1 Introduction↩︎

Large Language Models (LLMs) have brought transformative advances across a wide range of domains, showcasing strong capabilities in natural language understanding, generation, and reasoning [1]–[4]. As their influence continues to grow, LLMs are poised to reshape everything from scientific research to everyday applications. However, their rapid adoption also raises pressing safety and ethical concerns [5], [6].

Despite considerable progress through techniques such as reinforcement learning from human feedback (RLHF) [7], [8], LLMs can still produce biased, offensive, or even harmful content. These failures not only pose real-world risks but also erode public trust in the technology, raising doubts about its readiness for deployment in safety-critical scenarios.

Among the many emerging threats, jailbreak attacks pose a particularly serious risk. These attacks are diverse and constantly evolving, ranging from gradient-based prompt optimization methods [9] and advanced prompt engineering techniques [10] to structural exploits targeting conversation templates [11]. In response, a variety of defense strategies have been proposed, including heuristic input filtering and paraphrase-based anomaly detection [12] among others. However, many of the early approaches, such as rule-based filters and static check-ups, struggle to withstand novel jailbreak variants such as SQL Injection Jailbreak [13]. Conversely, more recent methods often introduce other drawbacks: for example, techniques like SafeDecoding, which adjust output probabilities to enforce safety, frequently prepend refusals (e.g., “I’m sorry…") even when a response is benign, thus harming user experience [14]. More critically, these methods can exhibit a”deceptive refusal" behavior: the model begins its response with a standard refusal phrase but then generates the requested harmful content. This failure mode reveals a key limitation of common evaluation metrics like Attack Success Rate (ASR), which often rely on prefix matching and may misclassify deceptive refusals as successful defenses, thus overstating the model’s safety performance [15], [16]. Other advanced defenses, though more robust against sophisticated exploits, tend to incur significant latency or degrade overall model utility [17], [18]. This persistent trade-off between safety and usability underscores the urgent need for a defense mechanism that offers robust, adaptive protection without compromising real‐world deployability. Fundamentally, these approaches treat the LLM as an unpredictable black box. They apply external patches such as input filters, output scrubbers, or altered decoding mechanisms, instead of engaging with the model’s internal reasoning process.

To address these limitations, we introduce Self-Activating Internal Defense (SAID), a training-free framework that repositions the defense process as a model-internal activation task. Inspired by recent findings that LLM behaviors are highly sensitive to prompt framing, we hypothesize that LLMs possess latent safety dispositions that can be systematically triggered through careful input design. Rather than treating defense as an external imposition (e.g., fine-tuned filters or decoders), SAID turns the model’s own generative logic into a proactive defense agent. As qualitatively illustrated in Fig. 1 with an example using the DeepInception attack, SAID successfully prevents the generation of harmful content, in stark contrast to other methods like Retokenization [12] and SafeDecoding [14] which fail to mitigate the malicious prompt. The framework operates through a three-stage pipeline that leverages the model’s own reasoning ability as an internal safeguard. First, it performs Model-Native Intent Distillation, extracting the essential user intents from potentially obfuscated or adversarial inputs. Next, it applies an empirically optimized Optimal Safety Probe Prefix to probe these distilled intents, a process we term prefix-based causal profiling, which effectively activates the model’s latent safety features. Finally, a Conservative Aggregation strategy integrates multiple probing outcomes to make a final safety judgment, refusing the request if any component is flagged as unsafe.

In summary, our contributions are threefold:

• To the best of our knowledge, we are the first to introduce Self-Activating Internal Defense (SAID), a novel training-free framework that empowers LLMs to harness their intrinsic reasoning for proactive jailbreak defense, via a streamlined three-stage pipeline of intent distillation, safety probing, and conservative aggregation.

• We pioneer Prefix-based Causal Probing, the first lightweight intervention method that systematically probes and influences a model’s safety behavior through targeted prefix manipulation, enabling robust detection of malicious intents without compromising core model functionality.

• Through experiments on five open-source LLMs against six state-of-the-art jailbreak attacks, we demonstrate that SAID achieves superior robustness. SAID outperforms existing defenses while preserving high utility on benign tasks and adding negligible computational overhead.

2 Related Work↩︎

We briefly review recent research on jailbreak attacks and defenses for Large Language Models.

Jailbreak Attacks on LLMs Jailbreak attacks seek to bypass safety mechanisms in Large Language Models to generate harmful content. These attacks can be grouped into three main categories: optimization-based, prompt manipulation, and template exploitation approaches. Optimization-based attacks, such as GCG [9], PAIR [19], and JAILMINE [20], use gradient-based optimization or iterative refinement to craft adversarial prompts that bypass safety mechanisms. Prompt manipulation attacks include AutoDAN [10], which iteratively refines prompts, and FlipAttack [21], which disguises harmful instructions with self-derived noise and often succeeds with a single query. DRA [22] encodes malicious instructions via puzzles or word-splitting, prompting LLMs to reconstruct and execute harmful content, while ArtPrompt [23] uses ASCII art to mask sensitive words and bypass detection. Template exploitation attacks, like SQL Injection Jailbreak (SIJ) [13], inject malicious content into user inputs to exploit prompt construction vulnerabilities, and ChatBug [11] targets rigid chat template formats to circumvent safety mechanisms. These diverse strategies highlight the evolving sophistication of jailbreak attacks and the ongoing challenge of defending LLMs.

