This work addresses the vulnerability of large language models to jailbreaking attacks, which existing defenses struggle to counter due to the dynamic and evolving nature of adversarial prompts. The authors propose a lightweight, fine-tuning-free defense framework that requires no additional models and is the first to systematically reveal identifiable traces of jailbreak attempts within a model’s internal activations. By analyzing inter-layer hidden activations, modeling tensor structures, and detecting latent spatial patterns, the method leverages only inference-time internal representations to enable architecture-agnostic jailbreak detection and dynamic intervention. Evaluated on LLaMA-3.1-8B, selectively bypassing high-sensitivity layers blocks 78% of jailbreak attempts while preserving 94% of normal behavior, with minimal inference overhead.

Jailbreaking large language models (LLMs) has emerged as a critical security challenge with the widespread deployment of conversational AI systems. Adversarial users exploit these models through carefully crafted prompts to elicit restricted or unsafe outputs, a phenomenon commonly referred to as Jailbreaking. Despite numerous proposed defense mechanisms, attackers continue to develop adaptive prompting strategies, and existing models remain vulnerable. This motivates approaches that examine the internal behavior of LLMs rather than relying solely on prompt-level defenses. In this work, we study jailbreaking from both security and interpretability perspectives by analyzing how internal representations differ between jailbreak and benign prompts. We conduct a systematic layer-wise analysis across multiple open-source models, including GPT-J, LLaMA, Mistral, and the state-space model Mamba, and identify consistent latent-space patterns associated with harmful inputs. We then propose a tensor-based latent representation framework that captures structure in hidden activations and enables lightweight jailbreak detection without model fine-tuning or auxiliary LLM-based detectors. We further demonstrate that the latent signals can be used to actively disrupt jailbreak execution at inference time. On an abliterated LLaMA-3.1-8B model, selectively bypassing high-susceptibility layers blocks 78% of jailbreak attempts while preserving benign behavior on 94% of benign prompts. This intervention operates entirely at inference time and introduces minimal overhead, providing a scalable foundation for achieving stronger coverage by incorporating additional attack distributions or more refined susceptibility thresholds. Our results provide evidence that jailbreak behavior is rooted in identifiable internal structures and suggest a complementary, architecture-agnostic direction for improving LLM security.