ResearchTrend.AI
104
4
v1v2 (latest)

Short-length Adversarial Training Helps LLMs Defend Long-length Jailbreak Attacks: Theoretical and Empirical Evidence

Shaopeng Fu
Liang Ding
Di Wang
Di Wang
Author Contacts:
shaopeng.fu@kaust.edu.saliangding.liam@gmail.comjingfeng.zhang@auckland.ac.nzdi.wang@kaust.edu.sa
ArXiv (abs)PDFHTML
Main:9 Pages
5 Figures
Bibliography:4 Pages
2 Tables
Appendix:17 Pages
Abstract

Jailbreak attacks against large language models (LLMs) aim to induce harmful behaviors in LLMs through carefully crafted adversarial prompts. To mitigate attacks, one way is to perform adversarial training (AT)-based alignment, i.e., training LLMs on some of the most adversarial prompts to help them learn how to behave safely under attacks. During AT, the length of adversarial prompts plays a critical role in the robustness of aligned LLMs. While long-length adversarial prompts during AT might lead to strong LLM robustness, their synthesis however is very resource-consuming, which may limit the application of LLM AT. This paper focuses on adversarial suffix jailbreak attacks and unveils that to defend against a jailbreak attack with an adversarial suffix of length Θ(M)\Theta(M), it is enough to align LLMs on prompts with adversarial suffixes of length Θ(M)\Theta(\sqrt{M}). Theoretically, we analyze the adversarial in-context learning of linear transformers on linear regression tasks and prove a robust generalization bound for trained transformers. The bound depends on the term Θ(Mtest/Mtrain)\Theta(\sqrt{M_{\text{test}}}/M_{\text{train}}), where MtrainM_{\text{train}} and MtestM_{\text{test}} are the numbers of adversarially perturbed in-context samples during training and testing. Empirically, we conduct AT on popular open-source LLMs and evaluate their robustness against jailbreak attacks of different adversarial suffix lengths. Results confirm a positive correlation between the attack success rate and the ratio of the square root of the adversarial suffix length during jailbreaking to the length during AT. Our findings show that it is practical to defend against ``long-length'' jailbreak attacks via efficient ``short-length'' AT. The code is available atthis https URL.

View on arXiv
@article{fu2025_2502.04204,
  title={ Short-length Adversarial Training Helps LLMs Defend Long-length Jailbreak Attacks: Theoretical and Empirical Evidence },
  author={ Shaopeng Fu and Liang Ding and Jingfeng Zhang and Di Wang },
  journal={arXiv preprint arXiv:2502.04204},
  year={ 2025 }
}
Comments on this paper