Skip to content

Safety and Adversarial: Protecting and Attacking Models

Intuition: models can be “tricked” too

Section titled “Intuition: models can be “tricked” too”

LLM safety has two sides: models may “say the wrong thing” (hallucinations, bias, harmful content), and they may be tricked by malicious inputs into doing things they should not (jailbreaks, prompt injection). Like a gatekeeper who must both identify bad actors and resist deceptive tactics.

Engineering view: layered defense and continuous monitoring

Section titled “Engineering view: layered defense and continuous monitoring”

Engineering defenses are typically layered:

  • Input layer: Filter sensitive prompts, detect known attack patterns, restrict input length and format.
  • Model layer: Alignment training (RLHF, Constitutional AI), refusal strategies, output classifiers.
  • Output layer: Post-processing filters, watermarks, fact-checking, citation verification.
  • System layer: Sandboxed execution, least privilege, audit logs, rate limiting.

Common attacks:

  • Jailbreak: Bypass safety restrictions through roleplay, encoding tricks, or logic traps.
  • Prompt injection: Embed malicious instructions in untrusted input (web pages, emails) to hijack model behavior.
  • Data extraction: Craft prompts to extract private information from training data.

There is no perfect defense. The key is defense in depth and continuous red teaming.

Research view: safety is generalizable refusal

Section titled “Research view: safety is generalizable refusal”

At the research level, the core safety question is: can models learn “generalizable refusal”—not just rejecting attacks seen during training, but also defending against unseen variants? Current evidence suggests that adversarial attacks often transfer: jailbreaks discovered on one model frequently work on others.

Frontier directions include: automated red teaming (using models to attack models), provable defense bounds, mechanistic interpretability to locate harmful behavior circuits, and formal methods to verify output constraints in critical systems.

🔬 Open Research Questions

Key questions and research directions in this area:

  1. Is there a theoretical equilibrium point in the "cat-and-mouse game" between adversarial attacks (e.g., GCG) and model alignment?
  2. How should risk assessment frameworks for indirect prompt injection in real-world applications be constructed?
  3. How can privacy risks from training data extraction attacks be quantified? Is differential privacy training the only solution?

References