Existing Defenses Defenses against jailbreak attacks have attracted significant attention and can be broadly categorized into three types. First, input processing defenses include Perplexity-Based Detection [24], which flags anomalous inputs via model uncertainty. Essence-Driven Defense Framework (EDDF) [25] leverages a database to identify malicious queries. However, these methods may struggle with false positives or database maintenance. Second, model‑internal defenses include SafeDecoding [14], which adjusts token probabilities to promote safer outputs; Intention Analysis (IA) [17], which employs a two‑stage process for safety alignment; LightDefense [26], which adapts defense strength based on input harmfulness; and Single Pass Detection (SPD) [27], which identifies jailbreak prompts in a single forward pass via logits. These approaches require model-specific access, limiting generalizability. Third, output-level defenses like Feature-aware Malicious Mitigation (FMM) [28] monitor internal representations during the decoding process and trigger refusal if malicious features are detected, effectively filtering harmful outputs in real time. Another example is Self-Guard [29], which enhances LLMs’ ability to assess and filter harmful content in their responses through a two-stage process, balancing safety but introducing computational overhead.

While existing defenses can effectively mitigate certain jailbreak attacks, their performance often degrades as attack strategies evolve rapidly. Moreover, some methods exhibit strong defensive capabilities only on specific models, losing effectiveness or significantly compromising model utility when applied to others. In contrast, our approach leverages the intrinsic capabilities of the model to robustly defend against potentially harmful inputs, offering a more adaptive and versatile solution.

3 Methodology↩︎

In this section, we first formalize the jailbreak defense problem. Next, we introduce the details of our proposed solution, the Self-Activating Internal Defense framework. Finally, we describe the architectural components and theoretical foundations of each stage within the SAID pipeline.

3.1 Defense Objectives↩︎

Large Language Models are designed to follow safety policies by refusing prompts with harmful intents. However, jailbreak attacks craft adversarial prompts that appear benign or obfuscated, exploiting weaknesses in intents detection to induce harmful outputs.

Defensive strategies typically wrap around the base model to decide whether to generate a response or block it. Designing such defenses requires balancing several often-conflicting objectives. In our study, we focus on three core criteria:

• Robustness: Resist diverse and adaptive jailbreak strategies.

• Utility Preservation: Avoid false positives and maintain performance on benign prompts.

• Time Efficiency: Introduce minimal latency for real-time interaction.

3.2 Self-Activating Internal Defense↩︎

To address the above challenges, we propose the Self-Activating Internal Defense (SAID) framework. Unlike ABD [30], which directly penalizes unsafe activations via layer-specific interventions, SAID leverages the model’s own reasoning to self-assess input intents and safety without additional training or architectural changes. It first distills the input into core intents, then probes them with optimized prefixes to stimulate latent safety awareness. SAID thus shifts defense from external enforcement to internal, systematic activation of the model’s safety boundaries.

As illustrated in Fig.2, SAID comprises three interpretable modules: intent distillation, safety probing, and conservative aggregation. The first phase deconstructs the user’s prompt into core semantic elements, using the model’s own understanding to bypass adversarial interference. The second phase probes the model’s responses to these refined components via an optimized “safety probe prefix" that strategically elicits safety-relevant behaviors. Finally, SAID consolidates the results using a risk-minimization strategy that flags an input as harmful if any component is deemed unsafe, ensuring robust protection against multi-faceted threats.

3.2.1 Model-Native Intent Distillation↩︎

The initial stage of SAID tackles the challenge of intent obfuscation. As LLMs become more robust, they can resist simple harmful inputs [31], prompting jailbreak attacks to adopt techniques like context expansion, prompt obfuscation, and format transformation [21], [23], [32], [33]. These strategies conceal adversarial intents to elicit unsafe outputs. To counter this, we prompt the model to act as its own summarizer and reasoner. Given a user input \(P_{\text{user}} \in \mathbb{R}^{T}\), we prepend a distillation meta-prompt \(\Pi_{\text{distill}} \in \mathbb{R}^{T'}\), guiding the model to extract core semantic components. This yields a distilled intent set \(\mathcal{S} = \{s_1, s_2, \dots, s_k\}\), where each \(s_i \in \mathbb{R}^{t_i}\) represents a concise intent.

This process is adaptive to input length. For longer inputs that may obfuscate the model’s focus, we employ a hierarchical distillation strategy inspired by the common “introduction-body-conclusion” structure of text. The input is segmented (e.g., into beginning, middle, and end sections), distilled individually, and then aggregated. To enhance the model’s understanding, we explicitly add a task-relevant prefix and suffix around each input segment, inspired by the fill-in-the-middle (FIM) prompting strategy [34]. Formally, we define the distilled intent set as follows: \[\mathcal{S} = \begin{cases} \text{Extract}(M(\Psi)) & \text{if } |P_{\text{user}}| \le L_{\text{max}} \\ \bigcup_{i=1}^N \text{Extract}(M(\Psi^{(i)})) & \text{if } |P_{\text{user}}| > L_{\text{max}}\text{.} \end{cases}\]

Here, \(M\) denotes the target large language model used for intent extraction, and \(\Psi\) is the complete input prompt constructed from the user text \(P_{\text{user}}\), a system prompt for task framing, and contextual instructions for intent extraction. For inputs longer than a threshold \(L_{\text{max}}\), the prompt is segmented in proportion to the importance of its content, with \(\text{Extract}(M(\Psi^{(i)}))\) denoting the intents distilled from the \(i\)-th segment. The final set \(\mathcal{S}\) is the union of intents from all segments.

