unsafe behaviors due to overthinking or amplifying subtle unsafe patterns. This phenomenon has been highlighted in a recent study by Anthropic [2].

Given that Audio-CoT models are still in their early stage of development (with only a few studies extending CoT to 7B-level audio models [3][4]), currently it might be difficult to draw robust and stable conclusions about their behavior with respect to safety.

We have also considered how SAP activates safety shortcuts in Audio-CoT models. We think the key lies in triggering the model’s inclination to reason about safety-related issues (such as jailbreaks) during inference, thereby guiding it toward safer behavior patterns.

[1] Zaremba, Wojciech, et al. "Trading inference-time compute for adversarial robustness." arXiv preprint arXiv:2501.18841 (2025).

[2] Gema, Aryo Pradipta, et al. "Inverse Scaling in Test-Time Compute." arXiv preprint arXiv:2507.14417 (2025).

[3] Ma, Ziyang, et al. "Audio-cot: Exploring chain-of-thought reasoning in large audio language model." arXiv preprint arXiv:2501.07246 (2025).

[4] Xie, Zhifei, et al. "Audio-reasoner: Improving reasoning capability in large audio language models." arXiv preprint arXiv:2503.02318 (2025).

---

We hope the above response has addressed your concern. If there are any remaining questions, we would be happy to provide further clarification during the discussion phase.

Thank you for the meaningful and helpful review. We are pleased to see that the reviewer acknowledges the experimental evaluation and the theoretical analyses in the paper, and we appreciate the overall positive evaluation. We will try to address all of your concerns and give corresponding point-by-point responses.

limitations against the adaptive attack

This is indeed an insightful suggestion that we did not consider in our initial experiments. To demonstrate the cost required to defend against a stronger adversary, we consider an attacker with the strongest possible capability—one who has full knowledge of our defense mechanism and can perform white-box optimization on top of our perturbation (SAP), using the AdvWave attack method. We vary the value of k and evaluate both the availability of the model (measured by WER) and the robustness against the adaptive attack (measured by SRoA). The attack is conducted on 100 randomly selected samples, and the results are presented in the table below.

The results indicate that by tuning k, we can achieve better defense performance against stronger attackers at the cost of some availability. For example, when k = 48, the defense against AdvWave is limited, with SRoA still reaching 82%. However, increasing k to 96 significantly enhances the defense, reducing SRoA to 34%, though it comes at the cost of higher WER, which increases from 8.70% to 25.76%.

These findings imply that, during real-world deployment, it is possible to make deliberate trade-offs between defense robustness and model availability, depending on the specific requirements and operational context.

over-the-air evaluation

Over-the-air (OTA) scenarios are indeed commonly considered in the audio domain. However, OTA is typically a major concern for the attacker, since the adversarial audio must propagate through the physical environment during real-world attacks. As a result, the attacker must account for distortions introduced by environmental noise and transmission loss, and a strong attack should exhibit robustness to such physical spaces.

In contrast, for defense methods like ours, which are deployed at the model's input end, the perturbation is not transmitted through the air. Instead, it is applied in the digital domain after the audio has been captured. Therefore, our SAP only needs to ensure universality, i.e., the ability to activate the model's safety shortcuts effectively on any received audio input, thus maintaining its defensive effectiveness.

That said, to demonstrate the real-world effectiveness of our method against physically realized jailbreak attacks, we conducted over-the-air experiments using AdvWave (a representative acoustic-based attack) and PAP-Audio (an unseen semantic-based attack). For each attack, we randomly selected 10 jailbreak audio samples, played them through a speaker in a 4m × 4m × 3m room, and recorded them using a microphone placed 50 cm away. The results, measured by SRoA, are shown in the table below. The results confirm that our method remains effective even against jailbreak audio transmitted in real-world physical environments.

We hope our responses have adequately addressed the reviewer’s concerns. We would be happy to answer any further questions during the discussion phase.

We are very grateful for your insightful and valuable comments. We appreciate your recognition of the clarity of our paper and method. We also want to thank you for your interest in the idea of the mask component of our approach. We will try our best to address all your concerns in detail.

---

Adversarial jailbreak on our defense

We acknowledge the reviewer’s point and clarify that Section 5.4 of our paper includes adaptive attack experiments, where we consider a strongest-case attacker with full knowledge of our defense and the ability to perform white-box optimization on top of our perturbation (SAP). The results show that although the defense effectiveness is significantly degraded under this adaptive setting, our method still outperforms all existing baselines.

Furthermore, we conduct new additional experiments demonstrating that our method can achieve stronger robustness against adaptive attacks by sacrificing a certain degree of model utility. Specifically, by adjusting k from 48 to 96, we are able to reduce the SRoA from 82% to 34%.

Why ASR as benign task

1. ASR is currently the most important and fundamental pre-training task for the speech understanding capability of Audio Language Models (ALMs). For example, in the case of Qwen-Audio, ASR-related audio accounts for more than 35% of all data across the 17 pre-training tasks.

2. In our evaluation of model utility, LibriSpeech is used to assess performance on the ASR task, while AIR-Bench is used to evaluate performance on speech-based QA. The results from both benchmarks show consistent trends—performance degradation in ASR corresponds to similar degradation in speech QA.

3. AudioFlamingo-2 is an ALM that focuses on sound event understanding (e.g., identifying the source of a car horn sound) rather than speech understanding. This falls outside the scope of our discussion, which primarily considers jailbreak issues triggered by the linguistic content of audio, and focuses on the speech interaction capability of the model. However, we also agree that non-speech acoustic events are also widespread in real-world scenarios, and safety issues arising from such inputs are worth exploring in the future work.

