Smoothed Embeddings for Robust Language Models
About
Improving the safety and reliability of large language models (LLMs) is a crucial aspect of realizing trustworthy AI systems. Although alignment methods aim to suppress harmful content generation, LLMs are often still vulnerable to jailbreaking attacks that employ adversarial inputs that subvert alignment and induce harmful outputs. We propose the Randomized Embedding Smoothing and Token Aggregation (RESTA) defense, which adds random noise to the embedding vectors and performs aggregation during the generation of each output token, with the aim of better preserving semantic information. Our experiments demonstrate that our approach achieves superior robustness versus utility tradeoffs compared to the baseline defenses.
Ryo Hase, Md Rafi Ur Rashid, Ashley Lewis, Jing Liu, Toshiaki Koike-Akino, Kieran Parsons, Ye Wang • 2025
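The abstract describes the mechanism only at a high level: noise is added to the embedding vectors, and the model's outputs over many noisy copies are aggregated at every decoding step. The following Python script is an added toy illustration of that decoding loop; it is not code from the paper or its authors. Everything in it is constructed: the 3-token vocabulary, the 4-dimensional embeddings, the scoring model (two smooth linear logits for benign tokens and a narrow Gaussian bump around a trigger vector for the harmful token, standing in for a brittle jailbreak region), and the adversarial suffix, which is chosen so the context mean lands exactly on that bump. The real models, noise distribution and aggregation rule used by RESTA are not on this page; majority vote and mean-probability aggregation are shown here as two plausible choices.

```python
import math
import random

# Toy vocabulary and 4-d token embeddings (constructed for this illustration).
VOCAB = ["<refuse>", "<sure>", "<harmful>"]
DIM = 4
EMBED = {
    0: [0.8, -0.2, 0.0, 0.0],   # <refuse>
    1: [-0.2, 0.8, 0.0, 0.0],   # <sure>
    2: [0.0, 0.0, 0.5, -0.5],   # <harmful>
}

# Toy scoring model over the mean context embedding (constructed, not the
# paper's). The two benign logits are smooth linear readouts; the harmful
# logit is a narrow Gaussian bump around TRIGGER. This encodes the assumption
# behind smoothing defenses: an optimised jailbreak must hit a small region
# exactly, while benign behaviour occupies broad regions.
W_REFUSE = [1.0, 0.0, 0.0, 0.0]
W_SURE = [0.0, 1.0, 0.0, 0.0]
TRIGGER = [0.3, 0.3, 0.9, -0.4]
BUMP_VAR = 0.005      # smaller = more brittle trigger region
BUMP_HEIGHT = 8.0


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def mean_embedding(ctx):
    return [sum(e[i] for e in ctx) / len(ctx) for i in range(DIM)]


def logits(ctx):
    m = mean_embedding(ctx)
    bump = BUMP_HEIGHT * math.exp(-sq_dist(m, TRIGGER) / (2 * BUMP_VAR))
    return [dot(W_REFUSE, m), dot(W_SURE, m), bump]


def softmax(xs):
    top = max(xs)
    exps = [math.exp(x - top) for x in xs]
    total = sum(exps)
    return [e / total for e in exps]


def argmax(xs):
    return max(range(len(xs)), key=lambda i: xs[i])


def next_token(ctx, sigma, n_samples, rng, agg="vote"):
    """One smoothed decoding step: add N(0, sigma^2) noise to every context
    embedding, score each of n_samples noisy copies, then aggregate across
    copies by majority vote on the argmax ("vote") or by averaging the softmax
    outputs ("mean"). With sigma=0 every copy is identical and this reduces to
    ordinary greedy decoding."""
    votes = [0] * len(VOCAB)
    prob_sum = [0.0] * len(VOCAB)
    for _ in range(n_samples):
        noisy = [[x + rng.gauss(0.0, sigma) for x in e] for e in ctx]
        probs = softmax(logits(noisy))
        votes[argmax(probs)] += 1
        prob_sum = [a + b for a, b in zip(prob_sum, probs)]
    return argmax(votes) if agg == "vote" else argmax(prob_sum)


def generate(prompt, max_new_tokens, sigma, n_samples, seed=0, agg="vote"):
    """Autoregressive loop: fresh noise is drawn for every output token, and
    the committed token's clean embedding is appended to the context."""
    rng = random.Random(seed)
    ctx = [list(e) for e in prompt]
    out = []
    for _ in range(max_new_tokens):
        tok = next_token(ctx, sigma, n_samples, rng, agg)
        out.append(tok)
        ctx.append(list(EMBED[tok]))
    return out


def jailbroken(prompt, sigma, n_samples, seed=0, max_new_tokens=3):
    """True if the harmful token is emitted anywhere in the generation."""
    return 2 in generate(prompt, max_new_tokens, sigma, n_samples, seed)


# Constructed prompts. The adversarial suffix is chosen so the context mean
# lands exactly on TRIGGER, i.e. a white-box attacker who optimised the
# suffix in embedding space against the undefended model.
BENIGN_PROMPT = [[0.2, 1.0, 0.0, 0.0], [0.1, 0.9, 0.1, 0.0]]
ADV_SUFFIX = [2 * t - b for t, b in zip(TRIGGER, BENIGN_PROMPT[0])]
ADV_PROMPT = [BENIGN_PROMPT[0], ADV_SUFFIX]

if __name__ == "__main__":
    for name, prompt in [("benign", BENIGN_PROMPT), ("adversarial", ADV_PROMPT)]:
        plain = generate(prompt, 3, sigma=0.0, n_samples=1)
        smooth = generate(prompt, 3, sigma=0.3, n_samples=64)
        print(f"{name:11s} undefended={[VOCAB[t] for t in plain]} "
              f"smoothed={[VOCAB[t] for t in smooth]}")
```

Running the script shows the tradeoff the abstract refers to: on the adversarial prompt, undefended greedy decoding emits `<harmful>` because the suffix hits the trigger exactly, while with sigma=0.3 and 64 noisy copies almost no copy lands inside the narrow bump and the vote falls back to a benign token; on the benign prompt the same noise leaves the output unchanged, because its decision margin is wide. The two knobs a practitioner would tune are `sigma` (larger noise defeats wider trigger regions but starts to flip benign decisions) and `n_samples` (more copies tighten the vote at a linear cost in forward passes per output token). Mean-probability aggregation (`agg="mean"`) is softer than the vote and can still be swayed by a few copies that hit the trigger with high confidence, which is why the vote is used by default here.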
Related benchmarks
| Task | Dataset | Metric | Result | Rank |
|---|---|---|---|---|
| Jailbreak Defense | Jailbreak Attacks | GCG ASR | 0.0 | 18 |
| Model Utility | IFEval | Accuracy | 57 | 18 |
| Model Utility | Alpaca | Accuracy | 59.6 | 18 |
| Text Moderation | HarmBench (n = 400) | Flagged Count | 25 | 13 |
| Text Moderation | WildJailbreak Adv. Harmful (n = 2,000) | Flagged Count | 199 | 13 |
| Text Moderation | WildJailbreak Adv. Benign (n = 210) | Flagged Count | 2 | 13 |
| Jailbreak Defense | Vicuna-13B, Adaptive PAIR attack | ASR | 36 | 6 |
| Jailbreak Defense | LLaMA2-7B, Adaptive AutoDAN-T attack | ASR | 25 | 6 |
| Jailbreak Defense | Qwen2.5-7B, Adaptive PAIR attack | ASR | 24 | 6 |
| Jailbreak Defense | Qwen2.5-7B, Adaptive AutoDAN-T attack | ASR | 46 | 6 |
Showing 10 of 12 rows