The widespread adoption of Large Language Models (LLMs), exemplified by OpenAI's ChatGPT, brings to the forefront the imperative to defend against adversarial threats on these models. These attacks, which manipulate an LLM's output by introducing malicious inputs, undermine the model's integrity and the trust users place in its outputs. In response to this challenge, our paper presents an innovative defensive strategy, given white box access to an LLM, that harnesses residual activation analysis between transformer layers of the LLM. We apply a novel methodology for analyzing distinctive activation patterns in the residual streams for attack prompt classification. We curate multiple datasets to demonstrate how this method of classification has high accuracy across multiple types of attack scenarios, including our newly-created attack dataset. Furthermore, we enhance the model's resilience by integrating safety fine-tuning techniques for LLMs in order to measure its effect on our capability to detect attacks. The results underscore the effectiveness of our approach in enhancing the detection and mitigation of adversarial inputs, advancing the security framework within which LLMs operate.

翻译：以OpenAI的ChatGPT为代表的大型语言模型（LLMs）的广泛应用，凸显了防御针对这些模型的对抗性威胁的紧迫性。此类攻击通过注入恶意输入来操纵LLM的输出，损害模型的完整性及用户对其输出结果的信任。为应对这一挑战，本文提出一种创新的防御策略：在拥有LLM白盒访问权限的前提下，利用模型Transformer层间的残差激活分析技术。我们采用一种新颖的方法来分析残差流中的特征激活模式，以实现攻击提示的分类。我们构建了多个数据集，证明该分类方法在多种攻击场景（包括我们新创建的攻击数据集）中均具有高准确率。此外，我们通过集成LLM安全微调技术来增强模型的鲁棒性，并评估其对攻击检测能力的影响。实验结果证实了本方法在提升对抗性输入检测与缓解方面的有效性，推动了LLM运行安全框架的进一步发展。