Understanding and Defending VLM Jailbreaks via Jailbreak-Related Representation Shift

TL;DR

This paper investigates how visual inputs cause large vision-language models to shift representations toward jailbreak states, leading to safety failures, and proposes a defense method that removes this shift to improve safety.

Contribution

The paper introduces the concept of jailbreak-related representation shift, identifies a specific shift direction, and proposes a defense method to mitigate jailbreaks in VLMs.

Findings

Jailbreak samples form a distinct, separable internal state.

The identified jailbreak shift reliably characterizes jailbreak behavior.

The proposed defense method effectively reduces jailbreak success while maintaining benign performance.

Abstract

Large vision-language models (VLMs) often exhibit weakened safety alignment with the integration of the visual modality. Even when text prompts contain explicit harmful intent, adding an image can substantially increase jailbreak success rates. In this paper, we observe that VLMs can clearly distinguish benign inputs from harmful ones in their representation space. Moreover, even among harmful inputs, jailbreak samples form a distinct internal state that is separable from refusal samples. These observations suggest that jailbreaks do not arise from a failure to recognize harmful intent. Instead, the visual modality shifts representations toward a specific jailbreak state, thereby leading to a failure to trigger refusal. To quantify this transition, we identify a jailbreak direction and define the jailbreak-related shift as the component of the image-induced representation shift along this direction. Our analysis shows that the jailbreak-related shift reliably characterizes jailbreak behavior, providing a unified explanation for diverse jailbreak scenarios. Finally, we propose a defense method that enhances VLM safety by removing the jailbreak-related shift (JRS-Rem) at inference time. Experiments show that JRS-Rem provides strong defense across multiple scenarios while preserving performance on benign tasks.