Understanding Jailbreak Success: A Study of Latent Space Dynamics in Large Language Models

TL;DR

This paper investigates how different jailbreak techniques bypass safety measures in large language models by analyzing internal activations, revealing common mechanisms and guiding more robust defenses.

Contribution

It uncovers a shared internal mechanism across diverse jailbreaks and demonstrates how effective jailbreaks reduce perceived harmfulness, informing improved safety strategies.

Findings

A single jailbreak vector can mitigate effectiveness across different jailbreak types.

Effective jailbreaks decrease the model's perception of prompt harmfulness.

Different jailbreaks may operate via similar internal mechanisms.

Abstract

Conversational large language models are trained to refuse to answer harmful questions. However, emergent jailbreaking techniques can still elicit unsafe outputs, presenting an ongoing challenge for model alignment. To better understand how different jailbreak types circumvent safeguards, this paper analyses model activations on different jailbreak inputs. We find that it is possible to extract a jailbreak vector from a single class of jailbreaks that works to mitigate jailbreak effectiveness from other semantically-dissimilar classes. This may indicate that different kinds of effective jailbreaks operate via a similar internal mechanism. We investigate a potential common mechanism of harmfulness feature suppression, and find evidence that effective jailbreaks noticeably reduce a model's perception of prompt harmfulness. These findings offer actionable insights for developing more robust jailbreak countermeasures and lay the groundwork for a deeper, mechanistic understanding of jailbreak dynamics in language models.