Large Language Models (LLMs) have achieved remarkable success in natural language processing but remain vulnerable to jailbreak attacks that bypass built-in safety mechanisms and induce the generation of harmful content. Existing defense methods often rely on static prompt modifications or post-generation filtering, neglecting the dynamic nature of the decoding process. In this paper, we propose StreamGuard, a lightweight and plug-and-play defense framework that enhances LLM safety by intervening during the decoding stage. StreamGuard integrates a self-review mechanism to assess the safety of intermediate outputs and conditionally performs prompt insertion to steer generation back to safe trajectories. Extensive experiments on two open-source instruction-tuned models (LLaMA3.1-8B-Instruct and Qwen2.5-7B-Instruct) against three representative jailbreak attacks (AutoDAN, GCG, DeepInception) demonstrate that StreamGuard significantly reduces attack success rates—dropping from 66% to 6% on AutoDAN—while preserving model utility. Our method requires no model fine-tuning, exhibits strong generalizability, and complements existing static defenses. We release our code and evaluation benchmarks to facilitate reproducibility and future research.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

StreamGuard: A Streaming-Based Defense Against Jailbreaking Attacks in Large Language Models

  • Laizhen Li,
  • Xitong Gao,
  • Xuan Wang,
  • Juanjuan Zhao,
  • Kejiang Ye

摘要

Large Language Models (LLMs) have achieved remarkable success in natural language processing but remain vulnerable to jailbreak attacks that bypass built-in safety mechanisms and induce the generation of harmful content. Existing defense methods often rely on static prompt modifications or post-generation filtering, neglecting the dynamic nature of the decoding process. In this paper, we propose StreamGuard, a lightweight and plug-and-play defense framework that enhances LLM safety by intervening during the decoding stage. StreamGuard integrates a self-review mechanism to assess the safety of intermediate outputs and conditionally performs prompt insertion to steer generation back to safe trajectories. Extensive experiments on two open-source instruction-tuned models (LLaMA3.1-8B-Instruct and Qwen2.5-7B-Instruct) against three representative jailbreak attacks (AutoDAN, GCG, DeepInception) demonstrate that StreamGuard significantly reduces attack success rates—dropping from 66% to 6% on AutoDAN—while preserving model utility. Our method requires no model fine-tuning, exhibits strong generalizability, and complements existing static defenses. We release our code and evaluation benchmarks to facilitate reproducibility and future research.