This work addresses the vulnerability of large language models (LLMs) to jailbreak attacks by proposing a novel, lightweight pre-defense mechanism. Existing pre-defense approaches suffer from high false-negative rates due to their reliance solely on user prompts, while post-hoc defenses incur substantial computational overhead. To overcome these limitations, the authors introduce a method that leverages a small language model (SLM) to generate draft responses, which—combined with the original user prompt—are fed into a security detection module. By analyzing the transferability of jailbreak attacks between LLMs and SLMs, the approach integrates speculative inference into safety verification. This strategy significantly improves detection accuracy and reduces both false negatives and computational costs, achieving an efficient and low-latency defense without compromising responsiveness.

Large Language Model (LLM) alignment remains vulnerable to jailbreak attacks that elicit unsafe responses, motivating pre-model and post-model guards. Pre-model guards audit the safety of prompts before invoking target models. However, relying solely on the prompt often leads to high false-negative rates (i.e., jailbreak attacks go undetected). Post-model guards address this issue by auditing both the user prompt and the target model's response. However, they incur a high computational cost, including increased token usage and processing time, because they operate after target model inference. In this paper, we introduce a safeguard design that leverages the transferability of jailbreak attacks to enforce prompt safety before target model inference. We first conduct a systematic study of jailbreak transferability, particularly from LLMs to small language models (SLMs). Through these experiments, we identify key factors influencing transferability. Building on these insights, we observe that responses from smaller draft models reflect the safety implications of those from large target models; \ie given a jailbreak prompt constructed for an LLM, an SLM is likely to be triggered to generate an unaligned response. Based on this observation, our safeguard design leverages speculative inference with SLMs to generate a set of draft responses. It then feeds the original prompt and these drafts into existing guards to predict their safety. We demonstrate that this design reduces the false-negative rate of pre-model guards and offers a low \Efficiency alternative to post-model guards. \textcolor{red}{\bf Notice: This paper contains examples of harmful language.}