ALERT: Zero-shot LLM Jailbreak Detection via Internal Discrepancy Amplification

TL;DR

This paper introduces ALERT, a novel zero-shot jailbreak detection method for large language models that amplifies internal discrepancies to identify safety violations without prior attack templates.

Contribution

The paper proposes a new amplification framework and ALERT detector that effectively identifies zero-shot jailbreaks by leveraging internal feature discrepancies in LLMs.

Findings

ALERT outperforms existing methods across multiple benchmarks.

It achieves at least 10% higher accuracy and F1-score on average.

ALERT reliably ranks among the top two detection methods.

Abstract

Despite rich safety alignment strategies, large language models (LLMs) remain highly susceptible to jailbreak attacks, which compromise safety guardrails and pose serious security risks. Existing detection methods mainly detect jailbreak status relying on jailbreak templates present in the training data. However, few studies address the more realistic and challenging zero-shot jailbreak detection setting, where no jailbreak templates are available during training. This setting better reflects real-world scenarios where new attacks continually emerge and evolve. To address this challenge, we propose a layer-wise, module-wise, and token-wise amplification framework that progressively magnifies internal feature discrepancies between benign and jailbreak prompts. We uncover safety-relevant layers, identify specific modules that inherently encode zero-shot discriminative signals, and localize informative safety tokens. Building upon these insights, we introduce ALERT (Amplification-based Jailbreak Detector), an efficient and effective zero-shot jailbreak detector that introduces two independent yet complementary classifiers on amplified representations. Extensive experiments on three safety benchmarks demonstrate that ALERT achieves consistently strong zero-shot detection performance. Specifically, (i) across all datasets and attack strategies, ALERT reliably ranks among the top two methods, and (ii) it outperforms the second-best baseline by at least 10% in average Accuracy and F1-score, and sometimes by up to 40%.