RAID: Refusal-Aware and Integrated Decoding for Jailbreaking LLMs

๐Ÿ“… 2025-10-14
๐Ÿ“ˆ Citations: 0
โœจ Influential: 0
๐Ÿ“„ PDF

career value

203K/year
๐Ÿค– AI Summary
This paper addresses the vulnerability of large language models (LLMs) to adversarial suffix jailbreaking attacks, which compromise safety mechanisms. To this end, we propose an embedding-space-driven, refusal-aware attack method. Our approach introduces refusal-direction regularization to constrain embedding optimization, jointly modeling semantic fluency and safety evasion objectives. Additionally, we design a critic-guided ensemble decoding framework to achieve high-fidelity mapping from continuous embeddings to natural token sequences. Evaluated on multiple open-source LLMs, our method significantly improves attack success rates while reducing query counts and computational overheadโ€”without sacrificing textual coherence or naturalness. Experiments demonstrate that embedding-space regularization effectively exposes and quantifies alignment vulnerabilities, offering a novel paradigm for LLM safety evaluation.

Technology Category

Application Category

๐Ÿ“ Abstract
Large language models (LLMs) achieve impressive performance across diverse tasks yet remain vulnerable to jailbreak attacks that bypass safety mechanisms. We present RAID (Refusal-Aware and Integrated Decoding), a framework that systematically probes these weaknesses by crafting adversarial suffixes that induce restricted content while preserving fluency. RAID relaxes discrete tokens into continuous embeddings and optimizes them with a joint objective that (i) encourages restricted responses, (ii) incorporates a refusal-aware regularizer to steer activations away from refusal directions in embedding space, and (iii) applies a coherence term to maintain semantic plausibility and non-redundancy. After optimization, a critic-guided decoding procedure maps embeddings back to tokens by balancing embedding affinity with language-model likelihood. This integration yields suffixes that are both effective in bypassing defenses and natural in form. Experiments on multiple open-source LLMs show that RAID achieves higher attack success rates with fewer queries and lower computational cost than recent white-box and black-box baselines. These findings highlight the importance of embedding-space regularization for understanding and mitigating LLM jailbreak vulnerabilities.
Problem

Research questions and friction points this paper is trying to address.

Systematically probes LLM weaknesses through adversarial suffix generation
Optimizes embeddings to bypass safety mechanisms while maintaining fluency
Achieves higher jailbreak success with fewer queries and lower cost
Innovation

Methods, ideas, or system contributions that make the work stand out.

Optimizes continuous embeddings with joint objectives
Uses refusal-aware regularization to avoid refusal directions
Applies critic-guided decoding to balance embedding affinity
๐Ÿ”Ž Similar Papers