Defending Large Language Models Against Jailbreak Attacks via Layer-specific Editing

TL;DR

This paper introduces Layer-specific Editing (LED), a novel method that enhances large language models' resilience against jailbreak attacks by realigning safety layers within the models, effectively reducing harmful prompt responses.

Contribution

The paper proposes a new defense technique called LED that targets inner safety layers of LLMs, improving robustness against jailbreak prompts without sacrificing performance.

Findings

LED significantly reduces jailbreak success rates across multiple LLMs.

Realigning safety layers improves model safety while maintaining benign prompt performance.

Extensive experiments validate LED's effectiveness and generalizability.

Abstract

Large language models (LLMs) are increasingly being adopted in a wide range of real-world applications. Despite their impressive performance, recent studies have shown that LLMs are vulnerable to deliberately crafted adversarial prompts even when aligned via Reinforcement Learning from Human Feedback or supervised fine-tuning. While existing defense methods focus on either detecting harmful prompts or reducing the likelihood of harmful responses through various means, defending LLMs against jailbreak attacks based on the inner mechanisms of LLMs remains largely unexplored. In this work, we investigate how LLMs response to harmful prompts and propose a novel defense method termed \textbf{L}ayer-specific \textbf{Ed}iting (LED) to enhance the resilience of LLMs against jailbreak attacks. Through LED, we reveal that several critical \textit{safety layers} exist among the early layers of LLMs. We then show that realigning these safety layers (and some selected additional layers) with the decoded safe response from selected target layers can significantly improve the alignment of LLMs against jailbreak attacks. Extensive experiments across various LLMs (e.g., Llama2, Mistral) show the effectiveness of LED, which effectively defends against jailbreak attacks while maintaining performance on benign prompts. Our code is available at \url{https://github.com/ledllm/ledllm}.