Robust Harmful Features Under Jailbreak Attacks: Mechanistic Evidence from Attention Head Specialization in Large Language Models

πŸ“… 2026-06-26
πŸ“ˆ Citations: 0
✨ Influential: 0
πŸ“„ PDF
πŸ€– AI Summary
This study investigates how jailbreaking attacks circumvent safety alignment mechanisms in large language models. Through functional analysis of attention head specialization, the work identifies two critical types of heads for the first time: Adversarially Vulnerable Heads (ACHs) and Safety-Aligned Heads (SAHs). The findings reveal that jailbreak attacks do not erase safety-related features; instead, they selectively suppress ACHs in early layers via template-specific token manipulation, while SAHs in middle layers remain robustly activated. Leveraging attention head ablation, token-level attribution, and a training-free activation probing method, the study uncovers a phenomenon termed β€œrobust harmful features.” Notably, high-robustness jailbreak detection can be achieved solely by monitoring the persistent activation of SAHs, matching the performance of current trainable detectors.
πŸ“ Abstract
Jailbreak attacks bypass LLM safety alignment, yet their mechanisms remain poorly understood. We provide evidence that attacks do not comprehensively eliminate safety features, but instead selectively suppress specific attention heads. We identify two functionally differentiated types: Adversarially Compromised Heads (ACHs) concentrated in early layers, which are suppressed under attacks, and Safety-Aligned Heads (SAHs) in mid-layers, which maintain robust activations even when attacks succeed. Ablation studies support the causal role of ACHs and the contribution of SAHs to robust activations: suppressing a small number of ACHs is sufficient to induce jailbreak-like behavior on normally refused inputs, while removing SAHs substantially weakens mid-layer safety activations. Token-level attribution further shows that ACH suppression is driven specifically by attack-template tokens, providing a mechanistic account of why attacks can bypass refusal decisions through ACH suppression while leaving internal safety signals sustained by SAHs -- a phenomenon we term Robust Harmful Features. To validate the practical significance of this robustness, we show that simply reading these persistent activations -- without any training -- yields competitive aggregate detection performance with strong adversarial robustness.
Problem

Research questions and friction points this paper is trying to address.

jailbreak attacks
safety alignment
attention heads
robust harmful features
large language models
Innovation

Methods, ideas, or system contributions that make the work stand out.

attention head specialization
jailbreak attacks
robust harmful features
safety alignment
mechanistic interpretability
πŸ”Ž Similar Papers
2024-01-12International Conference on Computational LinguisticsCitations: 11