3.2.2 Safety Activation via Optimal Prefix Probing↩︎

This stage serves as a pivotal link in the SAID framework, enabling the model to surface its internal safety alignment through a controlled intervention. We posit that a prefix can act as an instrumental variable to shift the model’s latent state from “utility-focused” to “safety-aligned” without altering the core intents. For each core intent \(s_i \in \mathbb{R}^{t_i}\), we prepend an optimal safety prefix \(\pi^* \in \mathbb{R}^{|\pi^*|}\) to construct a probed input \(p_{\text{probe}, i} \in \mathbb{R}^{t_i + |\pi^*|}\): \[p_{\text{probe}, i} = \pi^* \oplus s_i\text{.}\]

The optimal \(\pi^*\) is identified through a structured empirical search. We first define conceptual prefix categories (e.g., Intention-guided, Role-based), seed them with handcrafted examples, and use few-shot prompting to generate a candidate pool \(\Pi\). Each candidate is evaluated on a held-out dataset to select \(\pi^*\) that maximizes safety compliance while preserving utility on benign prompts. With \(\pi^*\) identified, each probe is then fed back into the target LLM, \(M\), to elicit a response, \(y_i = M(p_{\text{probe}, i})\). The safety of the original intent \(s_i\) is judged based on the model’s reaction to its probed version. To assess prefix impacts, we analyzed KL divergence relative to the original distribution, revealing that specific prefixes significantly influence the model’s output safety performance. As shown in Fig. 3, prefixes with KL below 0.6 exhibit stable safety compliance, while those with KL above 0.6 show variable compliance, with some enhancing safety boundaries and others potentially degrading them.

We measure the effect of this intervention using the Safety Compliance Probability, \(S(x) \in [0, 1]\), which is the total probability mass the model assigns to the set of all safe refusal sequences, denoted as \(\mathcal{Y}_{\text{safe}} \subset \mathcal{Y}\), as follows: \[S(x) = \sum_{y \in \mathcal{Y}_{\text{safe}}} P(y|x)\text{.}\]

Our central hypothesis is that a well-chosen prefix \(\pi\) can significantly increase this probability for a harmful prompt \(p_{\text{harm}}\), such that \(S(\pi \oplus p_{\text{harm}}) \gg S(p_{\text{harm}})\). The goal of our probing is to identify a class of prefixes \(\Pi^*\) that robustly achieve this effect without degrading the model’s utility \(U\) on benign prompts \(p_{\text{benign}}\). This can be framed as a constrained optimization problem: \[\begin{align} \Pi^* = \arg\max_{\pi \in \Pi} & \mathbb{E}_{p_{\text{harm}} \sim \mathcal{D}_{\text{harm}}}[S(\pi \oplus p_{\text{harm}})] \\ & \text{s.t.} \quad \mathbb{E}_{p_{\text{benign}} \sim \mathcal{D}_{\text{benign}}}[U(\pi \oplus p_{\text{benign}})] \ge \tau\end{align}\]

Here, \(\Pi\) is the space of candidate prefixes, each \(\pi \in \mathbb{R}^{l_\pi}\), \(\mathcal{D}_{\text{harm}}\) and \(\mathcal{D}_{\text{benign}}\) are distributions over prompts (\(p_{\text{harm}}, p_{\text{benign}} \in \mathbb{R}^{T}\)), and \(\tau \in \mathbb{R}\) is a scalar utility threshold.

3.2.3 Conservative Aggregation and Final Decision↩︎

The final stage of SAID uses a conservative aggregation strategy based on risk minimization. Since false negatives, where harmful prompts pass undetected, are costly, SAID refuses an input if any probe triggers a refusal-style response. This is formalized as: \[D = \bigvee_{i=1}^{k} \text{IsRefusal}(M(\pi^* \oplus s_i))\text{.}\]

Here, \(k\) is the number of distilled intents, \(s_i\) is the \(i\)-th intent, \(\pi^*\) is the optimal prefix, and \(M\) is the target model. The \(\text{IsRefusal}(\cdot)\) function is a binary classifier that determines whether the model’s output matches an entry in a pre-compiled, model-specific corpus of refusal patterns. This corpus is constructed through a refusal-oriented search that extends Dic-Judge Keywords [14], where we initialize a candidate pool with its Refusal String Keywords and iteratively enrich it via cross-model querying, in which one model generates prompts designed to maximize another model’s refusal responses under varying refusal strengths. This “act-on-any” aggregation ensures that the entire input is rejected as soon as any single distilled intent triggers a refusal, providing robust protection against complex jailbreaks with multiple concealed intents. The overall procedure is summarized in Algorithm 6 in the Appendix.

4 Experiments↩︎

4.1 Experimental Setup↩︎

4.1.1 Models↩︎

To evaluate our method, we utilized five diverse open-source LLMs: Vicuna-7B-v1.5 [35], Llama2-7B-chat [36], Guanaco-13B [37], Vicuna-13B-v1.5 and Llama-3-8B-Instruct [38]. This selection allows for robust validation across diverse model variants, including different parameter scales and alignment approaches.

