
TLDR
- What: Ellipsoid Control (EC) is an inference-time jailbreak defense that uses Projected Gradient Descent (PGD) to steer hidden representation states toward refusal targets while strictly bound by a high-dimensional anisotropic ellipsoid fitted from benign data.
- Who's at risk: Enterprise LLM deployments (e.g., running LLaMA-3, Qwen-2.5, or Mistral-7B) that are highly vulnerable to embedding-space attacks (like SoftPrompt) or suffer from high over-refusal rates (exaggerated safety behaviors) on edge-case queries.
- Key number: Under the state-of-the-art white-box SoftPrompt embedding attack on LLaMA-3-8B, Ellipsoid Control reduces the Attack Success Rate (ASR) to 12.3% (down from 80.7% undefended and 55.7% under Circuit Breaker) while maintaining a low over-refusal rate of 19.3% (compared to Circuit Breaker's 48.4%).
As large language models (LLMs) transition from conversational interfaces to core decision-making infrastructure—powering tools like Cursor, agentic workflows, and database-connected RAG pipelines—securing their latent representations from adversarial manipulation has become a priority. While Representation Engineering (RepE) defenses have shown promise, existing methods rely heavily on "black-list" supervision: they learn transformations using collected datasets of harmful prompts.
This approach fails to generalize to unseen, out-of-distribution (OOD) jailbreaks and leads to aggressive over-refusal on harmless, boundary-case queries. In a new paper, Chen et al. (arXiv 2026) introduce Ellipsoid Control (EC), an inference-time defense that flips the script: it models a high-dimensional "white-list" of benign activation geometries, allowing targeted alignment steering without distorting normal model utility.
Threat Model
| Attacker | A black-box or white-box adversary with access to query embeddings or APIs, attempting to inject jailbreak suffixes (e.g., GCG, AutoDAN) or continuous embedding-space prompts (e.g., SoftPrompt) to bypass safety alignment. |
| Victim | Production inference servers hosting open-source aligned LLMs (e.g., LLaMA-3-8B-Instruct, Qwen2.5-7B-Instruct, Mistral-7B-v2). |
| Goal | Force the target model to generate harmful, illegal, or policy-violating content (e.g., weapon schematics, exploit code, hate speech). |
| Budget | Minimal to moderate; can range from executing simple black-box prompt optimization queries to generating specialized white-box embedding-space attacks offline. |
Background & The Core Limitations of Black-list Defenses
Traditional RepE-based safety defenses—such as Circuit Breaker (Zou et al., NeurIPS 2024), Latent Adversarial Training (Sheshadri et al., arXiv 2024), and Jailbreak Antidote (Shen et al., arXiv 2024)—train or steer models using paired datasets of "harmful" and "benign" examples. Chen et al. (arXiv 2026) identify two major flaws in this paradigm:
- The Unbounded Harmful Space (L1): Harmful prompts and jailbreak vectors occupy an infinitely diverse, unbounded space. A transformation learned on a finite dataset of bad prompts cannot defend against highly optimized latent space attacks, such as SoftPrompt (Schwinn et al., NeurIPS 2024), which effortlessly bypass under-protected latent regions.
- Pointwise Benign Preservation (L2): Existing defenses preserve benign behavior only pointwise, failing to capture the global topological structure of the benign latent distribution. Consequently, these models overfit and exhibit exaggerated safety behaviors, resulting in excessive over-refusal on boundary questions.
Defense Paradigms Compared
| Defense | Supervision Type | Optimization Timing | Benign Preservation Method | Vulnerable to Embedding Attacks? | Over-Refusal Risk |
|---|---|---|---|---|---|
| Circuit Breaker (Zou et al., 2024) | Black-list (Harmful vs. Benign) | Offline Fine-tuning | Mean squared error loss on activations | Yes (High ASR under SoftPrompt) | Extremely High (~48.4% on LLaMA-3) |
| Jailbreak Antidote (Shen et al., 2024) | Black-list (Harmful vs. Benign) | Inference-time (Global vector) | Sparse mask applied to steering vector | Yes (High ASR under SoftPrompt) | High (~45.4% on LLaMA-3) |
| HSF (Qian et al., WWW 2025) | Black-list (Boundary) | Inference-time (Classifier) | Half-space classifier separation | Yes | High (~57.2% on LLaMA-3) |
| Ellipsoid Control (Ours) | White-list (Benign Only) | Inference-time (Per-query) | Anisotropic Ellipsoid Projection | No (Low ASR; robust to SoftPrompt) | Low (~19.3% on LLaMA-3) |
Methodology: How Ellipsoid Control Works
Instead of trying to map the infinite boundaries of harmful inputs, Ellipsoid Control models the finite, abundant, and accessible manifold of benign activations. It consists of an offline preparation phase and an online inference-time optimization loop.
