Guardrail models are essential for ensuring the safety of Large Language Model (LLM) deployments, but processing full multi-turn conversation histories incurs significant computational cost. We propose Defensive M2S, a training paradigm that fine-tunes guardrail models on Multi-turn to Single-turn (M2S) compressed conversations rather than complete dialogue histories. We provide a formal complexity analysis showing that M2S reduces training cost from $O(n^2)$ to $O(n)$ for $n$-turn conversations. Empirically, on our training dataset (779 samples, avg. 10.6 turns), M2S requires only 169K tokens compared to 15.7M tokens for the multi-turn baseline -- a 93$\times$ reduction. We evaluate Defensive M2S across three guardrail model families (LlamaGuard, Nemotron, Qwen3Guard) and three compression templates (hyphenize, numberize, pythonize) on SafeDialBench, a comprehensive multi-turn jailbreak benchmark. Our best configuration, Qwen3Guard with hyphenize compression, achieves 93.8% attack detection recall while reducing inference tokens by 94.6% (from 3,231 to 173 tokens per conversation). This represents a 38.9 percentage point improvement over the baseline while dramatically reducing both training and inference costs. Our findings demonstrate that M2S compression can serve as an effective efficiency technique for guardrail deployment, enabling scalable safety screening of long multi-turn conversations.

翻译：护栏模型对于确保大型语言模型（LLM）部署的安全性至关重要，但处理完整的多轮对话历史会产生显著的计算成本。我们提出防御性M2S，这是一种在压缩后的多轮转单轮（M2S）对话而非完整对话历史上微调护栏模型的训练范式。我们提供了形式化的复杂度分析，表明对于n轮对话，M2S将训练成本从$O(n^2)$降低至$O(n)$。实证结果表明，在我们的训练数据集（779个样本，平均10.6轮）上，M2S仅需169K个令牌，而多轮基线需要15.7M个令牌——减少了93倍。我们在SafeDialBench（一个全面的多轮越狱基准测试）上，评估了防御性M2S在三种护栏模型系列（LlamaGuard、Nemotron、Qwen3Guard）和三种压缩模板（连字符化、数字化、Python化）上的表现。我们的最佳配置——采用连字符化压缩的Qwen3Guard——实现了93.8%的攻击检测召回率，同时将推理令牌数减少了94.6%（从每轮对话3,231个令牌降至173个令牌）。这相较于基线提升了38.9个百分点，同时大幅降低了训练和推理成本。我们的研究结果表明，M2S压缩可以作为一种有效的护栏部署效率技术，实现对长多轮对话的可扩展安全筛查。