Search papers, labs, and topics across Lattice.
This paper investigates jailbreaking attacks on LLMs by analyzing differences in internal representations between jailbreak and benign prompts across multiple open-source models (GPT-J, LLaMA, Mistral, Mamba). They propose a tensor-based latent representation framework to capture structure in hidden activations, enabling jailbreak detection without fine-tuning or auxiliary LLMs. By selectively bypassing high-susceptibility layers in LLaMA-3.1-8B, the method blocks 78% of jailbreak attempts while preserving 94% of benign behavior, demonstrating the potential for inference-time interventions.
LLMs betray their jailbreaking susceptibility in their hidden activations, allowing for lightweight detection and even real-time disruption of attacks.
Jailbreaking large language models (LLMs) has emerged as a critical security challenge with the widespread deployment of conversational AI systems. Adversarial users exploit these models through carefully crafted prompts to elicit restricted or unsafe outputs, a phenomenon commonly referred to as Jailbreaking. Despite numerous proposed defense mechanisms, attackers continue to develop adaptive prompting strategies, and existing models remain vulnerable. This motivates approaches that examine the internal behavior of LLMs rather than relying solely on prompt-level defenses. In this work, we study jailbreaking from both security and interpretability perspectives by analyzing how internal representations differ between jailbreak and benign prompts. We conduct a systematic layer-wise analysis across multiple open-source models, including GPT-J, LLaMA, Mistral, and the state-space model Mamba, and identify consistent latent-space patterns associated with harmful inputs. We then propose a tensor-based latent representation framework that captures structure in hidden activations and enables lightweight jailbreak detection without model fine-tuning or auxiliary LLM-based detectors. We further demonstrate that the latent signals can be used to actively disrupt jailbreak execution at inference time. On an abliterated LLaMA-3.1-8B model, selectively bypassing high-susceptibility layers blocks 78% of jailbreak attempts while preserving benign behavior on 94% of benign prompts. This intervention operates entirely at inference time and introduces minimal overhead, providing a scalable foundation for achieving stronger coverage by incorporating additional attack distributions or more refined susceptibility thresholds. Our results provide evidence that jailbreak behavior is rooted in identifiable internal structures and suggest a complementary, architecture-agnostic direction for improving LLM security.
