Large language models remain vulnerable to jailbreak attacks, and single-layer defenses often trade security for usability. We present TRYLOCK, the first defense-in-depth architecture that combines four heterogeneous mechanisms across the inference stack: weight-level safety alignment via DPO, activation-level control via Representation Engineering (RepE) steering, adaptive steering strength selected by a lightweight sidecar classifier, and input canonicalization to neutralize encoding-based bypasses. On Mistral-7B-Instruct evaluated against a 249-prompt attack set spanning five attack families, TRYLOCK achieves 88.0% relative ASR reduction (46.5% to 5.6%), with each layer contributing unique coverage: RepE blocks 36% of attacks that bypass DPO alone, while canonicalization catches 14% of encoding attacks that evade both. We discover a non-monotonic steering phenomenon -- intermediate strength (alpha=1.0) degrades safety below baseline -- and provide mechanistic hypotheses explaining RepE-DPO interference. The adaptive sidecar reduces over-refusal from 60% to 48% while maintaining identical attack defense, demonstrating that security and usability need not be mutually exclusive. We release all components -- trained adapters, steering vectors, sidecar classifier, preference pairs, and complete evaluation methodology -- enabling full reproducibility.

翻译：大语言模型仍易受越狱攻击，单层防御往往以牺牲可用性换取安全性。我们提出了TRYLOCK，首个在推理栈中融合四种异构机制的纵深防御架构：通过DPO实现权重级安全对齐、通过表征工程（RepE）导向实现激活级控制、由轻量级旁路分类器选择的自适应导向强度，以及用于中和基于编码的绕过攻击的输入规范化。在Mistral-7B-Instruct模型上，针对涵盖五个攻击家族的249条攻击提示集进行评估，TRYLOCK实现了88.0%的相对攻击成功率降低（从46.5%降至5.6%），各防御层贡献了独特的覆盖范围：RepE阻断了36%单独绕过DPO的攻击，而规范化捕获了14%同时规避两者的编码攻击。我们发现了一种非单调的导向现象——中等强度（alpha=1.0）会使安全性降至基线以下——并提出了解释RepE与DPO相互干扰的机制假说。自适应旁路分类器将过度拒绝率从60%降低至48%，同时保持相同的攻击防御能力，证明安全性与可用性并非互斥。我们开源了所有组件——训练好的适配器、导向向量、旁路分类器、偏好对及完整的评估方法——以确保完全的可复现性。