attack 2026

Benign Fine-Tuning Breaks Safety Alignment in Audio LLMs

Jaechul Roh, Amir Houmansadr

0 citations

Published on arXiv: 2604.16659

Transfer Learning Attack

OWASP ML Top 10 — ML07

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

Benign fine-tuning elevates Jailbreak Success Rate from single digits to 87.12% in Audio LLMs, with vulnerability axis determined by model architecture

Novel technique introduced

Proximity-based filtering framework for Audio LLM safety


Prior work shows that fine-tuning aligned models on benign data degrades safety in text and vision modalities, and that proximity to harmful content in representation space predicts which samples cause the most damage. However, existing analyses operate within a single, undifferentiated embedding space -- leaving open whether distinct input properties drive the vulnerability differently. Audio introduces a structurally richer problem: a benign sample can neighbor harmful content not only through what is said but through how it sounds, even when its words are entirely innocuous. We present the first systematic study of benign fine-tuning safety in Audio LLMs, evaluating three state-of-the-art models with a proximity-based filtering framework that selects benign audio by embedding-space distance to harmful content. By decomposing proximity into semantic, acoustic, and mixed axes using external reference encoders alongside each model's own internal encoder, we show that benign fine-tuning elevates Jailbreak Success Rate (JSR) from single digits to as high as 87.12%. Crucially, the dominant vulnerability axis and the relative risk of audio versus text fine-tuning are both architecture-conditioned -- determined by how each model's encoder and projector transform audio into the LLM's input space. We propose two defenses: filtering training data to maximize distance from harmful embeddings, and a textual system prompt at inference, both reducing JSR to near-zero without architectural modification. Our mechanistic analysis on two architectures reveals that fine-tuning selectively suppresses the late-layer refusal circuit while the frozen encoder preserves representations, and that even the suppression pattern is architecture-conditioned, mirroring the behavioral asymmetries across modalities. Safety degradation from benign fine-tuning is a qualitatively distinct risk in Audio LLMs.


Key Contributions

  • First systematic study showing benign fine-tuning degrades safety in Audio LLMs with JSR reaching 87.12%
  • Decomposition framework showing vulnerability is architecture-conditioned across semantic, acoustic, and mixed proximity axes
  • Two defenses (embedding-based filtering and inference-time prompts) reducing JSR to near-zero without architectural changes
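
The first defense listed above, filtering training data by distance from harmful embeddings, can be sketched as follows. This is an added example, not code from the paper: the cosine metric, the worst-axis rule, the `max_sim` threshold, and all names and vectors are assumptions constructed for illustration.

```python
import math

def cosine(u, v):
    """Cosine similarity of two equal-length vectors (0.0 if either is all zeros)."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0

def proximity(sample, harmful_refs):
    """Per-axis nearest-neighbour similarity of one sample to the harmful reference set."""
    return {
        axis: max(cosine(vec, ref) for ref in harmful_refs[axis])
        for axis, vec in sample["emb"].items()
    }

def filter_far_from_harmful(samples, harmful_refs, max_sim=0.5):
    """Keep samples whose worst-axis similarity is <= max_sim (assumed threshold).

    Scoring on the worst axis means a clip with innocuous words is still
    dropped if it sounds close to harmful audio, and vice versa.
    """
    kept, dropped = [], []
    for s in samples:
        prox = proximity(s, harmful_refs)
        worst_axis = max(prox, key=prox.get)
        if prox[worst_axis] <= max_sim:
            kept.append(s["id"])
        else:
            dropped.append((s["id"], worst_axis, round(prox[worst_axis], 3)))
    return kept, dropped

# Constructed toy embeddings; in practice each axis would come from its own
# reference encoder (semantic vs. acoustic), as the abstract describes.
HARMFUL_REFS = {
    "semantic": [[1.0, 0.0, 0.0], [0.9, 0.1, 0.0]],
    "acoustic": [[0.0, 1.0, 0.0]],
}
BENIGN = [
    {"id": "clip_a", "emb": {"semantic": [0.0, 0.0, 1.0], "acoustic": [0.0, 0.0, 1.0]}},
    {"id": "clip_b", "emb": {"semantic": [0.0, 0.1, 1.0], "acoustic": [0.1, 1.0, 0.1]}},
    {"id": "clip_c", "emb": {"semantic": [1.0, 0.2, 0.1], "acoustic": [1.0, 0.0, 0.0]}},
]

if __name__ == "__main__":
    kept, dropped = filter_far_from_harmful(BENIGN, HARMFUL_REFS)
    print("kept:", kept)
    for sample_id, axis, sim in dropped:
        print(f"dropped {sample_id}: {axis} similarity {sim}")
```

Recording which axis caused each drop gives a per-dataset view of whether the retained risk is mostly semantic or acoustic, which matters because the paper reports that the dominant axis differs by architecture.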

🛡️ Threat Analysis

Transfer Learning Attack

The paper studies how benign fine-tuning (a transfer learning process) degrades safety alignment in pre-trained Audio LLMs, showing that the vulnerability is architecture-conditioned and that fine-tuning suppresses refusal circuits. It is classed as a transfer learning attack because the safety degradation arises from the fine-tuning process itself.


Details

Domains
audio, multimodal, nlp
Model Types
llm, multimodal, transformer
Threat Tags
training_time, grey_box
Datasets
Custom harmful audio corpus, Benign audio fine-tuning datasets
Applications
audio language models, speech processing, multimodal chatbots