๐ค AI Summary
This paper addresses the vulnerability of large language models (LLMs) to adversarial suffix jailbreaking attacks, which compromise safety mechanisms. To this end, we propose an embedding-space-driven, refusal-aware attack method. Our approach introduces refusal-direction regularization to constrain embedding optimization, jointly modeling semantic fluency and safety evasion objectives. Additionally, we design a critic-guided ensemble decoding framework to achieve high-fidelity mapping from continuous embeddings to natural token sequences. Evaluated on multiple open-source LLMs, our method significantly improves attack success rates while reducing query counts and computational overheadโwithout sacrificing textual coherence or naturalness. Experiments demonstrate that embedding-space regularization effectively exposes and quantifies alignment vulnerabilities, offering a novel paradigm for LLM safety evaluation.
๐ Abstract
Large language models (LLMs) achieve impressive performance across diverse tasks yet remain vulnerable to jailbreak attacks that bypass safety mechanisms. We present RAID (Refusal-Aware and Integrated Decoding), a framework that systematically probes these weaknesses by crafting adversarial suffixes that induce restricted content while preserving fluency. RAID relaxes discrete tokens into continuous embeddings and optimizes them with a joint objective that (i) encourages restricted responses, (ii) incorporates a refusal-aware regularizer to steer activations away from refusal directions in embedding space, and (iii) applies a coherence term to maintain semantic plausibility and non-redundancy. After optimization, a critic-guided decoding procedure maps embeddings back to tokens by balancing embedding affinity with language-model likelihood. This integration yields suffixes that are both effective in bypassing defenses and natural in form. Experiments on multiple open-source LLMs show that RAID achieves higher attack success rates with fewer queries and lower computational cost than recent white-box and black-box baselines. These findings highlight the importance of embedding-space regularization for understanding and mitigating LLM jailbreak vulnerabilities.