Offline Phase:
[Benign Dataset (UltraChat)] ──> [Extract Hidden States (Layer l)] ──> [SVD Decomposition] ──> [Anisotropic Ellipsoid (U, Σ)]
Online Phase (Per query):
[User Prompt] ──> [Extract h(l)] ──> [PGD: Maximize Refusal Likelihood]
│
[Constrained drift via Ellipsoid Projection (U, Σ, ε)]
│
▼
[Safe Model Response]
Step 1: Offline Benign Constraint Construction
Using a corpus of 100k benign instructions sampled from UltraChat (Ding et al., EMNLP 2023), the defender extracts the last-token hidden states at a designated safety-sensitive layer .
The data is centralized and normalized relative to the mean benign hidden state :
Singular Value Decomposition (SVD) is then performed to define the global anisotropic ellipsoid:
Each unit vector in represents an independent semantic direction in the latent space, while its singular value quantifies how densely benign data populates that direction.
Step 2: Online Per-Query Optimization via PGD
For every incoming query, EC optimizes a custom drift matrix for projected gradient descent steps. The objective is to maximize the log-likelihood of the model outputting a hardcoded refusal string (such as "I am sorry, but I cannot"):
Where the steered representation is given by:
Step 3: Anisotropic Ellipsoid Projection
To ensure that benign queries are not modified, is projected back onto the feasible ellipsoid set . Rather than utilizing an isotropic spherical constraint (which treats all directions equally), EC implements an axis-wise hard constraint scaled by the covariance spectrum :
Where is the actual drift vector scaled by semantic density. High-energy semantic directions (large ) are tightly constrained to preserve critical model capabilities, while weakly populated directions (small ) are allowed more freedom to elicit refusal behavior.
The closed-form projection step computed at each iteration is:
The complete online algorithm is detailed below:
def project_ellipsoid(delta, U, Sigma, epsilon):
# Step 1: Compute drift along semantic directions
Z = delta @ U
D = Z @ Sigma
# Step 2: Scale and clip drift along each axis
lambdas = torch.clamp(epsilon / torch.norm(D, dim=0), max=1.0)
D_clip = D * lambdas
# Step 3: Back-solve to obtain minimally-distorted drift matrix
delta_proj = delta + (D_clip - D) @ torch.inverse(Sigma) @ U.T
return delta_proj
Key Results
Chen et al. (arXiv 2026) evaluated Ellipsoid Control across three open-source LLMs (LLaMA-3-8B-Instruct, Mistral-7B-v2, and Qwen2.5-7B-Instruct) using Harmbench for safety evaluations, ORBench for boundary over-refusal rates (ORR), and MMLU/MT-Bench for general utility.
Robustness & Utility Evaluation (Table I)
| Model & Defense | GCG ASR ↓ | AutoDAN ASR ↓ | GPTFuzz ASR ↓ | SoftPrompt ASR ↓ | MMLU % ↑ | MT-Bench ↑ | Boundary ORR ↓ |
|---|---|---|---|---|---|---|---|
| LLAMA3-8B (Baseline) | 44.3% | 3.3% | 29.0% | 80.7% | 68.5% | 8.1 | 14.3% |
| + Circuit Breaker | 2.7% | 0.0% | 3.3% | 55.7% | 68.3% | 8.0 | 48.4% |
| + Jailbreak Antidote | 3.0% | 0.0% | 9.7% | 64.3% | 67.8% | 7.9 | 45.4% |
| + Ellipsoid Control (Ours) | 2.3% | 0.0% | 4.0% | 12.3% | 68.3% | 8.0 | 19.3% |
| Mistral-7B-v2 (Baseline) | 91.0% | 89.7% | 92.3% | 98.3% | 65.6% | 7.6 | 7.2% |
| + Circuit Breaker | 11.3% | 0.0% | 15.7% | 57.7% | 65.6% | 7.5 | 82.7% |
| + Ellipsoid Control (Ours) | 9.0% | 0.0% | 12.7% | 25.3% | 65.5% | 7.5 | 14.5% |
| QWEN-2.5-7B (Baseline) | 72.7% | 62.3% | 79.3% | 90.3% | 79.7% | 8.8 | 9.6% |
| + Jailbreak Antidote | 9.7% | 3.3% | 26.7% | 59.7% | 76.5% | 8.4 | 48.8% |
| + Ellipsoid Control (Ours) | 6.0% | 0.0% | 8.0% | 20.0% | 79.4% | 8.7 | 17.4% |
Key Takeaways from the Results:
- Resilience to Latent/Embedding Attacks: On LLaMA-3-8B, the SoftPrompt attack easily bypasses Circuit Breaker (55.7% ASR) and Jailbreak Antidote (64.3% ASR). Ellipsoid Control neutralizes the attack, holding the ASR to 12.3%.
