Modern large language models (LLMs) are typically secured by auditing data, prompts, and refusal policies, while treating the forward pass as an implementation detail. We show that intermediate activations in decoder-only LLMs form a vulnerable attack surface for behavioral control. Building on recent findings on attention sinks and compression valleys, we identify a high-gain region in the residual stream where small, well-aligned perturbations are causally amplified along the autoregressive trajectory--a Causal Amplification Effect (CAE). We exploit this as an attack surface via Sensitivity-Scaled Steering (SSS), a progressive activation-level attack that combines beginning-of-sequence (BOS) anchoring with sensitivity-based reinforcement to focus a limited perturbation budget on the most vulnerable layers and tokens. We show that across multiple open-weight models and four behavioral axes, SSS induces large shifts in evil, hallucination, sycophancy, and sentiment while preserving high coherence and general capabilities, turning activation steering into a concrete security concern for white-box and supply-chain LLM deployments.
翻译:现代大型语言模型(LLMs)通常通过审计数据、提示词和拒绝策略来保障安全,而将前向传播过程视为实现细节。我们发现,仅解码器架构的LLMs中的中间激活状态构成了行为控制的一个脆弱攻击面。基于近期关于注意力汇聚点和压缩谷的研究,我们在残差流中识别出一个高增益区域,其中微小且对齐良好的扰动会沿着自回归轨迹被因果放大——即因果放大效应(CAE)。我们通过敏感度缩放引导(SSS)将其转化为攻击面:这是一种渐进式激活层攻击方法,结合序列起始(BOS)锚定与基于敏感度的强化机制,将有限的扰动资源集中作用于最脆弱的层和词元上。实验表明,在多个开源权重模型及四个行为维度(恶意性、幻觉、谄媚性、情感倾向)上,SSS能引发显著的行为偏移,同时保持高度连贯性和通用能力,从而使激活引导成为白盒及供应链LLM部署中切实的安全威胁。
相关内容
微信扫码咨询专知VIP会员