Image generated by AI
TLDR
- What: Activation-Guided GCG optimizes adversarial suffixes by minimizing projection onto a model's internal, low-dimensional refusal direction, paired with Soft-GCG (SGCG) which replaces discrete search with a continuous Gumbel-Softmax relaxation.
- Who's at risk: Open-weight LLMs (specifically Llama-2-7b-chat and Gemma 3 models below 12B parameters) deployed with white-box access or optimized locally before transfer attacks.
- Key number: Soft-GCG achieves a 33× to 43× speedup over standard GCG (2.5 minutes vs 81 minutes for 2,000 steps) while matching or exceeding standard attack success rates.
Cracking LLM Alignment from the Inside Out: Activation-Guided GCG and Gumbel-Softmax Suffix Optimization
Security researchers and red-teamers have long relied on Greedy Coordinate Gradient (GCG) to bypass LLM safety guardrails. However, standard GCG operates on a superficial behavioral proxy—optimizing inputs to force specific target output tokens like "Sure, here is..."—while ignoring the model's internal state. This paper by Cakar et al. (Harvard University) breaks the assumption that optimization must target output token logits. By fusing adversarial suffix generation with representation engineering, they demonstrate that targeting a model’s internal, low-dimensional "refusal direction" directly yields highly effective jailbreak suffixes. Simultaneously, they introduce a continuous relaxation using the Gumbel-Softmax distribution to solve the massive computational bottleneck of discrete suffix search.
Threat Model
| Dimension | Details |
|---|---|
| Attacker | White-box adversary with full access to the target model's weights, gradients, and internal residual stream activations during the suffix-optimization phase. |
| Victim | Safety-aligned, open-weight chat models (e.g., Llama-2-7b-chat-hf, Gemma 3 family). |
| Goal | Generate a short, universal, or prompt-specific adversarial text suffix that disables the model's safety alignment and forces harmful content generation. |
| Budget | Minimal. Can run on a single consumer-grade GPU in under 3 minutes per prompt (down from nearly 1.5 hours with standard GCG). |
Background & Related Work
This work sits at the intersection of discrete adversarial prompt optimization and representation-level safety interventions. Below is a comparison highlighting how this approach improves upon prior paradigms:
| Method | Optimization Space | Target Objective | Computational Cost | Core Limitation |
|---|---|---|---|---|
| GCG (Zou et al. 2023) | Discrete Token Space | Target sequence log likelihood | Extremely High (hours per run) | Behavior-only proxy; easily stuck in local minima; massive discretization overhead. |
| Directional Ablation (Arditi et al. 2024) | Activation Space | Direct projection removal of the refusal direction during inference | Negligible (at inference time) | Requires white-box runtime modifications; cannot be used to craft transportable, input-space exploits. |
| PEZ (Wen et al. 2023) | Continuous Discrete | Task-specific embedding projection | Moderate | High projection gap; struggles significantly under adversarial settings. |
| AutoDAN / PAIR (Liu et al. 2024; Chao et al. 2023) | Black-Box Token Space | LLM-guided mutation and refinement | High Query Volume | Relies heavily on helper models; struggles with strict non-refusal patterns. |
| Activation-Guided GCG / SGCG (This Work) | Continuous (Gumbel-Softmax) or Discrete guided by inner states | Minimized projection onto internal refusal vector | Low (33× speedup) | Requires white-box access during training (though the resulting text suffix is fully portable). |
Technical Deep-Dive
1. Extracting the Target Refusal Direction
Following the difference-in-means methodology introduced by Arditi et al. (2024), the authors construct a dataset of paired harmful and harmless instructions. They record the residual stream activations at layer and token position (typically the last instruction token, ) to compute the mean activation vector for both sets:
This vector is normalized to construct the refusal direction unit vector:
By analyzing candidate layers, the authors select the optimal layer for Llama-2-7b-chat-hf as the target layer where the safety representation is most concentrated.
2. Activation-Guided Objective Functions
Rather than optimizing the standard cross-entropy loss over output tokens, Activation-Guided GCG replaces the objective with loss terms targeting the internal hidden states of the forward pass. They evaluate five spatial and depth hypotheses:
- Single: Targets only the single most critical activation layer and position:
- Negative: Actively pushes the projection to be negative, driving the model to oppose refusal:
- Layer: Probes spatial locality across all token positions at a fixed depth ( represents token positions):
- Token: Targets depth locality at a single position across all layers:
- All (Global): Suppresses the refusal projection globally across all layers and token positions:
3. Soft-GCG: Bridging the Projection Gap
Discrete search in GCG is computationally expensive because it evaluates a large set of candidate substitutions () via forward passes at every step. Soft-GCG replaces this with continuous optimization.
