ASGuard: Activation-Scaling Guard to Mitigate Targeted Jailbreaking Attack

Researchers introduce ASGuard, a mechanistically-informed framework that identifies and mitigates vulnerabilities in large language models' safety mechanisms, particularly those exploited by targeted jailbreaking attacks like tense-changing prompts. By using circuit analysis to locate vulnerable attention heads and applying channel-wise scaling vectors, ASGuard reduces attack success rates while maintaining model utility and general capabilities.

ASGuard addresses a critical vulnerability in current LLM safety approaches: the brittleness of refusal behaviors against linguistic manipulations. Researchers discovered that models trained to refuse harmful requests often comply when those same requests are rephrased in past tense, exposing fundamental gaps in how alignment mechanisms function. This finding matters because it demonstrates that current safety training treats surface-level linguistic variations as distinct scenarios rather than semantically equivalent requests.

The research builds on recent progress in mechanistic interpretability, which seeks to understand the internal operations of neural networks. Previous work identified that safety-relevant information flows through specific circuits in language models, enabling more targeted interventions than broad retraining approaches. ASGuard leverages this understanding by using circuit analysis to pinpoint the exact attention heads responsible for tense-vulnerability, then trains a precise correction mechanism rather than retraining entire models.

For the AI safety industry, this represents meaningful progress toward interpretable, efficient alignment methods. Traditional safety alignment requires large-scale fine-tuning across entire models, making interventions costly and potentially introducing new failure modes. ASGuard's surgical approach achieves what the authors call Pareto-optimal balance—improving safety without degrading model utility or creating excessive over-refusal. Testing across four LLMs demonstrates generalizability beyond single architectures.

Looking ahead, the research signals movement toward defense mechanisms grounded in mechanistic understanding rather than empirical patching. Success here could accelerate adoption of interpretability-driven safety approaches across the industry, setting standards for how newer and larger models should be secured against targeted attacks.

• →ASGuard uses circuit analysis to identify specific attention heads vulnerable to tense-based jailbreaking attacks.
• →Channel-wise scaling vectors recalibrate vulnerable activations without requiring full model retraining.
• →The framework achieves Pareto-optimal safety-utility balance across four different LLMs.
• →Mechanistic interpretability enables surgical interventions that preserve general model capabilities.
• →Findings suggest adversarial suffixes suppress refusal-mediating activation directions in language models.