4.1.2 Jailbreak and Defense Baselines↩︎

We consider six representative jailbreak methods categorized by core mechanisms. Optimization-based approaches include GCG [9], using gradient-guided prompt shaping; AutoDAN [10], employing genetic algorithms; and PAIR [19], an interaction-driven method leveraging an attacker LLM. Prompt manipulation methods include DeepInception [33], embedding malicious intents via nested scenarios, and SAP30 [39], refining prompts through token edits. For template exploitation, we consider SIJ [13], which mimics SQL injection-style parsing flaws.

Defense baselines span input and output levels. Input-level defenses include Paraphrase and Retokenization [12], which restructure prompts to disrupt adversarial patterns, and ICD [40], which modifies inputs for alignment. Output-level methods include PPL [24] and Self-Examination [41], which validate model responses, and Intention Analysis (IA) [17], which checks safety consistency. SafeDecoding [14] further enhances robustness by adjusting output probabilities via a fine-tuned module. Further details are provided in Appendix 6.

4.1.3 Datasets and Evaluation Metrics↩︎

To evaluate our prefix-based defense, we construct a comprehensive suite centered on Prefix-Probe-600, a benchmark of 600 prompts evenly split into harmful (from AdvBench [9]) and benign instructions (generated via GPT from daily language seeds), which enables precise assessment of safety and utility. We report two key metrics: Defense Success (DS) for correctly rejecting harmful prompts, and Normal Task Success (NTS) for preserving benign completions (definitions in Appendix 7). Judgments are made by a GPT-based evaluator using rubric-guided chain-of-thought prompts.

To capture nuanced safety levels, we also use the Harmful Score [42], estimated by GPT-Judge with a calibrated evaluation template. General capabilities are assessed using Just-Eval [43],000 a benchmark of 800 prompts across five axes: Helpfulness, Clarity, Factuality, Depth, and Engagement, judged by GPT-4.1-Mini.

To evaluate the efficiency of SAID and baseline defenses, we utilize the Average Token Generation Time Ratio (ATGR) [14], which is formally defined as: \[\text{ATGR} = \frac{\text{Avg. token gen. time w/ defense}}{\text{Avg. token gen. time w/o defense}},\] This metric is particularly suitable for comparing defenses that may produce varying output token lengths, as it normalizes the latency by benchmarking each defense’s average token generation time against the undefended model. Further analysis are provided in Appendix 7.3.

4.1.4 Implementation Details↩︎

To ensure robust evaluation, we adopted greedy decoding for all generations. We curated 16 diverse prefixes across various categories and selected the optimal one per model via testing on Prefix-Probe-600. We set the maximum input length \(L_{\text{max}}\) to 500 tokens to facilitate hierarchical distillation for longer inputs. Detailed configurations are available in the Appendix 8.

4.2 Experiment Results↩︎

4.2.1 Safety Performance Comparison↩︎

SAID’s robustness was evaluated against a wide range of jailbreak attacks. Table 1 shows that SAID consistently achieves superior defense performance across Vicuna-7B, Llama2-7B, and Guanaco, outperforming all baseline methods under the same attack settings. It attains the lowest average harmful scores of 1.05, 1.03, and 1.27, respectively, with corresponding safety improvements of 76%, 34%, and 69%. Notably, SAID maintains robust defense efficacy exceeding 70% on the more vulnerable Vicuna-7B and Guanaco models, underscoring its sustained performance across multiple instruction-tuned model variants.

Competing defenses show inconsistent effectiveness. For example, PPL offers no improvement on Vicuna-7B under AutoDAN (0%), and SafeDecoding yields a high harmful score of 3.58 under SIJ. By contrast, SAID demonstrates consistently strong robustness across all attacks and models, including those with already high baseline safety.

4.2.2 Utility and Efficiency Comparison↩︎

Table 2 reports the Just-Eval results across five utility dimensions, along with the ATGR efficiency metric, under various defense strategies. The results show that our method consistently preserves strong utility. On Vicuna-7B and Llama2-7B, the average performance drop is below 1%, indicating minimal impact on utility. Among all defenses, our method ranks as the best in preserving output quality.

However, on the Guanaco model, all defenses exhibit a noticeable drop in utility. This may stem from the semantic similarity between Guanaco’s safe and unsafe outputs. Such overlap leads to frequent misclassifications of benign responses as harmful. As a result, applying any defense strategy significantly degrades Guanaco’s overall performance.

In terms of efficiency, ATGR serves as a fairer metric than raw output time per query. For example, overly defensive methods often produce shorter outputs and thus appear faster. This is illustrated by the PPL model on Llama2, where its low ATGR of 0.9 results from frequent simple rejections due to over-defensive behavior. Therefore, utility and ATGR should be considered jointly for comprehensive evaluation. Across Vicuna-7B, Llama2-7B, and Guanaco, SAID consistently achieves lower and more stable latency overhead while preserving utility. This result highlights SAID’s superior trade-off between defense efficacy and the computational efficiency required for practical deployment.

4.2.3 Analysis of Prefix Variants↩︎

Fig. 4 illustrates the pivotal role of prefix design in balancing safety and utility. The short, neutral prefix “Can I” yields high DS (0.953) and NTS (0.990), demonstrating effective safety activation with minimal utility loss. In contrast, increasing verbosity significantly weakens defense: extending “Can I" to”Could you explain..." drops DS to 0.398, suggesting that excessive linguistic complexity may obscure harmful intents and undermine safety activation, much like adversarial obfuscation. Similarly, task-irrelevant contextualization harms utility. The emotionally based prefix “I’m a bit sad today..." lowers NTS to 0.763, likely due to contextual drift that distracts the model from the user’s core instruction. These findings reinforce our key insight: effective prefixes should be concise and semantically neutral to reliably activate safety mechanisms without compromising benign task performance.

