One Trigger Token Is Enough: A Defense Strategy for Balancing Safety and Usability in Large Language Models

TL;DR

This paper investigates the safety vulnerabilities of large language models, revealing safety trigger tokens as a key factor, and proposes D-STT, a minimal intervention defense method that effectively reduces harmful outputs while maintaining usability.

Contribution

The paper uncovers safety trigger tokens as a core mechanism behind safety issues in LLMs and introduces D-STT, a simple, single-token defense strategy that enhances safety with minimal impact.

Findings

D-STT significantly reduces harmful outputs across various jailbreak attacks.

D-STT maintains high model usability and incurs negligible response time overhead.

Safety trigger tokens are highly similar across different harmful inputs.

Abstract

Large Language Models (LLMs) have been extensively used across diverse domains, including virtual assistants, automated code generation, and scientific research. However, they remain vulnerable to jailbreak attacks, which manipulate the models into generating harmful responses despite safety alignment. Recent studies have shown that current safety-aligned LLMs undergo shallow safety alignment. In this work, we conduct an in-depth investigation into the underlying mechanism of this phenomenon and reveal that it manifests through learned ''safety trigger tokens'' that activate the model's safety patterns when paired with the specific input. Through both analysis and empirical verification, we further demonstrate the high similarity of the safety trigger tokens across different harmful inputs. Accordingly, we propose D-STT, a simple yet effective defense algorithm that identifies and explicitly decodes safety trigger tokens of the given safety-aligned LLM to activate the model's learned safety patterns. In this process, the safety trigger is constrained to a single token, which effectively preserves model usability by introducing minimum intervention in the decoding process. Extensive experiments across diverse jailbreak attacks and benign prompts demonstrate that D-STT significantly reduces output harmfulness while preserving model usability and incurring negligible response time overhead, outperforming ten baseline methods.