As large language models (LLMs) become increasingly integrated into real-world applications such as code generation and chatbot assistance, extensive efforts have been made to align LLM behavior with human values, including safety. Jailbreak attacks, which aim to provoke unintended and unsafe behaviors from LLMs, remain a leading LLM safety threat. In this paper, we defend LLMs against jailbreak attacks by introducing SafeDecoding, a safety-aware decoding strategy that lets an LLM generate helpful and harmless responses to user queries. Our insight in developing SafeDecoding is based on the observation that, even when the probabilities of tokens representing harmful content outweigh those of tokens representing harmless responses, safety disclaimers still appear among the top tokens once tokens are sorted by probability in descending order. This allows us to mitigate jailbreak attacks by identifying safety disclaimers and amplifying their token probabilities, while simultaneously attenuating the probabilities of token sequences that are aligned with the objectives of jailbreak attacks. We perform extensive experiments on five LLMs using six state-of-the-art jailbreak attacks and four benchmark datasets. Our results show that SafeDecoding significantly reduces the attack success rate and harmfulness of jailbreak attacks without compromising the helpfulness of responses to benign user queries. SafeDecoding outperforms six defense methods.
Translation: As large language models (LLMs) are increasingly integrated into real-world applications such as code generation and chat assistants, the research community has invested substantial effort in aligning LLM behavior with human values, including safety. Jailbreak attacks, which aim to induce unintended and unsafe behavior from LLMs, remain a leading threat to LLM safety. This paper defends against jailbreak attacks by introducing SafeDecoding, a safety-aware decoding strategy that enables an LLM to generate responses to user queries that are both helpful and harmless. The insight behind SafeDecoding rests on the following observation: even when the probabilities of tokens representing harmful content exceed those of harmless responses, safety disclaimers still appear among the top tokens when tokens are ranked by probability in descending order. This lets us mitigate jailbreak attacks by identifying safety disclaimers and amplifying their token probabilities while attenuating the probabilities of token sequences aligned with the attacker's objective. We conduct extensive experiments on five LLMs using six state-of-the-art jailbreak attacks and four benchmark datasets. The results show that SafeDecoding significantly reduces the attack success rate and harmfulness of jailbreak attacks while preserving the helpfulness of responses to benign user queries. SafeDecoding outperforms six defense methods.
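To make the mechanism in the abstract concrete, the following Python is an added illustration (not the SafeDecoding authors' code) of one safety-aware decoding step. It assumes hand-constructed next-token distributions for a base model and for a safety-aware "expert" model, a candidate set formed from the intersection of the two models' top-k tokens (widened until it holds at least `min_common` tokens), and a contrastive update `p_new = p_base + alpha * (p_expert - p_base)` that is clipped at zero and renormalised. The update rule, the candidate-set construction, `alpha`, `k` and the sample probabilities are all assumptions chosen to demonstrate the effect the abstract describes; the abstract itself does not specify them.

```python
"""Toy safety-aware next-token reweighting (illustration, not the paper's code).

Assumptions (none are given in the abstract):
  * `base`   : next-token distribution of the model being defended.
  * `expert` : next-token distribution of a safety-aware reference model.
  * Candidate set = intersection of both models' top-k tokens, k widened
    until at least `min_common` candidates are present.
  * Update   : p_new = p_base + alpha * (p_expert - p_base), clipped at 0,
    then renormalised over the candidate set.
"""
from __future__ import annotations


def top_k(dist: dict[str, float], k: int) -> set[str]:
    """Tokens with the k highest probabilities."""
    return {t for t, _ in sorted(dist.items(), key=lambda kv: kv[1], reverse=True)[:k]}


def argmax(dist: dict[str, float]) -> str:
    """Greedy choice: the most probable token."""
    return max(dist, key=dist.get)


def safety_aware_step(base: dict[str, float], expert: dict[str, float],
                      alpha: float = 3.0, k: int = 4,
                      min_common: int = 1) -> dict[str, float]:
    """Reweight `base` toward `expert` over a shared candidate set.

    Tokens the expert ranks low (e.g. compliance openers under a jailbreak
    prompt) are attenuated; tokens it ranks high (safety disclaimers) are
    amplified.  A negative reweighted mass is clipped to 0, so the
    attenuated token is never sampled.
    """
    vocab = set(base) | set(expert)
    candidates = top_k(base, k) & top_k(expert, k)
    # Edge case: if the two models disagree completely, the intersection is
    # empty.  Widen k until we have something to sample from.
    while len(candidates) < min_common and k < len(vocab):
        k += 1
        candidates = top_k(base, k) & top_k(expert, k)
    if not candidates:
        raise ValueError("no shared candidate tokens")
    raw = {t: max(0.0, base.get(t, 0.0) + alpha * (expert.get(t, 0.0) - base.get(t, 0.0)))
           for t in candidates}
    total = sum(raw.values())
    if total == 0.0:  # alpha pushed every candidate to zero; fall back to expert
        raw = {t: expert.get(t, 0.0) for t in candidates}
        total = sum(raw.values()) or 1.0
    return {t: p / total for t, p in raw.items()}


# Constructed sample distributions (not measured from any real model).
# Under a jailbreak-style prompt the base model favours a compliant opener,
# but disclaimer tokens ("I", "Sorry") are still inside its top 4.
JAILBREAK_BASE = {"Sure": 0.55, "Here": 0.20, "I": 0.12, "Sorry": 0.08, "As": 0.05}
JAILBREAK_EXPERT = {"I": 0.60, "Sorry": 0.30, "As": 0.07, "Sure": 0.02, "Here": 0.01}

# For a benign coding request both models largely agree, so the reweighted
# distribution should keep the same greedy choice (helpfulness preserved).
BENIGN_BASE = {"def": 0.50, "import": 0.30, "#": 0.10, "I": 0.06, "Sorry": 0.04}
BENIGN_EXPERT = {"def": 0.48, "import": 0.32, "#": 0.12, "I": 0.05, "Sorry": 0.03}


def demo() -> dict[str, str]:
    """Greedy token before/after reweighting for both scenarios."""
    return {
        "jailbreak_before": argmax(JAILBREAK_BASE),
        "jailbreak_after": argmax(safety_aware_step(JAILBREAK_BASE, JAILBREAK_EXPERT)),
        "benign_before": argmax(BENIGN_BASE),
        "benign_after": argmax(safety_aware_step(BENIGN_BASE, BENIGN_EXPERT)),
    }


if __name__ == "__main__":
    for name, tok in demo().items():
        print(f"{name:17s} -> {tok!r}")
```

With the constructed numbers, the greedy token under the jailbreak prompt moves from "Sure" to "I" (the start of a refusal) while "Sure" is driven to zero mass, and the benign distribution keeps "def" as its top token. In a real decoder this step would be applied to the first few generated tokens only, since the abstract's observation concerns the disclaimer appearing near the start of the response; how many tokens, and the values of alpha and k, are tuning choices outside what this toy shows.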