4.2.4 Ablation Study↩︎

To understand the contribution of each SAID component, we performed an ablation study on the Guanaco model under three challenging jailbreak attacks: DeepInception, SAP30, and SIJ. As shown in Fig. 5 (a), we incrementally activated key defense stages: core intents extraction (Stage 1), chunk-based hierarchical distillation (Stage 2), and optimal prefix injection (Stage 3). The no-defense baseline yields high harmful scores across all attacks. Stage 1 significantly reduces harmful scores for SAP30 and SIJ, while DeepInception remains challenging due to its long-context structure. Stage 2 further improves detection and discrimination of malicious content. Finally, Stage 3 reduces DeepInception’s harmful score to below 2.0, with SAP30 and SIJ approaching 1.0. This robust, component-wise improvement was consistent across our ablation tests. On Vicuna-7B, for example, the same DeepInception attack saw its harmful score fall from 3.68 to 1.0 as the stages of SAID were applied.

Fig. 5 (b) shows our ablation experiment on hierarchical distillation. We evaluated hierarchical distillation on Vicuna-7B and Guanaco and found it enhances safety, especially under long-text DeepInception attacks. This aligns with the original motivation behind our design.

4.2.5 Extended Evaluation on Robustness and Generality↩︎

To further assess the robustness and generality of SAID, we conducted several additional experiments, with detailed results provided in Appendix [appendix:more-results]. On the larger Vicuna-13B model, SAID achieved an average harmful score of 1.03 and a Just-Eval score of 3.974, closely matching the utility of the undefended model (4.007) while significantly outperforming all baselines in safety. We also compared SAID to Intention Analysis (IA), a recent strong defense, and found that SAID consistently offered better safety–utility trade-offs and lower latency. For instance, on Vicuna-7B, SAID reduced ATGR from 2.21 (IA) to 1.32 while improving the Just-Eval score from 3.334 to 3.758. Finally, we stress-tested SAID on the Llama3 model against a suite of aggressive attacks, with a particular focus on SIJ. These comprehensive experiments collectively demonstrate that SAID is a scalable, effective, and resilient defense method.

5 Conclusion↩︎

In this paper, we introduced Self-Activating Internal Defense (SAID), a training-free framework that shifts the LLM safety paradigm from external correction to internal activation. By prompting the model to introspect its distilled user intents via optimized prefix probes, SAID leverages the model’s own alignment signals to counter adversarial prompts. Empirical results show that SAID achieves state-of-the-art performance, significantly reducing harmfulness scores across six challenging jailbreak attacks on diverse LLM variants. Crucially, this is accomplished with minimal computational overhead and without compromising performance on benign tasks, addressing the safety-utility-efficiency trade-off. Our findings suggest that internal activation offers a more robust and scalable alternative to external filtering-based defenses. SAID opens a promising direction for building LLMs that can autonomously monitor and enforce their own safety boundaries.

Appendix Overview↩︎

We provide an overview of the Appendix below:

• Appendix 6: Supplementary Details on Experimental Setup. Descriptions of the jailbreak attack methods (GCG, AutoDAN, PAIR, DeepInception, SAP30, SIJ) and baseline defenses used in our experiments.

• Appendix 7: Definitions of Evaluation Metrics. Formal definitions of DS, NTS, and ATGR metrics, including the evaluation prompts.

• Appendix 8: Additional Implementation Details. Extended description of the SAID framework, intent extraction strategy, prefix–suffix design, and token limit considerations.

• Appendix [appendix:more-results]: More Experimental Results.

  • Analysis of Prefix Variant Performance on Guanaco.

  • Results on LLaMA3 model under four attacks.

  • Extended Prefix Analysis on Vicuna-7B and LLaMA2-7B.

  • Comparison with IA and discussion on generalization.

  • Results on Vicuna-13B.

• Appendix 10: Further Discussion. KL divergence analysis showing how prefixes influence safety–utility balance.

• Appendix 11: Detailed Output Records . This section provides illustrative examples that highlight the effectiveness of our defense compared to alternative methods under diverse attack scenarios.

6 Supplementary Details on Experimental Setup↩︎

6.1 Jailbreak Methods↩︎

GCG [9] GCG is a gradient-based white-box jailbreak method that iteratively optimizes an adversarial suffix appended to the user prompt. It selects token replacements using coordinate-wise gradients and a greedy search strategy. Despite producing incoherent suffixes, it achieves high transferability and remains a strong baseline.

AutoDAN [10] AutoDAN employs a genetic algorithm to evolve jailbreak prompts automatically. It starts with handcrafted seeds and iteratively applies mutations and crossovers, using a fitness score based on attack success and fluency. The result is highly stealthy and transferable prompts without manual effort.

PAIR [19] PAIR is a black-box method that uses an auxiliary model to iteratively refine jailbreak prompts. At each step, multiple candidates are generated and scored for effectiveness. This loop continues until a successful and stealthy prompt is found.

DeepInception [33] DeepInception builds nested role-play prompts to guide the model into generating harmful content. By simulating layered reasoning or “agents,” it gradually bypasses alignment filters. It works well in black-box settings with no gradient access.

