attack 2026

Selective Steering: Norm-Preserving Control Through Discriminative Layer Selection

Quy-Anh Dang 1,2, Chris Ngo 1,2

1 VNU University of Science

2 Knovel Engineering Lab

0 citations · 39 references · arXiv
α

Published on arXiv

2601.19375

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

Selective Steering achieves 5.5x higher attack success rates than prior activation steering methods across nine models while maintaining zero perplexity violations and approximately 100% capability retention on standard benchmarks.

Selective Steering

Novel technique introduced

Despite significant progress in alignment, large language models (LLMs) remain vulnerable to adversarial attacks that elicit harmful behaviors. Activation steering techniques offer a promising inference-time intervention approach, but existing methods suffer from critical limitations: activation addition requires careful coefficient tuning and is sensitive to layer-specific norm variations, while directional ablation provides only binary control. Recent work on Angular Steering introduces continuous control via rotation in a 2D subspace, but its practical implementation violates norm preservation, causing distribution shift and generation collapse, particularly in models below 7B parameters. We propose Selective Steering, which addresses these limitations through two key innovations: (1) a mathematically rigorous norm-preserving rotation formulation that maintains activation distribution integrity, and (2) discriminative layer selection that applies steering only where feature representations exhibit opposite-signed class alignment. Experiments across nine models demonstrate that Selective Steering achieves 5.5x higher attack success rates than prior methods while maintaining zero perplexity violations and approximately 100\% capability retention on standard benchmarks. Our approach provides a principled, efficient framework for controllable and stable LLM behavior modification. Code: https://github.com/knoveleng/steering

Key Contributions

  • Mathematically rigorous norm-preserving rotation formulation for activation steering that avoids distribution shift and generation collapse seen in prior Angular Steering methods
  • Discriminative layer selection strategy that applies steering only to layers where feature representations exhibit opposite-signed class alignment, improving efficiency and effectiveness
  • 5.5x improvement in attack success rate over prior activation steering methods across nine LLMs while maintaining zero perplexity violations and ~100% capability retention

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llmtransformer
Threat Tags
white_boxinference_timetargeted
Datasets
AdvBench
Applications
llm safety alignment bypassred-teamingjailbreaking
Read PDF arXiv DOI Code

Similar Papers

attack

Causal Front-Door Adjustment for Robust Jailbreak Attacks on LLMs

2026 0 cit.
100%
attack

MEUV: Achieving Fine-Grained Capability Activation in Large Language Models via Mutually Exclusive Unlock Vectors

2025 0 cit.
100%
attack

Attributing and Exploiting Safety Vectors through Global Optimization in Large Language Models

2026 0 cit.
100%
attack

LatentBreak: Jailbreaking Large Language Models through Latent Space Feedback

2025 1 cit.
100%
attack

Sparse Models, Sparse Safety: Unsafe Routes in Mixture-of-Experts LLMs

2026 0 cit.
100%
attack

The Rogue Scalpel: Activation Steering Compromises LLM Safety

2025 4 cit.
100%
attack

RepIt: Steering Language Models with Concept-Specific Refusal Vectors

2025 0 cit.
100%
attack

Knowing without Acting: The Disentangled Geometry of Safety Mechanisms in Large Language Models

2026 0 cit.
100%