defense 2026

Latent Instruction Representation Alignment: defending against jailbreaks, backdoors and undesired knowledge in LLMs

Eric Easley 1, Sebastian Farquhar 2

1 University of California, Berkeley

2 University of Oxford

0 citations
α

Published on arXiv

2604.10403

Model Poisoning

OWASP ML Top 10 — ML10

Prompt Injection

OWASP LLM Top 10 — LLM01

Sensitive Information Disclosure

OWASP LLM Top 10 — LLM06

Key Finding

Blocks over 99% of PEZ jailbreak attacks, removes insecure code backdoors, achieves optimal forgetting on WMDP cyber with negligible benign capability loss

LIRA

Novel technique introduced

We address jailbreaks, backdoors, and unlearning for large language models (LLMs). Unlike prior work, which trains LLMs based on their actions when given malign instructions, our method specifically trains the model to change how it interprets instructions. Our method, Latent Instruction Representation Alignment (LIRA), greatly improves generalization. We further boost generalization through an internally adversarial training algorithm. Our methods block over 99% of PEZ jailbreak attacks; remove a challenging insecure code backdoor; and achieve optimal forgetting on WMDP cyber with negligible loss of benign capabilities.

Key Contributions

  • Latent Instruction Representation Alignment (LIRA) method that trains LLMs to reinterpret malicious instructions as benign at the representation level rather than output level
  • Sequence-Aware Gradients (SAG) technique that stops gradients from response positions to focus training on instruction representations
  • Internally adversarial training algorithm where middle layers try to hide malicious intent from later layers

🛡️ Threat Analysis

Model Poisoning

Removes challenging insecure code backdoors from LLMs, achieving backdoor removal through representation alignment.

Details

Domains
nlp
Model Types
llmtransformer
Threat Tags
white_boxinference_timetraining_time
Datasets
PEZWMDP cyberTOFU
Applications
llm safetyjailbreak defensebackdoor removalharmful knowledge unlearning
Read PDF arXiv

Similar Papers

defense

Microsaccade-Inspired Probing: Positional Encoding Perturbations Reveal LLM Misbehaviours

2025 1 cit.
Model Poisoning
82%
defense

Machine Unlearning Meets Adversarial Robustness via Constrained Interventions on LLMs

2025 2 cit.
82%
defense

IH-Challenge: A Training Dataset to Improve Instruction Hierarchy on Frontier LLMs

2026 0 cit.
76%
defense

Beyond Sharp Minima: Robust LLM Unlearning via Feedback-Guided Multi-Point Optimization

2025 1 cit.
76%
defense

Downgrade to Upgrade: Optimizer Simplification Enhances Robustness in LLM Unlearning

2025 0 cit.
76%
defense

Dual-Space Smoothness for Robust and Balanced LLM Unlearning

2025 1 cit.
72%
benchmark

SoK: a Comprehensive Causality Analysis Framework for Large Language Model Security

2025 0 cit.
Model Poisoning
72%
defense

Sanitize Your Responses: Mitigating Privacy Leakage in Large Language Models

2025 0 cit.
71%