Defending against Jailbreak through Early Exit Generation of Large Language Models

TL;DR

This paper introduces EEG-Defender, a novel early exit detection method for large language models that effectively reduces jailbreak success rates by identifying malicious prompts early in the generation process.

Contribution

The paper proposes leveraging early transformer outputs to detect malicious prompts, significantly improving jailbreak mitigation with minimal utility loss.

Findings

EEG-Defender reduces attack success rate by approximately 85%.

It outperforms state-of-the-art methods, which achieve around 50% success rate.

The approach maintains high utility of LLMs while enhancing security.

Abstract

Large Language Models (LLMs) are increasingly attracting attention in various applications. Nonetheless, there is a growing concern as some users attempt to exploit these models for malicious purposes, including the synthesis of controlled substances and the propagation of disinformation. In an effort to mitigate such risks, the concept of "Alignment" technology has been developed. However, recent studies indicate that this alignment can be undermined using sophisticated prompt engineering or adversarial suffixes, a technique known as "Jailbreak." Our research takes cues from the human-like generate process of LLMs. We identify that while jailbreaking prompts may yield output logits similar to benign prompts, their initial embeddings within the model's latent space tend to be more analogous to those of malicious prompts. Leveraging this finding, we propose utilizing the early transformer outputs of LLMs as a means to detect malicious inputs, and terminate the generation immediately. We introduce a simple yet significant defense approach called EEG-Defender for LLMs. We conduct comprehensive experiments on ten jailbreak methods across three models. Our results demonstrate that EEG-Defender is capable of reducing the Attack Success Rate (ASR) by a significant margin, roughly 85% in comparison with 50% for the present SOTAs, with minimal impact on the utility of LLMs.