On Prompt-Driven Safeguarding for Large Language Models

TL;DR

This paper investigates how safety prompts influence large language models' behavior by analyzing their internal representations, and introduces DRO, a method to optimize safety prompts for better safeguarding without harming model performance.

Contribution

The study reveals the representation dynamics of safety prompts and proposes DRO, a novel method to automatically optimize safety prompts based on model representations.

Findings

DRO improves safety prompt effectiveness across multiple LLMs.

Safety prompts move queries toward a refusal direction in representation space.

Models can distinguish harmful from harmless queries without safety prompts.

Abstract

Prepending model inputs with safety prompts is a common practice for safeguarding large language models (LLMs) against queries with harmful intents. However, the underlying working mechanisms of safety prompts have not been unraveled yet, restricting the possibility of automatically optimizing them to improve LLM safety. In this work, we investigate how LLMs' behavior (i.e., complying with or refusing user queries) is affected by safety prompts from the perspective of model representation. We find that in the representation space, the input queries are typically moved by safety prompts in a "higher-refusal" direction, in which models become more prone to refusing to provide assistance, even when the queries are harmless. On the other hand, LLMs are naturally capable of distinguishing harmful and harmless queries without safety prompts. Inspired by these findings, we propose a method for safety prompt optimization, namely DRO (Directed Representation Optimization). Treating a safety prompt as continuous, trainable embeddings, DRO learns to move the queries' representations along or opposite the refusal direction, depending on their harmfulness. Experiments with eight LLMs on out-of-domain and jailbreak benchmarks demonstrate that DRO remarkably improves the safeguarding performance of human-crafted safety prompts, without compromising the models' general performance.