<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<!-- Meta tags for social media banners, these should be filled in appropriately as they are your "business card" -->
<!-- Replace the content tag with appropriate information -->
<meta name="description" content="DESCRIPTION META TAG">
<meta property="og:title" content="SOCIAL MEDIA TITLE TAG"/>
<meta property="og:description" content="SOCIAL MEDIA DESCRIPTION TAG"/>
<meta property="og:url" content="URL OF THE WEBSITE"/>
<!-- Path to banner image, should be in the path listed below. Optimal dimensions are 1200X630-->
<meta property="og:image" content="static/image/your_banner_image.png" />
<meta property="og:image:width" content="1200"/>
<meta property="og:image:height" content="630"/>
<meta name="twitter:title" content="TWITTER BANNER TITLE META TAG">
<meta name="twitter:description" content="TWITTER BANNER DESCRIPTION META TAG">
<!-- Path to banner image, should be in the path listed below. Optimal dimensions are 1200X600-->
<meta name="twitter:image" content="static/images/your_twitter_banner_image.png">
<meta name="twitter:card" content="summary_large_image">
<!-- Keywords for your paper to be indexed by-->
<meta name="keywords" content="KEYWORDS SHOULD BE PLACED HERE">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>ARMOR: Aligning Secure and Safe Large Language Models via Meticulous Reasoning</title>
<link rel="icon" type="image/x-icon" href="static/images/favicon.ico">
<link href="https://fonts.googleapis.com/css?family=Google+Sans|Noto+Sans|Castoro"
rel="stylesheet">
<link rel="stylesheet" href="static/css/bulma.min.css">
<link rel="stylesheet" href="static/css/bulma-carousel.min.css">
<link rel="stylesheet" href="static/css/bulma-slider.min.css">
<link rel="stylesheet" href="static/css/fontawesome.all.min.css">
<link rel="stylesheet"
href="https://cdn.jsdelivr.net/gh/jpswalsh/academicons@1/css/academicons.min.css">
<link rel="stylesheet" href="static/css/index.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script src="https://documentcloud.adobe.com/view-sdk/main.js"></script>
<script defer src="static/js/fontawesome.all.min.js"></script>
<script src="static/js/bulma-carousel.min.js"></script>
<script src="static/js/bulma-slider.min.js"></script>
<script src="static/js/index.js"></script>
</head>
<body>
<section class="hero">
<div class="hero-body">
<div class="container is-max-desktop">
<div class="columns is-centered">
<div class="column has-text-centered">
<h1 class="title is-1 publication-title">ARMOR: Aligning Secure and Safe Large Language Models via Meticulous Reasoning</h1>
<div class="is-size-5 publication-authors">
<!-- Paper authors -->
<span class="author-block">
<a href="https://safo-lab.github.io/llm-armor/" target="_blank">Zhengyue Zhao</a><sup>1</sup>,</span>
<span class="author-block">
<a href="https://safo-lab.github.io/llm-armor/" target="_blank">Yingzi Ma</a><sup>2</sup>,</span>
<span class="author-block">
<a href="https://safo-lab.github.io/llm-armor/" target="_blank">Somesh Jha</a><sup>2</sup>,</span>
<span class="author-block">
<a href="https://safo-lab.github.io/llm-armor/" target="_blank">Marco Pavone</a><sup>3,4</sup>,</span>
<span class="author-block">
<a href="https://safo-lab.github.io/llm-armor/" target="_blank">Patrick McDaniel</a><sup>2</sup>,</span>
<span class="author-block">
<a href="https://safo-lab.github.io/llm-armor/" target="_blank">Chaowei Xiao</a><sup>1</sup></span>
</div>
<div class="is-size-5 publication-authors">
<span class="author-block"><sup>1</sup>Johns Hopkins University <sup>2</sup>University of Wisconsin-Madison<br><sup>3</sup>Stanford University <sup>4</sup>NVIDIA<br></span>
<!-- <span class="eql-cntrb"><small><br><sup>*</sup>Indicates Equal Contribution</small></span> -->
</div>
<div class="column has-text-centered">
<div class="publication-links">
<!-- ArXiv abstract Link -->
<span class="link-block">
<a href="https://arxiv.org/abs/2507.11500v2" target="_blank"
class="external-link button is-normal is-rounded is-dark">
<span class="icon">
<i class="ai ai-arxiv"></i>
</span>
<span>arXiv</span>
</a>
</span>
<!-- Github link -->
<span class="link-block">
<a href="https://github.com/SaFo-Lab/armor" target="_blank"
class="external-link button is-normal is-rounded is-dark">
<span class="icon">
<i class="fab fa-github"></i>
</span>
<span>Code</span>
</a>
</span>
<!-- Arxiv PDF link -->
<!-- <span class="link-block">
<a href="https://arxiv.org/pdf/<ARXIV PAPER ID>.pdf" target="_blank"
class="external-link button is-normal is-rounded is-dark">
<span class="icon">
<i class="fas fa-file-pdf"></i>
</span>
<span>Paper</span>
</a>
</span> -->
</div>
</div>
</div>
</div>
</div>
</div>
</section>
<section class="hero is-small">
<div class="hero-body">
<div class="container" style="max-width: 800px; margin: 0 auto;">
<img src="static/images/overview.svg" style="display: block; margin: 0 auto;" alt="Overview" width="100%"/>
<h2 class="content has-text-justified">
<b>Figure 1. Overview of ARMOR:</b> Reasoning-based safety-aligned LLMs encounter "hidden intent injection" when facing adaptive jailbreak attacks, resulting in a misaligned output. In contrast, ARMOR extracts the core intent of the instruction with a jailbreak strategy analysis, along with a policy-based safety analysis, demonstrating robustness to adaptive jailbreak attacks.
</h2>
</div>
</div>
</section>
<!-- Paper abstract -->
<section class="section hero is-light">
<div class="container is-max-desktop" style="max-width: 800px; margin: 0 auto;">
<div class="columns is-centered has-text-centered">
<div class="column is-four-fifths">
<h2 class="title is-3">Abstract</h2>
<div class="content has-text-justified">
<p>
Large Language Models have shown impressive generative capabilities across diverse tasks, but their safety remains a critical concern. Existing post-training alignment methods, such as SFT and RLHF, reduce harmful outputs yet leave LLMs vulnerable to jailbreak attacks, especially advanced optimization-based ones. Recent system-2 approaches enhance safety by adding inference-time reasoning, where models assess potential risks before producing responses. However, we find these methods fail against powerful out-of-distribution jailbreaks, such as AutoDAN-Turbo and Adversarial Reasoning, which conceal malicious goals behind seemingly benign prompts. We observe that all jailbreaks ultimately aim to embed a core malicious intent, suggesting that extracting this intent is key to defense. To this end, we propose ARMOR, which introduces a structured three-step reasoning pipeline: (1) analyze jailbreak strategies from an external, updatable strategy library, (2) extract the core intent, and (3) apply policy-based safety verification. We further develop ARMOR-Think, which decouples safety reasoning from general reasoning to improve both robustness and utility. Evaluations on advanced optimization-based jailbreaks and safety benchmarks show that ARMOR achieves state-of-the-art safety performance, with an average harmful rate of 0.002 and an attack success rate of 0.06 against advanced optimization-based jailbreaks, far below those of other reasoning-based models. Moreover, ARMOR demonstrates strong generalization to unseen jailbreak strategies, reducing their success rate to zero. These results highlight ARMOR’s effectiveness in defending against OOD jailbreak attacks, offering a practical path toward secure and reliable LLMs.</p>
</div>
</div>
</div>
</div>
</section>
<!-- End paper abstract -->
<section class="hero is-small">
<div class="hero-body">
<div class="container" style="max-width: 800px; margin: 0 auto;">
<h2 class="title">Method</h2>
<div style="margin-bottom: 2rem;">
<h2 class="subtitle has-text-justified">
Details of the construction of the Meticulous Reasoning steps, which consist of the <b>strategy analysis</b> step, the <b>intent analysis</b> step, and the <b>safety analysis</b> step, followed by the <b>final answer</b>. Each step is built from the ground-truth data, including the intent (original prompt), the jailbreak prompt, the specified strategy, and the related safety policy.
</h2>
</div>
<img src="static/images/build.svg" style="display: block; margin: 2rem auto;" alt="Construction" width="85%"/>
<h2 class="subtitle has-text-centered">
<b>Figure 2.</b> Construction of Meticulous Reasoning.
</h2>
<div style="margin: 2rem 0;">
<p class="subtitle has-text-justified">
The ARMOR framework consists of the following steps: (1) construct the Meticulous Reasoning steps from jailbreak prompts, their corresponding ground-truth (GT) jailbreak strategy and intent, and the safety policy; (2) format the reasoning steps with inputs consisting of the user's prompt and a system prompt that contains a dynamic strategy library and the safety policy; (3) train the base model to obtain the ARMOR model; (4) run inference with ARMOR using a custom strategy library and the safety policy; (5) perform test-time scaling with the DPO model and PRM trained on preference data generated by grounded tree sampling.
</p>
</div>
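The construction and formatting steps (1) and (2) above, as an added illustrative sketch that is not the authors' code: it turns constructed ground-truth records into the four-step reasoning target under a constructed strategy library and safety policy, and adds a defender-side consistency check over a trace. The tag names, strategy and policy ids, placeholder wording and record fields are all assumptions.

```python
import re

# Constructed strategy library standing in for the page's external, updatable library (placeholder entries).
STRATEGY_LIBRARY = {"S1": "frames the request as a fictional scenario",
                    "S2": "splits the request into innocuous-looking sub-tasks"}
# Constructed safety policy, keyed by clause id (placeholder wording).
SAFETY_POLICY = {"P1": "Do not give operational instructions for harming others."}
REFUSAL, NO_STRATEGY = "I can't help with that.", "No jailbreak strategy detected."
# Constructed GT records: one jailbreak of a harmful intent, one benign prompt.
RECORDS = [
    {"intent": "HARMFUL_INTENT_PLACEHOLDER", "prompt": "JAILBREAK_PROMPT_PLACEHOLDER",
     "strategy": "S1", "policy": "P1", "answer": None},
    {"intent": "Explain how TLS certificate chains are validated",
     "prompt": "Explain how TLS certificate chains are validated",
     "strategy": None, "policy": None, "answer": "Each certificate is checked ..."},
]

def build_system_prompt(library, policy):
    """System prompt = dynamic strategy library + safety policy (page step 2)."""
    lib = "\n".join(f"- {k}: {v}" for k, v in library.items())
    pol = "\n".join(f"- {k}: {v}" for k, v in policy.items())
    return f"Known jailbreak strategies:\n{lib}\nSafety policy:\n{pol}"

def build_trace(record, library, policy):
    """Format one GT record (intent, strategy, violated policy clause) into the
    four-step target: strategy analysis, intent, safety analysis, final answer."""
    s, c = record["strategy"], record["policy"]
    strategy = f"Uses {s}: {library[s]}." if s else NO_STRATEGY
    safety = f"Violates {c}: {policy[c]}" if c else "Violates no policy."
    answer = REFUSAL if c else record["answer"]
    return (f"<strategy>{strategy}</strategy>\n<intent>{record['intent']}</intent>\n"
            f"<safety>{safety}</safety>\n<answer>{answer}</answer>")

def build_sample(record, library, policy):
    """One training sample: system prompt, user turn (the prompt as seen), target."""
    return {"system": build_system_prompt(library, policy), "user": record["prompt"],
            "target": build_trace(record, library, policy)}

def validate_trace(trace, library, policy):
    """Defender-side check: all four steps present, the strategy is in the
    library, and the answer refuses exactly when the safety step cites a clause."""
    steps = dict(re.findall(r"<(\w+)>(.*?)</\1>", trace, re.S))
    if set(steps) != {"strategy", "intent", "safety", "answer"}:
        return False
    m = re.match(r"Uses (\w+):", steps["strategy"])
    if (m is None and steps["strategy"] != NO_STRATEGY) or (m and m.group(1) not in library):
        return False
    cited = any(steps["safety"].startswith(f"Violates {k}") for k in policy)
    return cited == steps["answer"].startswith(REFUSAL)
```

Running validate_trace over model outputs at inference time catches traces whose final answer contradicts their own safety analysis, or that name a strategy absent from the library.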
<img src="static/images/method.svg" style="display: block; margin: 2rem auto;" alt="Framework" width="100%"/>
<p class="subtitle has-text-centered">
<b>Figure 3.</b> Framework of ARMOR.
</p>
</div>
</div>
</section>
<section class="hero is-small">
<div class="hero-body">
<div class="container" style="max-width: 800px; margin: 0 auto;">
<h2 class="title">Result</h2>
<img src="static/images/Results.png" style="display: block; margin: 0 auto;" alt="Results" width="90%"/>
</div>
</div>
</section>
<section class="hero is-small">
<div class="hero-body">
<div class="container" style="max-width: 800px; margin: 0 auto;">
<h2 class="title">Examples</h2>
<div id="results-carousel" class="carousel results-carousel">
<div class="item">
<!-- Your image here -->
<img src="static/images/case_jailbreak.svg" style="display: block; margin: 0 auto;" alt="Results" width="80%"/>
<h2 class="subtitle has-text-centered">
An example of jailbreak prompt.
</h2>
</div>
<div class="item">
<!-- Your image here -->
<img src="static/images/case_harmful.svg" style="display: block; margin: 0 auto;" alt="Results" width="80%"/>
<h2 class="subtitle has-text-centered">
An example of direct harmful prompt.
</h2>
</div>
<div class="item">
<!-- Your image here -->
<img src="static/images/case_benign.svg" style="display: block; margin: 0 auto;" alt="Results" width="80%"/>
<h2 class="subtitle has-text-centered">
An example of benign prompt.
</h2>
</div>
</div>
</div>
</div>
</section>
<!--
<section class="hero is-small">
<div class="hero-body">
<div class="container">
<h2 class="title">Example</h2>
<img src="static/images/case_jailbreak.svg" style="display: block; margin: 0 auto;" alt="Example" width="60%"/>
<h2 class="content has-text-justified">
An example of jailbreak prompt.
</h2>
</div>
<img src="static/images/case_harmful.svg" style="display: block; margin: 0 auto;" alt="Example" width="50%"/>
<h2 class="content has-text-justified">
An example of direct harmful prompt.
</h2>
</div>
<img src="static/images/case_benign.svg" style="display: block; margin: 0 auto;" alt="Example" width="50%"/>
<h2 class="content has-text-justified">
An example of benign prompt.
</h2>
</div>
</div>
</section> -->
<footer class="footer">
<div class="container">
<div class="columns is-centered">
<div class="column is-8">
<div class="content">
<p>
This page was built using the <a href="https://github.com/eliahuhorwitz/Academic-project-page-template" target="_blank">Academic Project Page Template</a> which was adopted from the <a href="https://nerfies.github.io" target="_blank">Nerfies</a> project page.
<!-- You are free to borrow the source code of this website, we just ask that you link back to this page in the footer. <br> This website is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/" target="_blank">Creative
Commons Attribution-ShareAlike 4.0 International License</a>. -->
</p>
</div>
</div>
</div>
</div>
</footer>
<!-- Statcounter tracking code -->
<!-- You can add a tracker to track page visits by creating an account at statcounter.com -->
<!-- End of Statcounter Code -->
</body>
</html>