Large language models (LLMs) are vulnerable to adversarial prompt attacks, compromising output reliability and system integrity. To address this, we propose a white-box defense method grounded in residual stream activation analysis. Our approach introduces *residual stream activation fingerprinting*—a novel technique that monitors and statistically visualizes internal Transformer states across layers to precisely detect anomalous activation patterns. We further construct the first high-quality adversarial prompt dataset covering diverse attack types, including jailbreaking and role-playing. Crucially, we pioneer the integration of safety-aware fine-tuning (Safe-FT) with activation analysis, demonstrating its effectiveness in enhancing discriminative feature learning. Experiments show our method achieves over 95% detection accuracy across multiple adversarial scenarios and significantly improves robustness. This work establishes an interpretable, scalable paradigm for LLM adversarial defense, bridging activation-level introspection with practical security enhancement.

The widespread adoption of Large Language Models (LLMs), exemplified by OpenAI's ChatGPT, brings to the forefront the imperative to defend against adversarial threats on these models. These attacks, which manipulate an LLM's output by introducing malicious inputs, undermine the model's integrity and the trust users place in its outputs. In response to this challenge, our paper presents an innovative defensive strategy, given white box access to an LLM, that harnesses residual activation analysis between transformer layers of the LLM. We apply a novel methodology for analyzing distinctive activation patterns in the residual streams for attack prompt classification. We curate multiple datasets to demonstrate how this method of classification has high accuracy across multiple types of attack scenarios, including our newly-created attack dataset. Furthermore, we enhance the model's resilience by integrating safety fine-tuning techniques for LLMs in order to measure its effect on our capability to detect attacks. The results underscore the effectiveness of our approach in enhancing the detection and mitigation of adversarial inputs, advancing the security framework within which LLMs operate.