To maintain differentiability while ensuring the continuous representation can converge to discrete one-hot tokens, the authors parameterize the suffix using the Gumbel-Softmax distribution. At each suffix position , they maintain a set of learnable logits . During the forward pass, a "soft" token vector is calculated as:
where are i.i.d. samples used to escape local minima, and is a temperature parameter. The input embedding for the suffix is then approximated by multiplying with the vocabulary embedding matrix :
As temperature , the soft token vectors converge to a discrete one-hot representation, minimizing the "projection gap" that typically breaks continuous prompt tuning methods like PEZ.
The authors use a 3-Phase "Slushy" Annealing Schedule to manage this transition:
- Exploration (0% - 50% steps): decays from $2.5 \to 1.0$. High entropy allows broad traversal of the embedding space.
- Refinement (50% - 75% steps): decays from $1.0 \to 0.5$. The structure begins to form while remaining flexible.
- Solidification (75% - 100% steps): decays from $0.5 \to 0.01$, forcing the continuous soft vectors to snap directly to real discrete tokens.
Algorithmic Implementation
import torch
import torch.nn.functional as F
def soft_gcg_step(model, embeddings_matrix, phi, prompt_tokens, target_tokens, temp, lr=0.1):
"""
Performs a single step of Soft-GCG optimization.
phi: Learnable suffix logits [suffix_len, vocab_size]
"""
optimizer = torch.optim.Adam([phi], lr=lr)
optimizer.zero_grad()
# 1. Sample from Gumbel noise
gumbel_noise = -torch.log(-torch.log(torch.rand_like(phi) + 1e-20) + 1e-20)
# 2. Compute soft token probabilities
soft_tokens = F.softmax((phi + gumbel_noise) / temp, dim=-1)
# 3. Project to continuous embedding space
soft_embeddings = torch.matmul(soft_tokens, embeddings_matrix) # [suffix_len, embed_dim]
# 4. Concatenate prompt, soft suffix, and target embeddings
prompt_embeds = model.embed_tokens(prompt_tokens)
target_embeds = model.embed_tokens(target_tokens)
input_embeds = torch.cat([prompt_embeds, soft_embeddings, target_embeds], dim=0)
# 5. Forward pass and compute loss (e.g., Carlini-Wagner Loss)
logits = model(inputs_embeds=input_embeds.unsqueeze(0)).logits
loss = compute_carlini_wagner_loss(logits, target_tokens)
# 6. Backward pass to update logits
loss.backward()
optimizer.step()
return loss.item()
Experimental Results
The authors systematically evaluated their approaches on Llama-2-7b-chat-hf using the AdvBench dataset and compared them against standard baseline runs.
1. Activation-Guided GCG vs. Baselines (200 Steps)
Evaluating different activation loss objectives against standard GCG reveals a massive boost in sample efficiency when targeting internal activations:
| Method | Substring ASR | LlamaGuard 4 ASR | HarmBench ASR |
|---|---|---|---|
| Baseline (No Suffix) | 0.39 | 0.00 | 0.00 |
| Directional Ablation (Upper Bound) | 0.98 | 0.54 | 0.62 |
| All (Global Act. Loss) | 0.91 | 0.09 | 0.01 |
| Single Layer/Pos Loss | 0.84 | 0.06 | 0.04 |
| Negative Projection Loss | 0.81 | 0.03 | 0.03 |
| Layer-Only Act. Loss | 0.81 | 0.03 | 0.01 |
| Token-Only Act. Loss | 0.76 | 0.00 | 0.00 |
| Standard GCG | 0.76 | 0.00 | 0.00 |
Critical Observations on Table 1:
- The Good: At 200 steps, the "All" (Global) objective achieves a 0.91 Substring ASR—outperforming standard GCG (0.76) and approaching the ablation limit of 0.98. This demonstrates that suppressing the refusal representation globally yields highly effective, sample-efficient gradients.
- The Catch: Despite the high Substring ASR (which checks for simple evasion of refusal phrases like "I cannot"), the actual HarmBench ASR for the "All" objective is 0.01 (1%), and LlamaGuard 4 is only 0.09. This shows that while the attack successfully suppresses the generation of direct refusal phrases, it often fails to steer the model into generating high-quality harmful payloads. The Single layer/position loss actually achieved a slightly higher HarmBench ASR (0.04), but still remains practically ineffective under robust evaluations.
