ASGuard: Activation-Scaling Guard to Mitigate Targeted Jailbreaking Attack
| Authors | Yein Park et al. |
| Year | 2026 |
| HF Upvotes | 19 |
| arXiv | 2509.25843 |
| Download | |
| HF Page | View on Hugging Face |
Abstract
Large language models (LLMs), despite being safety-aligned, exhibit brittle refusal behaviors that can be circumvented by simple linguistic changes. As tense jailbreaking demonstrates that models refusing harmful requests often comply when rephrased in past tense, a critical generalization gap is revealed in current alignment methods whose underlying mechanisms are poorly understood. In this work, we introduce Activation-Scaling Guard (ASGuard), an insightful, mechanistically-informed framework that surgically mitigates this specific vulnerability. In the first step, we use circuit analysis to identify the specific attention heads causally linked to the targeted jailbreaking such as a tense-changing attack. Second, we train a precise, channel-wise scaling vector to recalibrate the activation of tense vulnerable heads. Lastly, we apply it into a "preventative fine-tuning", forcing the model to learn a more robust refusal mechanism. Across four LLMs, ASGuard effectively reduces the attack success rate of targeted jailbreaking while preserving general capabilities and minimizing over refusal, achieving a Pareto-optimal balance between safety and utility. Our findings underscore how adversarial suffixes suppress the propagation of the refusal-mediating direction, based on mechanistic analysis. Furthermore, our work showcases how a deep understanding of model internals can be leveraged to develop practical, efficient, and targeted methods for adjusting model behavior, charting a course for more reliable and interpretable AI safety.
Engineering Breakdown
Plain English
This paper addresses a critical vulnerability in safety-aligned large language models where simple linguistic rephrasing—like changing request tense from present to past—can bypass refusal mechanisms that were trained to reject harmful content. The authors introduce ASGuard, a mechanistically-informed defense that identifies and surgically blocks the specific attention heads responsible for this tense-jailbreaking vulnerability using circuit analysis. Rather than retraining the entire model, ASGuard learns precise channel-wise scaling vectors that recalibrate activations in the vulnerable pathways, preserving model capability while closing this specific attack surface.
Core Technical Contribution
The core novelty is combining mechanistic interpretability with targeted activation scaling to defend against linguistically-sophisticated jailbreaks. Instead of applying broad safety patches or expensive retraining, the authors use circuit analysis to pinpoint the causal attention heads that enable tense-based circumvention of refusal behavior, then train lightweight scaling vectors to suppress those specific pathways. This is mechanistically-informed rather than empirical—the defense targets the identified causal mechanism rather than treating symptoms. The approach is fundamentally different from prior alignment methods by explicitly modeling and intervening at the computational level where the vulnerability manifests.
How It Works
Step one uses circuit analysis on the LLM to trace which attention heads causally contribute to susceptibility to tense-changing attacks, isolating the computational pathways responsible for conflating 'past tense harmful request' with safe content. Step two trains a channel-wise scaling vector—a lightweight vector of learnable multipliers applied to activations in those identified heads—that recalibrates the model's internal representations without modifying weights. During inference, when an input arrives, the model processes it normally until reaching the vulnerable attention heads, where the learned scaling vector suppresses the jailbreak-enabling activations while preserving legitimate behavior. The scaling is surgical: it only intervenes on the specific channels and heads identified as causal, minimizing collateral damage to unrelated model capabilities.
Production Impact
For production systems, this offers a surgical alternative to expensive retraining or broad safety patches. Instead of rerunning RLHF or fine-tuning (which can take weeks and degrade performance), you can deploy ASGuard as a lightweight runtime defense—the scaling vectors are tiny relative to model size, adding negligible latency during inference. The approach scales: once you've identified vulnerable circuits for one attack pattern (like tense), you can probe for other linguistic variations and stack multiple scaling vectors with minimal overhead. The trade-off is that ASGuard requires mechanistic analysis upfront (circuit identification is computationally expensive), making it less suitable for zero-day attacks, but excellent for known vulnerability classes. Integration is straightforward—insert the scaling operation as a hook in the attention computation graph, making it compatible with existing deployment pipelines and quantization schemes.
Limitations and When Not to Use This
The paper's scope is narrowly focused on tense-based jailbreaks, and it's unclear whether the circuit identification process generalizes to other linguistic attack vectors or adversarial patterns without repeating expensive mechanistic analysis. ASGuard assumes the vulnerable circuits can be cleanly identified and isolated via circuit analysis, but this assumption may break down for more subtle attacks or models where harmful and benign reasoning paths are deeply entangled. The approach also requires white-box access to model internals for both circuit analysis and scaling vector placement, making it inapplicable to API-only models or systems where you control outputs but not hidden states. Finally, the paper doesn't address adaptive adversaries who might discover the scaling vectors themselves and craft attacks that work around them, nor does it provide evidence of robustness against distribution shift or fine-tuning that could erode the defense over time.
Research Context
This work advances the mechanistic interpretability agenda—using circuit analysis and causal intervention to understand and defend against vulnerabilities rather than treating models as black boxes. It builds on recent progress in attention head attribution and mechanistic explanations of model behavior, extending those tools into a defense framework. The paper fits within the broader safety research direction of moving from reactive red-teaming to proactive, principled defenses grounded in model internals. It opens the door to a new research direction: systematically mapping jailbreak-enabling circuits and building composable, mechanistic defenses against known attack patterns, potentially enabling safer deployment of frontier models without full retraining.
:::tip Subscribe Get weekly breakdowns of papers like this in AI Letters - the newsletter for engineers building production AI systems. :::
