Latent-space Attacks for Refusal Evasion in Language Models

Giorgio Piras, Raffaele Mura, Fabio Brau, Maura Pintor, Luca Oneto, Fabio Roli, Battista Biggio

arXiv:2605.21706 · 2026-05-23 공개 · arXiv · PDF

multimodal-models model-alignment instruction-tuned-models linear-probes latent-space-attacks representation-projection jailbreak-attacks decision-boundary

Abstract

Safety-aligned language models are trained to refuse harmful requests, yet refusal behavior can be suppressed by steering their internal representations. Existing methods do so by ablating a refusal direction from model activations, aiming to remove refusal from the model's residual stream. Despite their empirical success, these methods lack a principled account of the latent-space transformation they induce and why it suppresses refusal. In this work, we recast refusal suppression as a latent-space evasion attack against linear probes trained to separate refused from answered prompts. Under this view, prior work's difference-in-means direction naturally defines such a probe, and its ablation is exactly a projection onto its decision boundary, i.e., a minimum-confidence evasion attack. This perspective not only explains the empirical success of prior work but also admits a key limitation: evasion stops at the decision boundary, motivating the need to push representations further into the compliant region, i.e., where the model answers. We leverage this by proposing a Controlled Latent-space Evasion attack that projects representations past the boundary with an optimized confidence. We achieve state-of-the-art attack success rate across 15 instruction-tuned, multimodal, and reasoning models, outperforming existing refusal-ablation baselines and specialized jailbreak attacks.

한국어 요약

📋 한 줄 요약

**[Jailbreak / Latent Evasion]** Refusal suppression을 latent-space evasion attack으로 재해석 — 기존 refusal direction ablation이 minimum-confidence 결정 경계 projection임을 보이고, 경계를 넘어 compliant region으로 밀어주는 Controlled Latent-space Evasion으로 15 instruction-tuned·multimodal·reasoning 모델에서 SOTA 공격 성공률.

🎯 핵심 기여도

💡 핵심 아이디어

LLM refusal 억제는 단순한 vector subtraction이 아니라 linear probe에 대한 latent-space evasion attack의 한 형태이며, decision boundary projection을 넘어 compliant region 내부로 confidence를 optimize해 밀어주면 더 강력한 jailbreak 가능 — 이 framework가 기존 방법을 통일·일반화한다.

🔬 기술적 접근법

📊 주요 결과

💭 의의 및 한계

**의의**: Jailbreak 연구에 원리적 latent-space framework 도입, 기존 방법의 통일된 재해석, multimodal·reasoning 모델로 확장. **한계**: White-box·activation 접근 요구로 black-box 위협과 다름, refusal direction이 linear로 표현된다는 가정의 nonlinear 한계, defense 측 대응이 evasion 변형에 따라 달라짐.

🚀 실용적 활용