ML Security PapersJailbreaking Leaves a Trace: Understanding and Detecting Jailbreak Attacks from Internal Representations of Large Language Models
Sri Durga Sai Sowmya Kadali , Evangelos E. Papalexakis
Published on arXiv
2602.11495
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
Inference-time layer-susceptibility intervention blocks 78% of jailbreak attempts while preserving benign behavior on 94% of safe prompts, with minimal computational overhead.
Tensor-Based Latent Representation Jailbreak Detector
Novel technique introduced
Jailbreaking large language models (LLMs) has emerged as a critical security challenge with the widespread deployment of conversational AI systems. Adversarial users exploit these models through carefully crafted prompts to elicit restricted or unsafe outputs, a phenomenon commonly referred to as Jailbreaking. Despite numerous proposed defense mechanisms, attackers continue to develop adaptive prompting strategies, and existing models remain vulnerable. This motivates approaches that examine the internal behavior of LLMs rather than relying solely on prompt-level defenses. In this work, we study jailbreaking from both security and interpretability perspectives by analyzing how internal representations differ between jailbreak and benign prompts. We conduct a systematic layer-wise analysis across multiple open-source models, including GPT-J, LLaMA, Mistral, and the state-space model Mamba, and identify consistent latent-space patterns associated with harmful inputs. We then propose a tensor-based latent representation framework that captures structure in hidden activations and enables lightweight jailbreak detection without model fine-tuning or auxiliary LLM-based detectors. We further demonstrate that the latent signals can be used to actively disrupt jailbreak execution at inference time. On an abliterated LLaMA-3.1-8B model, selectively bypassing high-susceptibility layers blocks 78% of jailbreak attempts while preserving benign behavior on 94% of benign prompts. This intervention operates entirely at inference time and introduces minimal overhead, providing a scalable foundation for achieving stronger coverage by incorporating additional attack distributions or more refined susceptibility thresholds. Our results provide evidence that jailbreak behavior is rooted in identifiable internal structures and suggest a complementary, architecture-agnostic direction for improving LLM security.
Key Contributions
- Systematic layer-wise analysis of hidden activations across GPT-J, LLaMA, Mistral, and Mamba2 revealing consistent latent-space patterns that distinguish jailbreak from benign prompts.
- Tensor-based latent representation framework for lightweight jailbreak detection requiring no model fine-tuning or auxiliary LLM detectors.
- Inference-time layer-bypassing intervention on abliterated LLaMA-3.1-8B that blocks 78% of jailbreak attempts while preserving 94% of benign responses.