菜单

关于 🐙 GitHub
arXiv 提交日期: 2026-06-28
📄 Abstract - Closing the Activation-Cone Blind Spot: Response-Time Probing and Unified Defense

Inference-time safety methods for large language models have proliferated, yet no systematic comparison exists. We evaluate five defense paradigms (no defense, static steering, CAST, AlphaSteer, probe-gated) across seven instruction-tuned models (7-31B) and five attack types (GCG, AutoDAN, DeepInception, prefilling, intent laundering). Our central finding: prompt-time activation defenses are structurally blind to prefilling attacks. AlphaSteer achieves 0% attack success on GCG, AutoDAN, and intent laundering but 50% on prefilling. We prove a corollary: any defense that gates intervention on a single layer's activation alignment with a benign reference (cone, subspace, or null-space) is blind to attacks that craft activations to lie inside that reference, whether checked at prompt time or per token. As its constructive contrapositive we introduce response-time probing: a linear probe on the model's hidden state at the first generated tokens, with AUROC 0.97-1.00 across all seven models. Combined with a halt, it cuts prefilling attack success to 0/40 on every model with 0% benign false positives, outperforming Llama Guard 3. Cross-template generalisation depends on probe depth, so we scope the claim to the canonical prefilling-template family. Composing the response-halt with AlphaSteer's null-space steering gives an orthogonal split (the halt catches prefilling, AlphaSteer catches semantic attacks), reaching defense success 0.983 on Mistral and 0.994 on Llama and dominating both components. We further show MMLU fails to capture steering's true utility cost, which appears as behavioral hedging rather than factual loss, and that diverse negative training sets cut probe false positives from 80-100% to near zero. Code, attacks, per-sample results, and the judge prompt are released.

顶级标签: llm model evaluation systems
详细标签: safety defense inference-time activation probing attack detection 或 搜索:

关闭激活锥形盲区:响应时间探测与统一防御 / Closing the Activation-Cone Blind Spot: Response-Time Probing and Unified Defense


1️⃣ 一句话总结

这篇论文发现现有的提示时激活防御方法对预填充攻击存在结构性盲区,并提出了一种在模型生成首个token时通过线性探针检测恶意行为的响应时间防御策略,将其与AlphaSteer结合后,能在不误伤正常回答的情况下,对所有七种模型将预填充攻击成功率降至0。

源自 arXiv: 2606.29441