TraceRouter: Robust Safety for Large Foundation Models via Path-Level Intervention

TL;DR

TraceRouter is a path-level intervention framework that enhances the robustness of large foundation models against adversarial attacks by tracing and disconnecting harmful semantic pathways, outperforming existing defenses.

Contribution

It introduces a novel path-level approach to identify and sever causal circuits of malicious semantics, improving robustness without sacrificing utility.

Findings

Significantly improves adversarial robustness over baselines

Effectively isolates malicious features using sparse autoencoders

Maintains high utility while defending against adversarial manipulation

Abstract

Despite their capabilities, large foundation models (LFMs) remain susceptible to adversarial manipulation. Current defenses predominantly rely on the "locality hypothesis", suppressing isolated neurons or features. However, harmful semantics act as distributed, cross-layer circuits, rendering such localized interventions brittle and detrimental to utility. To bridge this gap, we propose \textbf{TraceRouter}, a path-level framework that traces and disconnects the causal propagation circuits of illicit semantics. TraceRouter operates in three stages: (1) it pinpoints a sensitive onset layer by analyzing attention divergence; (2) it leverages sparse autoencoders (SAEs) and differential activation analysis to disentangle and isolate malicious features; and (3) it maps these features to downstream causal pathways via feature influence scores (FIS) derived from zero-out interventions. By selectively suppressing these causal chains, TraceRouter physically severs the flow of harmful information while leaving orthogonal computation routes intact. Extensive experiments demonstrate that TraceRouter significantly outperforms state-of-the-art baselines, achieving a superior trade-off between adversarial robustness and general utility. Our code will be publicly released. WARNING: This paper contains unsafe model responses.