Large language models (LLMs) are vulnerable to adversarial attacks that can elicit harmful responses. Defending against such attacks remains challenging due to the opacity of jailbreaking mechanisms and the high computational cost of training LLMs robustly. We demonstrate that adversarial attacks share a universal mechanism for circumventing LLM safeguards that works by ablating a dimension in the residual stream embedding space called the refusal feature. We further show that the operation of refusal feature ablation (RFA) approximates the worst-case perturbation of offsetting model safety. Based on these findings, we propose Refusal Feature Adversarial Training (ReFAT), a novel algorithm that efficiently performs LLM adversarial training by simulating the effect of input-level attacks via RFA. Experiment results show that ReFAT significantly improves the robustness of three popular LLMs against a wide range of adversarial attacks, with considerably less computational overhead compared to existing adversarial training methods.

本研究针对大语言模型（LLMs）对抗性攻击带来的脆弱性问题，提出了一种新的对抗训练算法——拒绝特征对抗训练（ReFAT）。通过模拟输入层次的攻击效果，该方法显著提高了多种流行LLMs在面对各种对抗性攻击时的鲁棒性，同时计算成本较现有方法大幅降低。

鲁棒性大语言模型保护的拒绝特征对抗训练