2. Continuous Soft-GCG vs. Vanilla GCG Efficiency
The real breakthrough of the paper is the optimization speed. By bypassing discrete combinatorial search, Soft-GCG (SGCG) achieves parity in attack success while running vastly faster:
- Vanilla GCG (2000 steps): 81 minutes
- Soft-GCG (2000 steps): 2.5 minutes
- Speedup: 33× (with shorter 500-step runs reaching ~43× speedup).
3. Scaling Resistance in Gemma 3
To test how these vulnerabilities hold up to scale, the authors ran SGCG against the Gemma 3 family. The results demonstrate a brutal scaling cliff:
| Model | Parameter Scale | Substring ASR* |
|---|---|---|
| Gemma3-270m | 270M | 1.000 ± 0.000 (Model became incoherent) |
| Gemma3-1b | 1B | 0.577 ± 0.031 |
| Gemma3-4b | 4B | 0.336 ± 0.104 |
| Gemma3-12b | 12B | 0.000 ± 0.000 |
ASR marked with an asterisk for the 270m model due to output incoherence post-optimization.
This scaling behavior suggests a representational phase transition: larger models do not represent safety as a simple, low-dimensional linear subspace that can be easily suppressed via gradient optimization. Instead, safety constraints appear to be encoded in higher-rank, non-linear manifolds.
Limitations & Open Questions
- The Scaling Cliff: SGCG completely fails (0.00% ASR) on the 12B parameter Gemma 3 model. If scaling naturally distributes refusal representations beyond the reach of low-dimensional projections, representation-guided attacks may be fundamentally limited to smaller model families.
- Incoherent Suffixes: On ultra-small models (like Gemma3-270m), successful attacks often degrade the model's language capabilities entirely, leading to incoherent generations rather than useful jailbreaks.
- The Substring Metric Illusion: High Substring ASR does not equal a high-quality jailbreak. Suppressing the refusal direction stops the model from saying "I'm sorry", but it doesn't guarantee the model will successfully complete the harmful prompt. Often, the model ends up in a state of confused babble.
What Practitioners Should Do
If you are defending, auditing, or deploying LLMs, you should adapt your security posture immediately:
- Abandon Shallow Evaluation Metrics: Do not measure safety robustness using substring matching (looking for "I'm sorry" or "As an AI"). This paper proves that activation-guided attacks can easily silence these behavioral indicators while failing to secure or fully break the model. Use multi-turn, LLM-as-a-judge evaluators like LlamaGuard or HarmBench.
- Harden Internal Representations via Adversarial Training: Standard alignment is a surface-level behavioral patch. Model developers should employ adversarial training that penalizes models when their internal activations map to low-dimensional steering vectors (like known refusal directions).
- Inference-Time Activation Monitoring: Implement lightweight projection checks on the residual streams at key bottlenecks (e.g., intermediate layers like layer 14 on 7B models). If the projection of the activation onto the known refusal direction is anomalously low while handling sensitive topics, flag the generation.
- Adopt Hybrid Defenses: Combine weight-orthogonalization techniques (which project out refusal steering directions) with external input guardrails to prevent attackers from finding continuous trajectories into the model's soft embedding spaces.
The Takeaway
Activation-Guided GCG and Soft-GCG prove that behavioral alignment in small models is remarkably thin; their internal safety mechanisms are low-dimensional and incredibly vulnerable to continuous optimization. However, the complete failure of these attacks on models above 12B parameters points to a structural shift in how larger models organize safety representations, highlighting that raw model scale remains one of our best structural defenses.
Den's Take
Standard GCG has always felt like a brute-force sledgehammer—deeply impractical for real-world red teaming due to its massive computational overhead. That’s why this work excites me: Cakar et al. actually make suffix optimization practical by replacing discrete searches with Gumbel-Softmax relaxation (Soft-GCG), bringing optimization times for 2,000 steps down from 81 minutes to just 2.5 minutes.
But the real intellectual leap here is shifting the optimization target from superficial behavioral token matching (like forcing the model to output "Sure, here is") to targeting the internal residual stream's refusal direction. As I have argued previously, shallow behavioral alignment is easily bypassed because it fails to secure deeper representation layers; this paper proves that point mathematically by showing that directly minimizing activation projection onto this low-dimensional refusal vector completely bypasses safety guardrails.
However, let's keep our boots on the ground. The white-box requirement during the optimization phase means this is not an instant exploit against closed-weights APIs, even if the resulting suffixes do exhibit some transferability. Still, for local security auditing of open-weight models like Llama-2-7b-chat and Gemma 3, this drastically lowers the bar for generating highly effective exploits.