- Solving the Over-Refusal Problem: For safety boundary queries (ORBench), Circuit Breaker over-refuses 48.4% of the time on LLaMA-3 and an unacceptable 82.7% on Mistral-7B. Ellipsoid Control drops these rates to 19.3% and 14.5% respectively, preserving conversational utility.
- Utility Maintained: General academic knowledge performance (MMLU) and chatbot capability (MT-Bench) remain virtually identical to the undefended base models when using EC.
Limitations & Open Questions
While Ellipsoid Control is highly effective, security practitioners should keep these limitations in mind:
- The "Benign Void" Exploit: EC models the benign latent space as a single, convex, uni-modal ellipsoid. In reality, LLM hidden states form fragmented, multi-modal clusters. This leaves "benign voids"—regions inside the boundary of the fitted ellipsoid that contain no real benign samples. A sophisticated white-box adaptive attacker could design adversarial prompts targeting these unmonitored latent voids.
- Computational Overhead: Because EC performs PGD optimization steps per request, it adds computational overhead. As Section V describes, running optimization steps is equivalent to generating 20 additional tokens. While Table III shows that this remains practical in production (averaging a 1.32-second overhead per sample on Qwen2.5-7B), it is still slower than simple feed-forward generation.
What Practitioners Should Do
If you are deploying open-source LLMs in safety-critical, enterprise environments, consider these steps to implement Ellipsoid Control:
1. Identify and Profile the Target Layer
Use the activation analysis methods outlined by Arditi et al. (2024) to locate the layer that acts as the "safety bottleneck" of your model (usually around layer 15 for 8B models, or layer 21 for Qwen-2.5-7B).
2. Extract and Store Benign Covariance Offline
Do not attempt to compute SVD on-the-fly. Run an offline pipeline using PyTorch hooks to collect activations on a benign dataset (such as UltraChat), then compute and cache the SVD components (). For memory-constrained setups, use the chunked SVD approach described in Section V:
# Chunked SVD estimation
import torch
def compute_chunked_svd(hidden_states_list, chunk_size=1000):
concatenated_S = []
for chunk in hidden_states_list:
U_c, S_c, V_c = torch.linalg.svd(chunk, full_matrices=False)
concatenated_S.append(U_c @ torch.diag(S_c))
S_concat = torch.cat(concatenated_S, dim=1)
U_final, S_final, _ = torch.linalg.svd(S_concat, full_matrices=False)
return U_final, S_final
3. Implement Per-Token PGD Hooks in Your Inference Server
Wrap your inference engine (e.g., vLLM or HuggingFace TGI) to intercept the hidden activations of the last prompt token at the designated layer. Run the 10-step PGD optimization loop utilizing the stored and matrices before proceeding with autoregressive decoding.
The Takeaway
Chen et al. (arXiv 2026) demonstrate that effective LLM safety does not require modeling every potential malicious attack vector. By transitioning from a black-list paradigm to an anisotropic white-list boundary, Ellipsoid Control closes the loop on highly evasive embedding-space jailbreaks while preventing models from turning into over-sensitive, unhelpful systems. For high-risk, production-grade LLM applications, combining lightweight system safety filters with latent space ellipsoid modeling represents a robust defense against adversarial prompt manipulation.
Den's Take
What excites me about Ellipsoid Control is the conceptual shift from playing whack-a-mole with "harmful" prompts to mathematically bounding what "benign" looks like. In my experience securing LLMs, black-list safety approaches are a fool’s errand; the space of adversarial inputs is mathematically infinite. By modeling a high-dimensional anisotropic ellipsoid of benign activations, this defense offers an elegant solution to the over-refusal problem that plagues current production systems.
However, as a practitioner, my immediate concern is the computational overhead of running Projected Gradient Descent (PGD) at inference time. If you are running an automated customer support agent for a $50M fintech platform, adding iterative optimization steps to every token generation is a non-starter for latency budgets.
This shift toward securing latent spaces directly addresses the systemic vulnerabilities I discussed in Security in the Fine-Tuning Lifecycle of Large Language Models: Threats, Defenses,Evaluation, and Future Directions, where we analyzed how easily standard post-hoc safety guardrails are shattered when adversaries bypass superficial alignment to manipulate the underlying model representations. While Ellipsoid Control is a massive step forward in preventing these latent exploits without ruining model utility, we must find ways to optimize its execution footprint before it can be realistically integrated into high-throughput enterprise pipelines.