Be Your Own Red Teamer: Safety Alignment via Self-Play and Reflective Experience Replay

TL;DR

This paper introduces Safety Self-Play (SSP), enabling LLMs to autonomously generate and defend against adversarial attacks through self-play and reflective experience replay, leading to improved safety alignment.

Contribution

The paper presents a novel self-play framework with reflective experience replay that allows LLMs to autonomously evolve adversarial attacks and defenses, surpassing static dataset-based methods.

Findings

Outperforms baseline models trained on static adversarial datasets.

Evolves robust defense strategies through autonomous self-play.

Establishes a new benchmark for proactive safety in LLMs.

Abstract

Large Language Models (LLMs) have achieved remarkable capabilities but remain vulnerable to adversarial ``jailbreak'' attacks designed to bypass safety guardrails. Current safety alignment methods depend heavily on static external red teaming, utilizing fixed defense prompts or pre-collected adversarial datasets. This leads to a rigid defense that overfits known patterns and fails to generalize to novel, sophisticated threats. To address this critical limitation, we propose empowering the model to be its own red teamer, capable of achieving autonomous and evolving adversarial attacks. Specifically, we introduce Safety Self- Play (SSP), a system that utilizes a single LLM to act concurrently as both the Attacker (generating jailbreaks) and the Defender (refusing harmful requests) within a unified Reinforcement Learning (RL) loop, dynamically evolving attack strategies to uncover vulnerabilities while simultaneously strengthening defense mechanisms. To ensure the Defender effectively addresses critical safety issues during the self-play, we introduce an advanced Reflective Experience Replay Mechanism, which uses an experience pool accumulated throughout the process. The mechanism employs a Upper Confidence Bound (UCB) sampling strategy to focus on failure cases with low rewards, helping the model learn from past hard mistakes while balancing exploration and exploitation. Extensive experiments demonstrate that our SSP approach autonomously evolves robust defense capabilities, significantly outperforming baselines trained on static adversarial datasets and establishing a new benchmark for proactive safety alignment.