中間層的所知:從熵動力學檢測越獄攻擊
What Intermediate Layers Know: Detecting Jailbreaks from Entropy Dynamics
June 23, 2026
作者: Sofiia Nikolenko, Michele Papucci, Mina Rezaei, Shireen Kudukkil Manchingal
cs.AI
摘要
越獄攻擊揭示了對齊大型語言模型中的一個持續弱點:經過精心設計的提示詞即便經過安全訓練,仍能誘發違反政策的回應。雖然多數防禦機制作用於提示詞或輸出層面,但目前仍不清楚有害意圖是如何在模型內部表徵中被編碼。我們透過使用logit鏡像分析凍結LLM各層中的詞元層級預測熵軌跡來探究此問題。我們發現,提示詞層級熵的靜態匯總統計量(如均值、變異數)攜帶的判別訊號極少,而能夠捕捉熵在詞元位置上演化方式的特徵——例如基於單調排名的趨勢分數——則具有顯著更高的資訊量。重要的是,此訊號並非均勻分佈於模型深層:它集中於中間層,並在最終層衰減,這表明與越獄相關的結構在網絡中段表徵中最為顯著,而非在輸出頭端。在多個模型(Llama、Qwen、Gemma)與對抗性基準測試中,這些熵動態無需額外訓練便能提供架構一致的分離。綜合而言,我們的研究顯示越獄行為反映於結構化的中間不確定性動態中,釐清了哪些源自熵的特徵編碼了有害意圖,以及該訊號在網絡中的哪個位置最為顯著。
English
Jailbreak attacks reveal a persistent weakness in aligned Large Language Models: carefully crafted prompts can elicit policy-violating responses despite safety training. While most defenses operate at the prompt or output level, it remains unclear how harmful intent is encoded within the model's internal representations. We investigate this question by analyzing token-level predictive entropy trajectories across layers of a frozen LLM using the logit lens. We find that static aggregate statistics of prompt-level entropy (e.g., mean, variance) carry little discriminative signal, whereas features capturing how entropy evolves across token positions, such as monotonic rank-based trend scores, are substantially more informative. Importantly, this signal is not uniform across model depth: it is concentrated in intermediate layers and degrades at the final layer, indicating that jailbreak-relevant structure is most pronounced in mid-network representations rather than at the output head. Across multiple models (Llama, Qwen, Gemma) and adversarial benchmarks, these entropy dynamics provide architecture-consistent separation without additional training. Together, our findings show that jailbreak behavior is reflected in structured intermediate uncertainty dynamics, clarifying both which entropy-derived features encode harmful intent and where in the network that signal is most pronounced.