Mechanistic Steering of LLMs Reveals Layer-wise Feature Vulnerabilities in Adversarial Settings

TL;DR

This paper investigates the internal layer-wise features of large language models that contribute to adversarial jailbreak vulnerabilities, proposing a method to identify and steer these features for improved safety.

Contribution

It introduces a three-stage pipeline to identify layer-wise feature vulnerabilities in LLMs and demonstrates that mid to later layers are more responsible for unsafe outputs.

Findings

Features in layers 16-25 are more vulnerable to steering.

Mid to later layer feature subgroups are responsible for unsafe outputs.

Targeted feature-level interventions could improve adversarial robustness.

Abstract

Large language models (LLMs) can still be jailbroken into producing harmful outputs despite safety alignment. Existing attacks show this vulnerability, but not the internal mechanisms that cause it. This study asks whether jailbreak success is driven by identifiable internal features rather than prompts alone. We propose a three-stage pipeline for Gemma-2-2B using the BeaverTails dataset. First, we extract concept-aligned tokens from adversarial responses via subspace similarity. Second, we apply three feature-grouping strategies (cluster, hierarchical-linkage, and single-token-driven) to identify SAE feature subgroups for the aligned tokens across all 26 model layers. Third, we steer the model by amplifying the top features from each identified subgroup and measure the change in harmfulness score using a standardized LLM-judge scoring protocol. In all three approaches, the features in the layers [16-25] were relatively more vulnerable to steering. All three methods confirmed that mid to later layer feature subgroups are more responsible for unsafe outputs. These results provide evidence that the jailbreak vulnerability in Gemma-2-2B is localized to feature subgroups of mid to later layers, suggesting that targeted feature-level interventions may offer a more principled path to adversarial robustness than current prompt-level defenses.