Closing the Activation-Cone Blind Spot: Response-Time Probing and Unified Defense

πŸ“… 2026-06-28
πŸ“ˆ Citations: 0
✨ Influential: 0
πŸ“„ PDF
πŸ€– AI Summary
This work addresses a critical structural blind spot in existing inference-time safety defenses against prefilling attacks. Through a systematic evaluation of prevailing large language model defense paradigms, the study revealsβ€” for the first timeβ€”the failure mechanism of prompt-time alignment techniques such as activation steering when confronted with such attacks. To counter this vulnerability, the authors propose a unified response-time defense framework that employs linear probes to detect malicious hidden states and intervenes at the generation of the first output token, integrating null-subspace guidance with diverse negative-sample training. Evaluated across seven models, the method reduces prefilling attack success rates to 0 out of 40 while maintaining a 0% false positive rate on benign inputs. When orthogonally combined with AlphaSteer, it achieves comprehensive defense success rates of 0.983 and 0.994 on Mistral and Llama, respectively.
πŸ“ Abstract
Inference-time safety methods for large language models have proliferated, yet no systematic comparison exists. We evaluate five defense paradigms (no defense, static steering, CAST, AlphaSteer, probe-gated) across seven instruction-tuned models (7-31B) and five attack types (GCG, AutoDAN, DeepInception, prefilling, intent laundering). Our central finding: prompt-time activation defenses are structurally blind to prefilling attacks. AlphaSteer achieves 0% attack success on GCG, AutoDAN, and intent laundering but 50% on prefilling. We prove a corollary: any defense that gates intervention on a single layer's activation alignment with a benign reference (cone, subspace, or null-space) is blind to attacks that craft activations to lie inside that reference, whether checked at prompt time or per token. As its constructive contrapositive we introduce response-time probing: a linear probe on the model's hidden state at the first generated tokens, with AUROC 0.97-1.00 across all seven models. Combined with a halt, it cuts prefilling attack success to 0/40 on every model with 0% benign false positives, outperforming Llama Guard 3. Cross-template generalisation depends on probe depth, so we scope the claim to the canonical prefilling-template family. Composing the response-halt with AlphaSteer's null-space steering gives an orthogonal split (the halt catches prefilling, AlphaSteer catches semantic attacks), reaching defense success 0.983 on Mistral and 0.994 on Llama and dominating both components. We further show MMLU fails to capture steering's true utility cost, which appears as behavioral hedging rather than factual loss, and that diverse negative training sets cut probe false positives from 80-100% to near zero. Code, attacks, per-sample results, and the judge prompt are released.
Problem

Research questions and friction points this paper is trying to address.

prefilling attacks
activation-cone blind spot
inference-time safety
large language models
defense evaluation
Innovation

Methods, ideas, or system contributions that make the work stand out.

response-time probing
prefilling attacks
activation-cone blind spot
inference-time defense
orthogonal defense composition
πŸ”Ž Similar Papers
No similar papers found.