增强越狱攻击与防御的因果视角

Large Language Models (LLMs) face significant security challenges from jailbreak attacks, which aim to bypass safety alignments and induce harmful content generation. Existing defense mechanisms often rely on heuristics or specific attack patterns, lacking a deep understanding of the underlying mechanisms of jailbreak attacks. This paper presents the first systematic analysis of jailbreak attacks from a causal perspective. We propose a causal graph model to characterize the relationships among LLMs, prompts, jailbreak behaviors, and harmful outputs. By identifying and intervening on key causal paths, we reveal that the core of successful jailbreak attacks lies in manipulating the LLM's internal states through specific prompts, thereby circumventing safety constraints. Based on this causal insight, we develop two novel strategies: Causal Jailbreak Attack (CJA) and Causal Jailbreak Defense (CJD). CJA significantly enhances jailbreak success rates by identifying and activating causal paths leading to harmful outputs, outperforming existing state-of-the-art attacks. Conversely, CJD effectively strengthens model defenses by blocking or modifying these critical paths. Experimental results demonstrate that our causal approach not only provides profound insights into jailbreak mechanisms but also exhibits superior attack and defense performance in practical applications. This work opens new directions for future LLM security research, emphasizing the importance of causal reasoning in building more robust and secure AI systems.