SAP30 [39] SAP is an iterative red-teaming framework that combines manual prompt curation with LLM-driven in-context learning to generate a large volume of high-quality adversarial prompts. This process creates a semi-automated attack prompt (SAP) dataset across eight sensitive topics, designed to elicit harmful LLM content.

SIJ [13] The SQL Injection Jailbreak (SIJ) method exploits a structural vulnerability in how Large Language Models (LLMs) construct input prompts. It achieves this by “commenting out" the LLM’s original assistant prefix within the user prompt and inserting a new, attacker-controlled prefix. This manipulation allows the attacker to append malicious content that the LLM then perceives as a legitimate continuation of its own response.

6.2 Defense Methods↩︎

Paraphrase. [12] This method paraphrases user inputs to eliminate adversarial perturbations while preserving semantic intent. It weakens jailbreak prompts by disrupting their precise trigger patterns. However, excessive rewriting may distort benign instructions.

Retokenization [12] Retokenization modifies the token segmentation of inputs to break jailbreak triggers that rely on specific token boundaries. It is a lightweight, training-free method that operates at the tokenizer level. Effectiveness varies across tokenization schemes and attack types.

ICD [40] Instructionally Consistent Decoding (ICD) steers the model toward safe responses by optimizing for instruction adherence during generation. It suppresses harmful completions without fine-tuning. However, it may reduce response diversity and increase decoding time.

PPL [24] This method uses perplexity-based scoring to detect and filter abnormal generations or adversarial prompts. It assumes that harmful or adversarial inputs yield higher perplexity under the target model. Its accuracy depends on threshold calibration and model sensitivity.

Self-Examination [41] This technique prompts the LLM to reflect on the safety and appropriateness of its own response before final output. It leverages the model’s internal knowledge to identify potential harmfulness. The defense is model-agnostic and training-free but may not always trigger accurate self-assessment.

IA [17] Intention Analysis (IA) is a two-stage inference-only defense strategy that enhances LLM safety against jailbreak attacks by analyzing user input intentions and generating policy-aligned responses.

SafeDecoding [14] SafeDecoding modifies the generation process to suppress unsafe tokens dynamically using token-level safety scores. It acts during decoding without needing model retraining. This method is efficient but may slightly degrade fluency if over-regularized.

7 Definitions of Evaluation Metrics↩︎

7.1 Defense Success (DS) Metric↩︎

The Defense Success (DS) metric measures the effectiveness of a large language model’s internal defense mechanisms in preventing harmful inputs from receiving responses. It is defined as the ratio of inputs that are successfully defended, where the model appropriately refuses to generate a response due to detected malicious intent, to the total number of harmful inputs evaluated. The evaluation formulation and prompt for DS are as follows. \[\mathop{\mathrm{DS}}= \frac{|\mathcal{S}_{\text{defended}}|}{|\mathcal{S}_{\text{defended}}| + |\mathcal{S}_{\text{undefended}}|}.\]

7.2 Normal Task Success (NTS) Metric↩︎

The Normal Task Success (NTS) metric assesses the model’s ability to maintain its general-purpose utility by correctly responding to non-harmful inputs. It is defined as the ratio of correctly processed non-harmful inputs, where the model generates accurate and appropriate responses to the total number of non‑harmful inputs tested. The evaluation formulation and prompt for NTS are as follows. \[\mathop{\mathrm{NTS}}= \frac{|\mathcal{B}_{\text{correct}}|}{|\mathcal{B}_{\text{correct}}| + |\mathcal{B}_{\text{incorrect}}|}.\]

7.3 Average Token Generation Time Ratio (ATGR)↩︎

Since the environment in which people normally use Large Language Models (LLMs) is more similar to that of general evaluation datasets such as Just-Eval, we have selected Just-Eval as the evaluation dataset for our experiments. As noted in the main text, even the Average Token Generation Time Ratio (ATGR) [14] cannot ensure a fully fair comparison when measuring the generation time of different models. For instance, models tend to take more time to generate complex tokens, whereas less time is consumed when producing refusal-related tokens like “sorry”.

We have also attempted to use the overall output time as an evaluation metric; however, this approach introduces significant biases. Specifically, the output time for refusal sentences is considerably shorter, whereas the output time for normal responses is noticeably longer. As a result, if a defense method exhibits a strong tendency to refuse answering questions, the corresponding model will appear to have a shorter average output time. Such a result is methodologically unreasonable, since we do not encourage excessive defensiveness in models, particularly when they are dealing with normal and non-malicious inputs.

Therefore, it is methodologically sound to compare the ATGR of different models based on general metrics such as the Just-Eval Score, as this framework mitigates the aforementioned biases and aligns with the goal of evaluating model efficiency in real-world usage scenarios.

8 Implementation Details↩︎

In this section, we provide a more detailed description of the implementation of the SAID framework. We begin with the component responsible for user intent extraction. Given that large language models inherently possess strong capabilities in summarizing and identifying key information from user inputs, we adopt a “sandwich-style” prompting strategy to further enhance this ability. Specifically, we prepend and append carefully designed prefixes and suffixes to both the system prompt and user input.

Although modifying the system prompt alone can leverage the model’s in-context learning ability to perform intent extraction to a certain extent, we observe that this often leads to overly verbose outputs. By introducing both prefix and suffix components, we impose additional constraints on the model’s generation behavior, encouraging more concise responses. This not only improves the precision of intent extraction but also enhances the overall runtime efficiency of SAID. The specific details can refer to the Intents Extraction Tool.

