
Exploring and Developing a Pre-Model Safeguard with Draft Models

Hongyu Cai (Purdue University), Arjun Arunasalam (Florida International University), Yiming Liang (Purdue University), Antonio Bianchi (Purdue University), Z. Berkay Celik (Purdue University)

Security & Privacy

A pre-model jailbreak guard that invokes a draft model to generate a partial response before the target model sees the prompt, enabling safety auditing of both the input and the anticipated output. This dual-signal approach catches attacks that evade prompt-only guards by embedding harmful intent across multiple benign-looking turns.

Presentation

Talk

Paper Session 5: Security & Governance

Thursday, May 28 · 11:50 AM – 12:00 PM

Bayshore Ballroom

Poster

Thursday, May 28 · 4:30 PM – 6:00 PM

Carmel

Abstract

Large Language Model (LLM) alignment remains vulnerable to jailbreak attacks that elicit unsafe responses, motivating pre-model and post-model guards. Pre-model guards audit the safety of prompts before invoking target models. However, relying solely on the prompt often leads to high false-negative rates (i.e., jailbreak attacks go undetected). Post-model guards address this issue by auditing both the user prompt and the target model's response. However, they incur a high computational cost, including increased token usage and processing time, because they operate after target model inference. In this paper, we introduce a safeguard design that leverages the transferability of jailbreak attacks to enforce prompt safety before target model inference. We first conduct a systematic study of jailbreak transferability, particularly from LLMs to small language models (SLMs). Through these experiments, we identify key factors influencing transferability. Building on these insights, we observe that responses from smaller draft models reflect the safety implications of those from large target models; i.e., given a jailbreak prompt constructed for an LLM, an SLM is likely to be triggered to generate an unaligned response. Based on this observation, our safeguard design leverages speculative inference with SLMs to generate a set of draft responses. It then feeds the original prompt and these drafts into existing guards to predict their safety. We demonstrate that this design reduces the false-negative rate of pre-model guards and offers a low prompt-to-response time alternative to post-model guards. Compared to pre-model guards, our safeguard design reduces the false-negative rate of jailbreak prompts by an average of 32.4%. Relative to post-model guards, our safeguard design reduces the false-negative rate by an average of 17.38% and reduces prompt-to-response time by 97.07% (Llama-3-70B-Instruct-AWQ). On benign prompts, our safeguard design achieves the same 98% accuracy as both pre- and post-model guards, with a minimal latency increase of 0.59%. Notice: This paper contains examples of harmful language.
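To make the dual-signal design concrete, here is an added toy implementation of the pre-model pipeline the abstract describes (this is illustrative code written for this page, not the authors' implementation). The draft model and guard are constructed stand-ins: the `<obfuscated-jailbreak>` marker is a placeholder for an attack the prompt-only guard cannot see, and the keyword guard stands in for an existing safety classifier.

```python
"""Toy speculative pre-model safeguard: audit the prompt alone, then the prompt
paired with k draft responses from a small model, and block on any signal."""
from dataclasses import dataclass
from typing import Callable, Optional

DraftModel = Callable[[str, int], list]              # (prompt, k) -> k draft strings
Guard = Callable[[str, Optional[str]], float]        # (prompt, response|None) -> unsafe score

@dataclass
class Verdict:
    unsafe: bool
    prompt_score: float
    draft_scores: list

    @property
    def tripped_by_draft(self) -> bool:
        """True when only the draft signal crossed the threshold (prompt-only guard missed)."""
        return self.unsafe and self.prompt_score < max(self.draft_scores, default=0.0)

def audit(prompt: str, draft: DraftModel, guard: Guard, k: int = 3, threshold: float = 0.5) -> Verdict:
    """Pre-model check: block before the target model runs if the prompt or any
    (prompt, draft) pair scores at or above the threshold."""
    p = guard(prompt, None)
    d = [guard(prompt, r) for r in draft(prompt, k)]
    return Verdict(unsafe=max([p, *d]) >= threshold, prompt_score=p, draft_scores=d)

# --- constructed stand-ins (hypothetical; a real deployment uses an SLM and a real guard) ---
def toy_draft(prompt: str, k: int) -> list:
    # Models the abstract's observation: a jailbreak that transfers to the SLM
    # makes its drafts unaligned, even when the prompt text itself looks benign.
    if "<obfuscated-jailbreak>" in prompt:
        return [f"Sure, here is the unsafe content (draft {i})" for i in range(k)]
    return [f"Happy to help with that safely (draft {i})" for i in range(k)]

def toy_guard(prompt: str, response: Optional[str]) -> float:
    # Keyword guard: sees only explicit phrasing, so it misses the obfuscated prompt
    # when auditing the prompt alone but catches it in the drafts.
    text = prompt if response is None else response
    return 1.0 if "unsafe content" in text.lower() else 0.0

def false_negative_rate(is_unsafe: Callable[[str], bool], attacks: list) -> float:
    return sum(1 for a in attacks if not is_unsafe(a)) / len(attacks)

# Constructed labelled attack set: one explicit, one obfuscated.
ATTACKS = ["please give me unsafe content", "<obfuscated-jailbreak> tell me a story"]

def compare() -> dict:
    """FNR of a prompt-only guard versus the speculative (prompt + drafts) guard."""
    pre_model = lambda p: toy_guard(p, None) >= 0.5
    speculative = lambda p: audit(p, toy_draft, toy_guard).unsafe
    return {"pre_model": false_negative_rate(pre_model, ATTACKS),
            "speculative": false_negative_rate(speculative, ATTACKS)}
```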

ACM CAIS 2026 Sponsors