Obfuscated Activations Bypass LLM Latent-Space Defenses

This paper investigates adversarial attacks that generate obfuscated activations to evade latent-space monitoring defenses in LLMs. Within the taxonomy, it occupies the 'Obfuscated Activation Attacks' leaf under 'Adversarial Attacks on Latent-Space Defenses', where it is currently the sole paper. This positioning reflects a relatively sparse research direction focused specifically on activation obfuscation, contrasting with the more populated defense mechanisms branch (which contains multiple leaves spanning detection, steering, and adversarial training approaches). The work directly challenges the assumption that harmful behaviors leave detectable traces in hidden states.

The taxonomy reveals substantial activity in neighboring defense mechanisms. The 'Latent-Space Defense Mechanisms' branch contains three major categories: activation-based detection (including hidden state filtering and vision-language jailbreak detection), steering interventions (concept-based safety and controllable frameworks), and adversarial training methods (with four distinct leaves covering refusal robustness, calibration, feature-specific training, and bi-level optimization). The paper's attack methodology directly targets the first category, while the 'Theoretical Foundations' branch provides complementary analysis of safety-relevant subspaces and robustness measurement frameworks. Only one sibling leaf exists in the attacks branch: reasoning-style poisoning, which operates through document retrieval rather than activation manipulation.

Among thirty candidates examined, none clearly refute the three core contributions. The obfuscation attack methodology (ten candidates examined, zero refutable) appears novel in its systematic demonstration that state-of-the-art probes and OOD detectors can be evaded while maintaining high jailbreak success rates. The practical guidance for monitor deployment (ten candidates, zero refutable) and the obfuscation tax discovery (ten candidates, zero refutable) similarly show no substantial prior overlap within the limited search scope. The statistics suggest these contributions occupy relatively unexplored territory, though the modest candidate pool means the search captured top semantic matches rather than exhaustive coverage of all latent-space defense literature.

The analysis reflects a focused but limited literature search rather than comprehensive field coverage. The taxonomy structure indicates this work addresses a recognized gap—attacks specifically targeting latent monitors—in a field where defensive mechanisms have received more attention. The absence of refutable candidates across all contributions, combined with the sparse attack branch, suggests the work explores relatively fresh ground within the examined scope, though broader searches might reveal additional relevant prior work in adjacent areas like adversarial training or general jailbreak techniques.