🤖 AI Summary
This work addresses the critical issue that fine-tuning large language models—even with benign data—can inadvertently degrade their safety capabilities, while existing approaches struggle to efficiently and transferably identify high-risk fine-tuning samples. To tackle this, the authors propose a multi-model consensus-based method that aligns representations within a shared safety semantic subspace. For the first time, they construct cross-model common subspaces distinguishing safe and unsafe semantics, enabling sample-level risk assessment and token-level masking through semantic spectral decomposition and vector projection analysis. The approach eliminates reliance on any single model or tokenizer, substantially enhancing generalization and fine-grained control. Empirical results demonstrate that, without compromising downstream task performance, the method reduces attack success rates (ASR) by 14.6% via sample filtering and by 32.3% through token-level masking, outperforming the strongest baselines.
📝 Abstract
Fine-tuning large language models (LLMs) on domain-specific datasets has become a standard paradigm for adapting LLMs to specialized applications. However, recent work has shown that even fine-tuning on benign task-specific data can substantially weaken the safety capabilities of LLMs. While existing efforts have made progress in identifying data responsible for safety degradation, they usually rely on a single mean vector computed over a specific model with its tokenizer to represent the safety direction, which limits both the effectiveness and transferability of their risk assessment measures. To address these limitations, we propose DataShield, a data assessment framework that identifies risky fine-tuning samples and response segments through consensus subspace alignment over joint safety-critical semantic spaces derived from multiple safety-aligned LLMs. Within these spaces, DataShield extracts consensus safe and unsafe subspaces using semantic spectral decomposition over safe and unsafe data representations. The risk of a data sample or segment is then estimated by measuring its relative alignment with the unsafe and safe subspaces, enabling both sample-level filtering and fine-grained segment-level masking. Compared with state-of-the-art filtering and masking baselines, DataShield reduces ASR by 14.6\% with sample filtering and 32.3\% with segment masking, while preserving downstream utility and avoiding target-model-specific risk computation.