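| Main Authors: | Broomfield, Julius; Gibbs, Tom; Kosak-Hine, Ethan; Ingebretsen, George; Nasir, Tia; Zhang, Jason; Iranmanesh, Reihaneh; Pieri, Sara; Rabbany, Reihaneh; Pelrine, Kellin |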
|---|---|
| Format: | Preprint |
| Published: | 2025 |
| Subjects: | Cryptography and Security; Artificial Intelligence; Computer Vision and Pattern Recognition |
| Online Access: | https://arxiv.org/abs/2504.09712 |
| _version_ | 1866915315132137472 |
|---|---|
| author | Broomfield, Julius; Gibbs, Tom; Kosak-Hine, Ethan; Ingebretsen, George; Nasir, Tia; Zhang, Jason; Iranmanesh, Reihaneh; Pieri, Sara; Rabbany, Reihaneh; Pelrine, Kellin |
| contents | LLM jailbreaks are a widespread safety challenge. Given this problem has not yet been tractable, we suggest targeting a key failure mechanism: the failure of safety to generalize across semantically equivalent inputs. We further focus the target by requiring desirable tractability properties of attacks to study: explainability, transferability between models, and transferability between goals. We perform red-teaming within this framework by uncovering new vulnerabilities to multi-turn, multi-image, and translation-based attacks. These attacks are semantically equivalent by our design to their single-turn, single-image, or untranslated counterparts, enabling systematic comparisons; we show that the different structures yield different safety outcomes. We then demonstrate the potential for this framework to enable new defenses by proposing a Structure Rewriting Guardrail, which converts an input to a structure more conducive to safety assessment. This guardrail significantly improves refusal of harmful inputs, without over-refusing benign ones. Thus, by framing this intermediate challenge - more tractable than universal defenses but essential for long-term safety - we highlight a critical milestone for AI safety research. |
| format | Preprint |
| id | arxiv_https___arxiv_org_abs_2504_09712 |
| institution | arXiv |
| publishDate | 2025 |
| record_format | arxiv |
| title | The Structural Safety Generalization Problem |
| topic | Cryptography and Security; Artificial Intelligence; Computer Vision and Pattern Recognition |
| url | https://arxiv.org/abs/2504.09712 |