Self-Guard: Empower the LLM to Safeguard Itself

TL;DR

Self-Guard is a novel method that enables LLMs to autonomously detect and prevent harmful content, effectively defending against jailbreak attacks without degrading performance or causing over-sensitivity.

Contribution

The paper introduces Self-Guard, a two-stage approach that combines content assessment and self-detection, improving robustness against jailbreaks while maintaining model performance.

Findings

Self-Guard effectively defends against jailbreak attacks.

It does not degrade LLM performance after safety training.

It mitigates over-sensitivity issues in LLMs.

Abstract

The jailbreak attack can bypass the safety measures of a Large Language Model (LLM), generating harmful content. This misuse of LLM has led to negative societal consequences. Currently, there are two main approaches to address jailbreak attacks: safety training and safeguards. Safety training focuses on further training LLM to enhance its safety. On the other hand, safeguards involve implementing external models or filters to prevent harmful outputs. However, safety training has constraints in its ability to adapt to new attack types and often leads to a drop in model performance. Safeguards have proven to be of limited help. To tackle these issues, we propose a novel approach called Self-Guard, which combines the strengths of both safety methods. Self-Guard includes two stages. In the first stage, we enhance the model's ability to assess harmful content, and in the second stage, we instruct the model to consistently perform harmful content detection on its own responses. The experiment has demonstrated that Self-Guard is robust against jailbreak attacks. In the bad case analysis, we find that LLM occasionally provides harmless responses to harmful queries. Additionally, we evaluated the general capabilities of the LLM before and after safety training, providing evidence that Self-Guard does not result in the LLM's performance degradation. In sensitivity tests, Self-Guard not only avoids inducing over-sensitivity in LLM but also can even mitigate this issue.