LLMs Can Unlearn Refusal with Only 1,000 Benign Samples

This study reveals a previously unexplored vulnerability in the safety alignment of Large Language Models (LLMs). Existing aligned LLMs predominantly respond to unsafe queries with refusals, which often begin with a fixed set of prefixes (I'm sorry). We demonstrate that this rigid refusal pattern is a vulnerability and introduce a novel \textbf{refusal unlearning} technique that exploits it. Specifically, we fine-tune LLMs using merely 1,000 benign samples, where each response is prepended with a refusal prefix. The underlying intuition is to disrupt the refusal completion pathway, thereby driving the model to forget how to refuse while following harmful instructions. This intuition is further supported by theoretical proofs. We apply this approach to a total of 16 LLMs, including various open-source models from Llama, Qwen, and Gemma families, as well as closed-source models such as Gemini and GPT. Experimental results show that the safety scores of previously aligned LLMs degrade both consistently and substantially. Importantly, we verify that the observed gain cannot be attributed to plain fine-tuning or random prefix effects. Our findings suggest that current safety alignment may rely heavily on token sequence memorization rather than reasoning, motivating future work beyond simple refusal mechanisms. Code has been released: https://github.com/guoyang9/refusal-unlearning.

Key Contributions

• Identifies rigid refusal prefix patterns (e.g., 'I'm sorry') as a structural vulnerability in LLM safety alignment
• Proposes 'refusal unlearning': fine-tuning on only 1,000 benign samples prepended with refusal prefixes to disrupt the refusal completion pathway
• Demonstrates consistent and substantial safety degradation across 16 LLMs (Llama, Qwen, Gemma, Gemini, GPT) with theoretical justification

🛡️ Threat Analysis

Details

Similar Papers