As a supplementary evaluation of benign performance, we further assess our method on non-speech audio types from AIR-Bench-Chat, including sound, music, speech mixed with sound, and speech mixed with music, totaling 1,400 audio samples. The results under k = 48 are shown in the table below, which demonstrates that the impact of our method on a broader range of audio tasks remains within an acceptable range.

Regarding per-step mask updates

As part of our design motivation, we intentionally use a fixed mask to ensure that the SAP is universal and input-agnostic, enabling broad generalization and efficient deployment.

To achieve this, we compute the average gradient over the entire batch before the optimization process begins, allowing us to obtain a relatively stable mask. As shown in Figure 5 of the paper, this mask remains largely consistent across different models.

Moreover, if the mask is updated at every iteration step, it would become input-dependent, which contradicts our goal of generality. Additionally, frequent changes in the mask values can lead to instability in the loss convergence during optimization.

Regarding the role of masking and stronger constraints

As shown in Table 3 of the paper, the effectiveness of M-GSM is well supported. In the w/o M-GSM column, we observe that its defense performance is comparable to the full ALMGuard, with average SRoA of 14.4% and 16.6% respectively. However, its usability drops significantly compared to ALMGuard—for example, the WER reaches 26.85%, which is 20% higher than the no-defense baseline (6.85%), whereas ALMGuard achieves a WER of 8.70%, which is very close to the no-defense case. This clearly demonstrates that M-GSM effectively mitigates the utility degradation caused by SAP while maintaining strong defense performance.

In our early experiments, before adopting the M-GSM technique, we also explored traditional $l_p$-norm constraints commonly used in audio adversarial attack and defense domain. We attempted to preserve model utility by restricting the perturbation magnitude under a predefined ε. However, although tuning ε allowed us to obtain comparable defense performance, the model usability remained far from satisfactory and could not meet the expected quality, as shown in the table below.

Theoretical contribution

While our theoretical analysis is based on standard generalization tools such as Hoeffding’s inequality, it provides formal justification for two key properties of ALMGuard: (1) the ability of SAPs to generalize from seen to unseen jailbreaks, and (2) the bounded impact on benign inputs. These properties are critical for the practical deployment of defenses and, to the best of our knowledge, have not been explicitly analyzed in prior work on ALM jailbreak mitigation. We therefore consider the theoretical section to be a useful and complementary component to our empirical results.

In addition, the theoretical analysis also serves as the underlying principle for our empirical method, offering insights into how the hyperparameters should be tuned. This is reflected in two aspects: (1) Regarding the generalization of SAP, the bound $\mathcal{R}(\delta) \leq \widehat{\mathcal{R}}(\delta) + \sqrt{ \frac{ \ln (2/\alpha) }{ 2n } }$ suggests that a larger training set (i.e., larger n) can lead to smaller generalization error; (2) Regarding the impact on benign tasks, the bound $|\Delta \mathcal{L}_{\mathrm{ALM}}| \leq M$ indicates that decreasing the value of k can reduce the degradation in model performance. These insights can provide useful guidance for practical deployment of our method.

Note: $M = {G_{\max }}{L_{{\rm{enc}}}}{d_k}\epsilon$.

---

We hope the above responses have addressed your concerns. We would be happy to answer any further questions during the discussion phase.

Thank you for your constructive comments and suggestions. We are pleased to see that the reviewer found our paper well-written, with comprehensive experiments and meaningful theoretical support. We sincerely appreciate the positive evaluation.

We appreciate your suggestion that more defense baselines can make our experiments more solid. In response to your suggestion, we conducted and included a comparison with AudioPure, and the results are shown in the following table. The experiment result shows that while AudioPure achieves comparable defense performance with ALMGuard, it causes a significant degradation in model availability. For example, the WER increases from 6.85% to 21.72%.

We think this is primarily due to the diffusion-based audio reconstruction mechanism used in AudioPure. Although this process effectively removes adversarial suffixes and perturbations introduced by the attacker, the reconstructed audio is filled with noticeable noise, which severely affects the model's ability to process and understand the original content.

AudioPure performs well against acoustic-based attacks, which is intuitive since the audio reconstruction process disrupts adversarial acoustic features. Its overall defense effectiveness against acoustic-based attacks is comparable to ALMGuard. For attacks in the form of adversarial prefixes or suffixes (e.g., AdvWave, Gupta et al.), their performance is weaker than that of ALMGuard. For perturbation-based attacks (e.g., AdvWave-P), it slightly outperforms ALMGuard.

As for semantic-based attacks (such as PAIR-Audio and PAP-Audio), the attack effectiveness primarily stems from the linguistic content (i.e., semantics) of the audio. AudioPure's effectiveness against such attacks may be attributed to the noise introduced during the reconstruction process, which likely distorts the semantic information in the audio and makes it harder for the model to comprehend. This is also consistent with its large negative impact on model performance for benign inputs.

It is also worth mentioning that AudioPure was originally proposed for the speech command classification task, which is a classification task involving short audio commands consisting of only a few words and typically lasting less than one second. In contrast, our setting involves long-form audio inputs, often ranging from ten to thirty seconds in duration. In such cases, the impact of noise becomes much more severe. In contrast, our method strikes a favorable balance between robustness and model availability.

We hope the above response can address your concern, and we would be happy to answer your further questions during the discussion phase.