arxiv_ml 95% Match Research Paper AI Safety Researchers,LLM Developers,Cybersecurity Professionals,AI Ethicists 1 day ago

Adversarial D\'ej\`a Vu: Jailbreak Dictionary Learning for Stronger Generalization to Unseen Attacks

ai-safety › robustness

📄 Abstract

Abstract: Large language models remain vulnerable to jailbreak attacks that bypass safety guardrails to elicit harmful outputs. Defending against novel jailbreaks represents a critical challenge in AI safety. Adversarial training -- designed to make models robust against worst-case perturbations -- has been the dominant paradigm for adversarial robustness. However, due to optimization challenges and difficulties in defining realistic threat models, adversarial training methods often fail on newly developed jailbreaks in practice. This paper proposes a new paradigm for improving robustness against unseen jailbreaks, centered on the Adversarial D\'ej\`a Vu hypothesis: novel jailbreaks are not fundamentally new, but largely recombinations of adversarial skills from previous attacks. We study this hypothesis through a large-scale analysis of 32 attack papers published over two years. Using an automated pipeline, we extract and compress adversarial skills into a sparse dictionary of primitives, with LLMs generating human-readable descriptions. Our analysis reveals that unseen attacks can be effectively explained as sparse compositions of earlier skills, with explanatory power increasing monotonically as skill coverage grows. Guided by this insight, we introduce Adversarial Skill Compositional Training (ASCoT), which trains on diverse compositions of skill primitives rather than isolated attack instances. ASCoT substantially improves robustness to unseen attacks, including multi-turn jailbreaks, while maintaining low over-refusal rates. We also demonstrate that expanding adversarial skill coverage, not just data scale, is key to defending against novel attacks. \textcolor{red}{\textbf{Warning: This paper contains content that may be harmful or offensive in nature.

Key Contributions

Proposes a new paradigm for LLM robustness against unseen jailbreaks based on the 'Adversarial Déjà Vu' hypothesis: novel jailbreaks are recombinations of previous adversarial skills. It uses dictionary learning to compress these skills and improve generalization, addressing the practical failures of traditional adversarial training.

Business Value

Enhances the security and trustworthiness of LLM deployments by making them more resilient to sophisticated attacks, reducing risks associated with harmful or unintended outputs and enabling safer integration into critical applications.

Paper Metadata

Innovation Type

Methodology/Paradigm Shift

Deployment Feasibility

Moderate. The proposed method requires significant analysis and potentially retraining/fine-tuning of models, but offers a path to more robust defenses.

Limitations Addressed

The inability of standard adversarial training methods to generalize to novel jailbreak attacks, which is a critical challenge in AI safety.

Performance Gains

Aims for stronger generalization to unseen attacks compared to traditional adversarial training.

Technical Tags

Jailbreak AttacksLLM SafetyAdversarial TrainingUnseen AttacksDictionary LearningAdversarial SkillsThreat ModelsAI RobustnessHarmful OutputsGeneralization

Research Topics

AI Safety and SecurityLLM VulnerabilitiesAdversarial Machine LearningRobustness to Novel AttacksAI Alignment

Methods & Architectures

Dictionary LearningAutomated Skill ExtractionLarge-scale Analysis of Attack PapersAdversarial Training Paradigm Large Language Models (LLMs)

Applications & Tasks

AI Safety Cybersecurity LLM Deployment LLMs vulnerable to jailbreak attacksDefending against novel jailbreaksFailure of adversarial training on unseen attacksEliciting harmful outputs Improving LLM robustnessGeneralizing to unseen attacksBypassing safety guardrails

Related Fields

Artificial IntelligenceMachine LearningCybersecurityNatural Language ProcessingAI Safety

Keywords

LLM safetyjailbreak attacksadversarial trainingrobustnessunseen attacksdictionary learningAI securityharmful contentgeneralizationthreat modeling

Academic Context

#AI Safety and Security#LLM Vulnerabilities#Adversarial Machine Learning#Robustness to Novel Attacks#AI Alignment

Commercial Potential

Potential Products

More secure LLM APIsAI safety toolkitsRobustness enhancement modules for LLMs

Target Industries

TechnologyCybersecurityCloud ComputingAI Development

Use Case Examples

Protecting customer-facing AI chatbots from malicious promptsSecuring AI systems used in sensitive domains like finance or healthcareDeveloping more resilient AI models for public release

Competitive Edge

Offers a novel theoretical framework and practical approach (dictionary learning of skills) to address the critical AI safety challenge of generalization to unseen adversarial attacks, moving beyond traditional adversarial training limitations.

Resource Requirements

Compute Needs

Requires significant compute for large-scale analysis of attack papers and potentially for training/fine-tuning models with the proposed method.

Data Requirements

Requires a corpus of AI attack papers and potentially datasets for evaluating robustness.

Deployment Constraints

Integration complexity, computational overhead for defense mechanisms.

Scalability

The analysis pipeline for extracting skills can be scaled. The training process scalability depends on the LLM and the defense method.

Regulatory Considerations

AI safety standardsResponsible AI deployment guidelines

Production Readiness

Maturity Level

Research/Development

Patent Potential

Moderate to High, potential for patents on the dictionary learning approach and skill compression techniques for AI safety.

View Full Paper Back to Papers