Defending Large Language Models Against Attacks With Residual Stream Activation Analysis

TL;DR

This paper introduces a residual stream activation analysis method to detect and defend against adversarial attacks on large language models, improving security and robustness.

Contribution

It presents a novel residual activation analysis technique for attack detection and integrates safety fine-tuning to enhance model resilience.

Findings

High accuracy in attack classification across multiple datasets

Effective detection of various attack types including new datasets

Enhanced model robustness through safety fine-tuning

Abstract

The widespread adoption of Large Language Models (LLMs), exemplified by OpenAI's ChatGPT, brings to the forefront the imperative to defend against adversarial threats on these models. These attacks, which manipulate an LLM's output by introducing malicious inputs, undermine the model's integrity and the trust users place in its outputs. In response to this challenge, our paper presents an innovative defensive strategy, given white box access to an LLM, that harnesses residual activation analysis between transformer layers of the LLM. We apply a novel methodology for analyzing distinctive activation patterns in the residual streams for attack prompt classification. We curate multiple datasets to demonstrate how this method of classification has high accuracy across multiple types of attack scenarios, including our newly-created attack dataset. Furthermore, we enhance the model's resilience by integrating safety fine-tuning techniques for LLMs in order to measure its effect on our capability to detect attacks. The results underscore the effectiveness of our approach in enhancing the detection and mitigation of adversarial inputs, advancing the security framework within which LLMs operate.