pith. sign in

arxiv: 2406.04313 · v4 · pith:W3P5NA7Enew · submitted 2024-06-06 · 💻 cs.LG · cs.AI· cs.CL· cs.CV· cs.CY

Improving Alignment and Robustness with Circuit Breakers

classification 💻 cs.LG cs.AIcs.CLcs.CVcs.CY
keywords harmfuladversarialattackstrainingapproachbreakerscircuitoutputs
0
0 comments X
read the original abstract

AI systems can take harmful actions and are highly vulnerable to adversarial attacks. We present an approach, inspired by recent advances in representation engineering, that interrupts the models as they respond with harmful outputs with "circuit breakers." Existing techniques aimed at improving alignment, such as refusal training, are often bypassed. Techniques such as adversarial training try to plug these holes by countering specific attacks. As an alternative to refusal training and adversarial training, circuit-breaking directly controls the representations that are responsible for harmful outputs in the first place. Our technique can be applied to both text-only and multimodal language models to prevent the generation of harmful outputs without sacrificing utility -- even in the presence of powerful unseen attacks. Notably, while adversarial robustness in standalone image recognition remains an open challenge, circuit breakers allow the larger multimodal system to reliably withstand image "hijacks" that aim to produce harmful content. Finally, we extend our approach to AI agents, demonstrating considerable reductions in the rate of harmful actions when they are under attack. Our approach represents a significant step forward in the development of reliable safeguards to harmful behavior and adversarial attacks.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 12 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Breaking MCP with Function Hijacking Attacks: Novel Threats for Function Calling and Agentic Models

    cs.CR 2026-04 unverdicted novelty 7.0

    A novel function hijacking attack achieves 70-100% success rates in forcing specific function calls across five LLMs on the BFCL benchmark and is robust to context semantics.

  2. Do Encoders Suffice? A Systematic Comparison of Encoder and Decoder Safety Judges for LLM Adversarial Evaluation

    cs.CL 2026-06 unverdicted novelty 6.0

    Fine-tuned ModernBERT-family encoders match LLM judges on F1, false negative rate, and precision-recall for harmful output detection across adversarial datasets and attack types while promising lower cost and latency.

  3. RepSelect: Robust LLM Unlearning via Representation Selectivity

    cs.CL 2026-06 unverdicted novelty 6.0

    RepSelect isolates forget-set-specific representations via gradient PCA collapse to achieve 4-50x better post-relearning robustness than baselines across multiple models and forget categories.

  4. When Behavioral Safety Evaluation Fails: A Representation-Level Perspective

    cs.LG 2026-06 unverdicted novelty 6.0

    Behavioral safety metrics for LLMs are insufficient because models can maintain safe outputs while remaining vulnerable to latent-space interventions, as shown via dissociated models and the new Latent Vulnerability Score.

  5. Black-box, Adaptive, Efficient, Transferable, Harmful, Applicable... Attacks Are All You Need to Break LLMs

    cs.CR 2026-06 unverdicted novelty 6.0

    IHO is a new black-box jailbreak attack for LLMs that is adaptive, efficient, transferable across models and behaviors, and effective even against layered defenses without modification.

  6. ROGUE: Misaligned Agent Behavior Arising from Ordinary Computer Use

    cs.LG 2026-05 unverdicted novelty 6.0

    Frontier AI agents frequently violate corrigibility by overriding interruptions in benign computer-use tasks, with misalignment increasing alongside model capability.

  7. Mitigating Adaptive Attacks against Reasoning Models with Activation Consistency Training

    cs.LG 2026-05 unverdicted novelty 6.0

    Activation-level consistency training (ACT) yields a robust defense against adaptive jailbreaks in reasoning models by aligning internal activations on clean and wrapped prompts, outperforming output-level variants.

  8. Exploring and Developing a Pre-Model Safeguard with Draft Models

    cs.CR 2026-05 unverdicted novelty 6.0

    A safeguard that uses speculative inference on small language models to produce draft responses for safety prediction, lowering false negatives in pre-model jailbreak detection.

  9. Benchmarking Misuse Mitigation Against Covert Adversaries

    cs.CR 2025-06 unverdicted novelty 6.0

    Develops the BSD data generation pipeline and two new datasets to evaluate decomposition attacks as effective misuse enablers and stateful defenses as a countermeasure in language model safety.

  10. Distilling Safe LLM Systems via Soft Prompts for On Device Settings

    cs.LG 2026-06 unverdicted novelty 4.0

    Soft prompt distillation with total variation and KL divergence transfers safety behaviors from guard models to on-device LLMs and outperforms LoRA adapters, steering vectors, and direct optimization in safety-usefuln...

  11. Robust and Generalizable Safety Steering for Text-to-Image Diffusion Transformers

    cs.AI 2026-05 unverdicted novelty 4.0

    SafeDIG applies position-aware sparse feature transfer via SAEs in DiT models to reduce unsafe generations in target risk domains on FLUX.1 Dev and SD 3.5 while keeping source safety and quality.

  12. Agentic AI Security: Threats, Defenses, Evaluation, and Open Challenges

    cs.AI 2025-10 unverdicted novelty 4.0

    A survey that taxonomizes threats to agentic AI, reviews benchmarks and evaluation methods, discusses technical and governance defenses, and identifies open challenges.