LLM Jailbreak Detection for (Almost) Free!

Large language models (LLMs) enhance security through alignment when widely used, but remain susceptible to jailbreak attacks capable of producing inappropriate content. Jailbreak detection methods show promise in mitigating jailbreak attacks through the assistance of other models or multiple model inferences. However, existing methods entail significant computational costs. In this paper, we first present a finding that the difference in output distributions between jailbreak and benign prompts can be employed for detecting jailbreak prompts. Based on this finding, we propose a Free Jailbreak Detection (FJD) which prepends an affirmative instruction to the input and scales the logits by temperature to further distinguish between jailbreak and benign prompts through the confidence of the first token. Furthermore, we enhance the detection performance of FJD through the integration of virtual instruction learning. Extensive experiments on aligned LLMs show that our FJD can effectively detect jailbreak prompts with almost no additional computational costs during LLM inference.

Key Contributions

• Empirical finding that jailbreak prompts produce lower first-token confidence than benign prompts, enabling a lightweight detection signal.
• FJD method combining Affirmative Instruction Prepending and Temperature Scaling to amplify confidence gaps at virtually zero additional inference cost.
• FJD-LI extension that learns virtual instructions to further improve detection performance across diverse jailbreak types.

🛡️ Threat Analysis

Details

Similar Papers