🤖 AI Summary
Large language models are vulnerable to adversarial prompts and jailbreaking attacks, yet the precise mechanisms by which their internal reasoning is perturbed remain unclear. This work proposes a causal diagnostic framework grounded in internal computation graphs, which constructs and compares attribution graphs under clean and adversarial prompts to enable structural alignment and path analysis. The approach identifies invariant, suppressed, and emergent computational motifs, revealing a strong association between vulnerability motifs and unsafe model behaviors. It further supports node-level causal interventions. Experiments across multiple open-source large language models and jailbreaking benchmarks demonstrate that targeted interventions significantly enhance model robustness, confirming that structural biases in the computation graph are a key factor enabling successful attacks.
📝 Abstract
Large language models (LLMs) exhibit remarkable capabilities but remain highly vulnerable to adversarial prompts and jailbreak attacks. Existing approaches primarily analyze these failures through input-output behaviors or attribution methods, offering limited insight into how adversarial perturbations alter the model's internal reasoning. Consequently, the mechanisms underlying unsafe or incorrect behaviors remain poorly understood. We introduce a mechanistic framework for diagnosing LLM vulnerabilities using paired internal computation graphs, which represent prompt-specific inference as structured causal interactions among latent features. By constructing and aligning computation graphs for clean and attacked prompts, we reveal that adversarial attacks induce systematic transformations of internal reasoning, including suppression of safety-relevant components, emergence of attack-specific features, and rerouting of computation paths. Building on this representation, we propose a unified framework that (i) decomposes computation into invariant, suppressed, and emergent structures, (ii) identifies recurring vulnerability motifs associated with failure modes, and (iii) performs causal interventions on nodes, paths, and subgraphs to directly evaluate their contributions to attack success. This enables a transition from descriptive attribution to causal diagnosis of model failures. Experiments across multiple open-source LLMs and diverse adversarial and jailbreak benchmarks demonstrate that structural deviations in internal computation graphs strongly correlate with unsafe behaviors. Furthermore, targeted interventions on identified vulnerability motifs improve model robustness, establishing internal computation graphs as a principled foundation for understanding, diagnosing, and mitigating LLM vulnerabilities.