Causal Front-Door Adjustment for Robust Jailbreak Attacks on LLMs

TL;DR

This paper introduces CFA², a causal framework leveraging Pearl's Front-Door Adjustment to effectively jailbreak LLMs by isolating core task intent and overcoming safety mechanisms.

Contribution

It proposes a novel causal attack method using Front-Door Adjustment and Sparse Autoencoders to improve jailbreak success rates on LLMs.

Findings

Achieves state-of-the-art attack success rates

Provides mechanistic interpretation of jailbreaking

Reduces inference complexity significantly

Abstract

Safety alignment mechanisms in Large Language Models (LLMs) often operate as latent internal states, obscuring the model's inherent capabilities. Building on this observation, we model the safety mechanism as an unobserved confounder from a causal perspective. Then, we propose the Causal Front-Door Adjustment Attack (CFA{$^2$}) to jailbreak LLM, which is a framework that leverages Pearl's Front-Door Criterion to sever the confounding associations for robust jailbreaking. Specifically, we employ Sparse Autoencoders (SAEs) to physically strip defense-related features, isolating the core task intent. We further reduce computationally expensive marginalization to a deterministic intervention with low inference complexity. Experiments demonstrate that CFA{$^2$} achieves state-of-the-art attack success rates while offering a mechanistic interpretation of the jailbreaking process.