SmoothLLM provides certified defenses against jailbreak attacks but relies on the strong and practically unrealistic “k-instability” assumption, undermining the credibility of its safety guarantees. Method: We propose a more realistic probabilistic safety definition—(k, ε)-instability—requiring that model outputs remain stable with probability at least 1−ε under up to k perturbations. Building upon this, we develop a data-driven framework to estimate certified safety lower bounds, integrating empirical attack success rate modeling with SmoothLLM’s smoothing mechanism. The framework supports robustness certification against mainstream gradient- and semantics-based jailbreak attacks, including GCG and PAIR. Contribution/Results: Our approach ensures theoretical rigor while maintaining deployment feasibility. Evaluated across multiple LLMs and attack scenarios, it significantly improves both certification coverage and robustness, delivering verifiable, practical security guarantees for large language models.

The SmoothLLM defense provides a certification guarantee against jailbreaking attacks, but it relies on a strict `k-unstable' assumption that rarely holds in practice. This strong assumption can limit the trustworthiness of the provided safety certificate. In this work, we address this limitation by introducing a more realistic probabilistic framework, `(k, $varepsilon$)-unstable,' to certify defenses against diverse jailbreaking attacks, from gradient-based (GCG) to semantic (PAIR). We derive a new, data-informed lower bound on SmoothLLM's defense probability by incorporating empirical models of attack success, providing a more trustworthy and practical safety certificate. By introducing the notion of (k, $varepsilon$)-unstable, our framework provides practitioners with actionable safety guarantees, enabling them to set certification thresholds that better reflect the real-world behavior of LLMs. Ultimately, this work contributes a practical and theoretically-grounded mechanism to make LLMs more resistant to the exploitation of their safety alignments, a critical challenge in secure AI deployment.