Diffusion large language models (dLLMs) enable any-order generation, but this flexibility enlarges the attack surface: harmful spans may appear at arbitrary positions, and template-based prefilling attacks such as DIJA bypass response-level refusals. We introduce A2D (Any-Order, Any-Step Defense), a token-level alignment method that aligns dLLMs to emit an [EOS] refusal signal whenever harmful content arises. By aligning safety directly at the token-level under randomized masking, A2D achieves robustness to both any-decoding-order and any-step prefilling attacks under various conditions. It also enables real-time monitoring: dLLMs may begin a response but automatically terminate if unsafe continuation emerges. On safety benchmarks, A2D consistently prevents the generation of harmful outputs, slashing DIJA success rates from over 80% to near-zero (1.3% on LLaDA-8B-Instruct, 0.0% on Dream-v0-Instruct-7B), and thresholded [EOS] probabilities allow early rejection, yielding up to 19.3x faster safe termination.
翻译:扩散大语言模型(dLLMs)支持任意顺序生成,但这种灵活性扩大了攻击面:有害内容可能出现在任意位置,且基于模板的预填充攻击(如DIJA)可绕过响应级拒绝机制。本文提出A2D(任意顺序、任意步骤防御),一种在词元级别进行对齐的方法,使dLLMs在检测到有害内容时立即发出[EOS]拒绝信号。通过在随机掩码条件下直接在词元级别进行安全对齐,A2D实现了对任意解码顺序和任意步骤预填充攻击的鲁棒性。该方法还支持实时监控:dLLMs可开始生成响应,但若后续出现不安全内容将自动终止生成。在安全基准测试中,A2D持续阻止有害输出生成,将DIJA攻击成功率从超过80%降至接近零(LLaDA-8B-Instruct模型降至1.3%,Dream-v0-Instruct-7B模型降至0.0%),且通过设定[EOS]概率阈值可实现早期拒绝,使安全终止速度提升最高达19.3倍。