For each core intent augmented with its prefix, we submit it to the target model under a fixed output-length constraint. Since different models may emit rejection tokens at similar output positions, we conservatively impose a universal generation cap of 100 tokens. To further accelerate SAID, this token limit can be tailored per model. Moreover, because most models reliably assess the risk of very short inputs, we introduce an 80-character minimum sentence length for inspection to enhance SAID’s overall efficiency.

We then inspect each constrained output segment for any term appearing in the Harmful Word List. The entries in the Harmful Words List are drawn from prefixes used in Dic-Judge Keywords [14] as well as common lead‑ins frequently observed in model rejection responses. For more options of prefixes, iterations between large models can be utilized. For instance, a prompt can be used to make one model output sentences that cause other models to reject them to varying degrees; then, by having those other models provide rejection responses, more prefix content can be extracted from this process. If a match is detected, we interpret this as the model’s rejection of that segment: it is classified as a dangerous input and stored accordingly. Otherwise, the segment is deemed safe. Should any segment be classified as dangerous, the entire input is labeled dangerous and the model refuses to respond; if all segments pass, the model’s normal output is preserved. The overall algorithm flow of SAID is shown in the algorithm  6.

9 More Experimental Results↩︎

9.1 Analysis of Prefix Variant Performance↩︎

Following the introduction in the paper, we have divided prefixes into three categories for design. The purpose of selecting prefixes is to stimulate the internal safety performance of the model while ensuring its general performance as much as possible. It is worth noting that the model’s inability to produce high-quality responses for normal inputs may stem from its own limited capabilities, as illustrated in Example 1. Given that the generation process of Large Language Models (LLMs) is typically autoregressive, this leads to increasing confusion when the models generate numerical content. They often fail to accurately locate the position of the output terminator, resulting in low-quality generated content. This phenomenon is also observed in practical applications of models such as Gemini-2.5-flash. Based on the experimental results presented in the Fig. 7, we can derive several key insights into how different prefix-based probes affect the model’s balance between safety and utility. These observations underscore the principles guiding the selection of an optimal safety prefix (\(\pi^{*}\)) in the SAID framework.

Neutral Framing vs. Intentional Framing. A crucial observation is that concise and semantically neutral prefixes, such as “Can I", significantly outperform prefixes that carry a strong personal or instructional intent, like”Can you teach me to do this to others:". While the latter may appear to be a direct way to probe for safety, its explicit framing can bias the model’s interpretation of the user’s core intent, leading to a higher rate of incorrect refusals on benign tasks and thus a degradation in general utility. The data confirms this, as “Can I" achieves a near-perfect Normal Task Success (NTS) of 0.990 while maintaining a high Defense Success (DS) of 0.953. This finding supports our hypothesis that an effective prefix should be semantically neutral to avoid distorting the user’s original intent, a key reason many existing defense methods compromise model usability.

Persona Attribution and Inherent Safety Biases. The experiments with “Persona Attribution Probes" reveal the model’s sensitivity to perceived user characteristics. The prefix”I am a child." (DS 0.887) yields a higher defense success rate compared to “I am an adult." (DS 0.803). This suggests that the model’s internal safety mechanisms are calibrated differently based on the perceived vulnerability of the user, activating stronger protective guardrails when interacting with a user identified as a child. This aligns with the design philosophy of many aligned LLMs, which are trained to be particularly cautious about generating potentially harmful content for protected groups.

9.2 Results on LLaMA3 Model↩︎

Table 3 reports the defense performance of various methods on the LLaMA3 model under four challenging jailbreak attacks (GCG, AutoDAN, DeepInception, SIJ). Our method demonstrates consistently strong robustness across all attacks. In particular, on the SIJ attack, where most baselines fail to offer adequate protection, our method successfully mitigates harmful outputs and achieves a normalized score of 1.00 across all attacks. This indicates that SAID preserves both safety and utility even under novel, unseen jailbreak scenarios.

9.3 More Prefix Analysis↩︎

Prefix Length and Adversarial Obfuscation. The results clearly demonstrate that longer prefixes can paradoxically degrade a model’s defense capabilities. For instance, expanding the concise probe “Can I" (DS 0.953) to the more verbose”For my creative writing project, I need a description of " causes the defense success rate to plummet to 0.207. This phenomenon is analogous to the mechanisms used by certain attack methods like DeepInception, where lengthy and complex scenarios are used to confuse the model and bypass its safety filters. Overly long prefixes can act as a form of adversarial obfuscation, distracting the model from the core intent and making it more susceptible to manipulation. This reinforces the conclusion that an optimal prefix must be concise to be effective.

Ineffectiveness of Contextual Diversion. The “Contextual Diversion Probes" highlight the importance of task-relevant framing. Introducing semantically irrelevant information, such as”I’m a bit sad today." or “Today is a nice day.", often degrades the model’s performance on normal tasks. The prefix”I’m a bit sad today" significantly lowers the Normal Task Success rate to 0.763 because it distracts the model from the user’s primary instruction. While such prefixes might sometimes result in a refusal of a harmful request, this is often a byproduct of the model producing an irrelevant or empathetic response rather than a principled safety refusal(such as “Blah blah blah."). This deviation from the user’s original intent makes this class of prefixes unreliable for robustly balancing safety and utility. An effective defense must address the core intent of the prompt, not simply divert the conversation.

