Safety Targeted Embedding Exploit via Refinement
1️⃣ One-sentence summary
The paper proposes an attack called STEER that bypasses the safety guardrails of large language models by iteratively translating the words that contribute most to a model's refusal into low-resource languages, showing that current safety training relies mainly on English and leaves a serious weakness against multilingual input.
Safety training for large language models (LLMs) is conducted predominantly in English, leaving uncertain how well safety mechanisms generalize to low-resource languages and mixed-language code-switching. We show that this creates an epistemic gap in which models confidently generate harmful responses for inputs that fall outside the distribution of their safety training. To study this phenomenon, we introduce STEER (Safety Targeted Embedding Exploit via Refinement), a gradient-guided attack that identifies words contributing most strongly to the model's refusal behavior and iteratively translates them into low-resource languages to suppress refusal while preserving harmful intent. Across six open-source 8B-parameter models, STEER achieves attack success rates of up to 93.0% on JailbreakBench and 96.7% on AdvBench, outperforming random code-switching and Greedy Coordinate Gradient (GCG). The resulting prompts also transfer to GPT-4o-mini, achieving a 35.5% attack success rate without requiring access to the target model, suggesting that the underlying weakness is not specific to a single architecture. These findings demonstrate that safety mechanisms aligned primarily on English cannot be assumed to generalize across multilingual inputs. We argue that improving multilingual safety requires broader coverage during alignment and mechanisms that explicitly detect and abstain on out-of-distribution inputs.
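The abstract closes by calling for mechanisms that detect and abstain on out-of-distribution inputs. The block below is an added example of such a pre-filter, not code from the paper or its authors: it scores a prompt for script mixing (the code-switching signal) and, separately, for Latin-script words that fall outside an English vocabulary, and routes flagged prompts to an abstain path instead of the model. The script list, the thresholds, the inline vocabulary and the sample prompts are all assumptions constructed for this example; a real deployment would replace the toy vocabulary with a language-identification model.

```python
"""Out-of-distribution gate for multilingual prompts (added example, not STEER).

Two heuristics, each an assumption made for this demonstration:
  1. script mixing: a second writing system covers a noticeable share of words;
  2. unknown Latin words: Latin-script words absent from an English vocabulary,
     which catches substitutions into Latin-script low-resource languages that
     the script check alone cannot see.
"""
import unicodedata
from collections import Counter

# Script families recognised from the Unicode character-name prefix.
# Hand-picked subset (assumption): enough for a demonstration, not exhaustive.
SCRIPT_PREFIXES = (
    "LATIN", "CYRILLIC", "GREEK", "ARABIC", "HEBREW", "DEVANAGARI", "BENGALI",
    "TAMIL", "TELUGU", "THAI", "HANGUL", "HIRAGANA", "KATAKANA", "CJK",
    "ETHIOPIC", "GEORGIAN", "ARMENIAN", "MYANMAR",
)

# Tiny constructed English vocabulary standing in for a real language-ID model.
ENGLISH_VOCAB = frozenset("""
a an the to of in on and or for with how what why explain write describe
short poem about please give me step steps safely safe help""".split())


def script_of(ch: str):
    """Script family of one character; None for digits, punctuation, spaces."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for prefix in SCRIPT_PREFIXES:
        if name.startswith(prefix):
            return prefix
    return "OTHER"


def word_script(word: str):
    """Majority script of a word's letters, or None if it has no letters."""
    counts = Counter(s for s in map(script_of, word) if s)
    return counts.most_common(1)[0][0] if counts else None


def script_profile(text: str) -> Counter:
    """Number of whitespace-separated words written in each script."""
    return Counter(s for s in map(word_script, text.split()) if s)


def script_mix_share(text: str) -> float:
    """Fraction of scripted words not written in the dominant script."""
    profile = script_profile(text)
    total = sum(profile.values())
    if total == 0:
        return 0.0
    return (total - profile.most_common(1)[0][1]) / total


def unknown_latin_share(text: str, vocab=ENGLISH_VOCAB) -> float:
    """Fraction of Latin-script words that are absent from the vocabulary."""
    latin = [w.strip(".,!?;:\"'()").lower() for w in text.split()
             if word_script(w) == "LATIN"]
    if not latin:
        return 0.0
    return sum(w not in vocab for w in latin) / len(latin)


def gate(prompt: str, mix_threshold: float = 0.15,
         unknown_threshold: float = 0.5) -> str:
    """Routing decision: 'abstain' when the prompt looks out of distribution
    for English-only safety training, otherwise 'answer'."""
    if script_mix_share(prompt) >= mix_threshold:
        return "abstain"
    if unknown_latin_share(prompt) >= unknown_threshold:
        return "abstain"
    return "answer"


if __name__ == "__main__":
    # Constructed sample prompts; the last one is Zulu-like filler, not a
    # real translation, chosen only to be Latin-script and out of vocabulary.
    for p in ("Explain how to write a short poem about the sea",
              "Explain how to сделать это safely please",
              "Write a short poem about 猫 please",
              "Explain how to bhaka isinkwa ekhaya namhlanje"):
        print(gate(p), "<-", p)
```

The second signal is the important one for the attack family the abstract describes: many low-resource languages are written in Latin script, so a script-mixing check alone would pass them straight through. Both signals are fixed-threshold heuristics, and an attacker who can query the gate can tune substitutions to stay under them, so a filter like this complements, rather than replaces, the broader multilingual alignment coverage the abstract argues for.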
Source: arXiv: 2607.01859