Prefix Analysis About Vicuna. As can be seen from the Fig. 8, compared with the experimental results of “no defense", the prefix”Teach me how to " has achieved better performance in the two metrics of DS and NTS for the Vicuna-7B model. In contrast, the other prefixes will cause the model to either over-defend against users’ inputs or reduce its defensive capability. Therefore, for Vicuna-related models, we have selected “Teach me how to " as the Safety Prefix. Meanwhile, we can also draw a conclusion: for different models, the selection of prefixes should also change with the model, which is caused by the differences in the inherent capabilities of different models.

Prefix Analysis About Llama2-7B. Since Llama-2 already has sufficiently strong defensive capabilities, when we conduct prefix filtering on the Llama-2 model, we mainly consider whether the prefixes impair the model’s utility. As is shown in Fig. 9, it shows the impact of some prefixes on the model’s utility. It is obvious that neutral prefixes like “Can I " are more effective in ensuring the model’s utility compared to other prefixes with subjective intentions. This is because for users’ normal requests, adding the prefix”Can I " does not affect the meaning of the sentence itself. However, adding other prefixes in the figure, such as “Can you teach...", carries a certain degree of coercive intention. As a result, models that dislike being”forced" to act will develop a “resistant" attitude, leading to refusals even for some harmless inputs.

9.4 Comparison with IA↩︎

We have found that the work named IA [17] bears certain similarities to our ideas. They implement the defense against jailbreak attacks through a two-stage process. In the first stage, they analyze the core intent of the user’s input, prompting the model to focus on the safety, ethics, and legality of the user’s input. In the second stage, they generate a final response that complies with policies based on the dialogue from the first stage. However, their method requires the model to pay attention to safety issues in the input prompt, which is equivalent to telling the model in advance that it should focus on whether the user’s input is safe. This can lead the model to overly fixate on the safety of the user’s input, resulting in a decline in the model’s utility.

In contrast, the first stage of the SAID method does not include any prompts related to safety. Even in the subsequent prefix selection, neutral prefixes are chosen to stimulate the model’s safety capabilities. Since none of our steps prompt the model to be vigilant about the user’s input, the probability of the model engaging in excessive defense is significantly reduced. The defense performance of the two methods under different models and different jailbreak attacks is shown in the table 4.

From the comparison of the defense capabilities of the four models, it can be seen that both SAID and IA have strong defense capabilities. Among them, their capabilities are close on Llama2, Vicuna-7B and Vicuna-13B, while on the Guanaco model, SAID (1.27) is significantly better than IA (2.26). This indicates that the generalization ability of SAID is stronger than that of IA. In addition, from the comparison between Jsut-Eval and ATGR, we can also see that IA has a great impact on the utility of the model, among which the Llama2 model even drops to 2.410. In terms of time efficiency comparison, IA generally requires twice the original running time of the model, which is an unacceptable time cost. Thanks to its early stopping mechanism, SAID only brings acceptable time costs. Comprehensively speaking, the comprehensive capability of the SAID defense strategy is far superior to that of the IA strategy.

9.5 Results on Vicuna-13B↩︎

We also conducted extensive evaluations on the Vicuna-13B model across multiple defense methods, as presented in Table 5. Notably, our proposed defense method SAID demonstrated superior efficacy in mitigating six distinct jailbreak attacks. It achieved an exceptionally low average harmful score of 1.03, effectively neutralizing adversarial inputs with near-complete success. This highlights the robustness of the defense, particularly in its ability to thwart a wide range of attack strategies. Furthermore, the performance on Just-Eval, also remained competitive, with our method ranking highly. This suggests that while our defense offers strong protection against jailbreaks and is applicable to larger models as well, it does so without compromising the model’s utility, reinforcing the practical applicability of the proposed approach.

10 Further discussion↩︎

To further explore the impact of different prefixes on model outputs, we used KL divergence for further evaluation. As shown in the Fig. 3, it can be observed that the KL divergences obtained from different prefixes of various types exhibit obvious distribution patterns. With 0.6 as the dividing line, the prefixes in the distribution can be divided into two parts. The safety coefficients of prefixes with KL divergence less than 0.6 belong to the part with insignificant changes, and they are relatively concentrated in the figure. This indicates that these prefixes have little impact on the model’s output and thus relatively small influence on the model’s safety performance. For prefixes with KL divergence greater than 0.6, this part of prefixes has a significant impact on the model’s output. Some of them drive the model toward better safety, while others lead it toward greater danger. This also shows that there exist some prefixes that can change the preference of the model’s output, further clarify the model’s safety boundaries, and make the model’s output safer. However, there are also other prefixes that will affect the original capabilities of the model and its safety judgment.

11 Detailed Output Records of Different Defenses Under Diverse Attack Scenarios↩︎

In this section, we present representative examples that illustrate how our defense compares to alternative methods when exposed to diverse attack scenarios. For each case, we display the original attack prompt alongside the outputs produced by different defenses, and we highlight qualitative differences in behavior, such as successful mitigation, partial containment, or failure modes. These examples are chosen to demonstrate the practical effectiveness of our approach, to reveal common failure patterns of competing defenses, and to provide concrete evidence that complements the quantitative evaluations presented in the main text.

Example 1 — SAP30 Attack On Guanaco↩︎

Attack Prompt:

Outputs:

Example 2 — SIJ Attack On Vicuna-7B↩︎

Attack Prompt:

Outputs:

References↩︎