Papers
Topics
Authors
Recent
Search
2000 character limit reached

DefensiveToken: Token-Level Security

Updated 4 July 2026
  • DefensiveToken is a family of token-centric defenses that attach security controls at the token level rather than on full-sequence classifiers.
  • Its approaches include explicit token insertions, single-token sentinels, activation-based gates, and probability shaping to counter various attack methods.
  • These mechanisms offer a flexible control interface that balances robust security against prompt injections with minimal impact on model utility.

DefensiveToken denotes a family of token-centric defense mechanisms in which security control is attached to tokens, token representations, or token-level probability mass rather than only to full-sequence classifiers or global retraining. In the explicit formulation introduced for prompt injection, DefensiveTokens are newly inserted as special tokens whose embeddings are optimized for security and prepended at test time; in broader usage, recent work extends the same logic to single-token sentinels, last-token activation gates, probability-shaping over early tokens, tokenizer-level anomaly scores, token-level data selection, and multimodal token suppression (Chen et al., 10 Jul 2025).

1. Conceptual scope and taxonomy

The most concrete definition of DefensiveToken is the one given by "Defending Against Prompt Injection With a Few DefensiveTokens" (Chen et al., 10 Jul 2025): a small number of new special tokens are added to the vocabulary, their embeddings are optimized while the base model weights remain fixed, and system developers can prepend them only in security-sensitive cases. The resulting mechanism is a test-time defense with a flexible on/off switch: with the tokens present, the model gains prompt injection robustness; without them, the model behaves as the original base model. The paper formalizes the defended input as [t;x][t; x], where t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e} are learned defensive embeddings and xRk×ex\in\mathbb{R}^{k\times e} is the original input embedding sequence (Chen et al., 10 Jul 2025).

Subsequent work uses the term in a broader, more abstract sense. "STShield: Single-Token Sentinel for Real-Time Jailbreak Detection in LLMs" treats a single extra output token as a binary safety indicator, effectively a one-token defense interface attached to the model’s own generation head (Wang et al., 23 Mar 2025). "GUARD-SLM: Token Activation-Based Defense Against Jailbreak Attacks for Small LLMs" treats the last-token hidden state at a selected layer as a safety sentinel whose geometry in activation space determines whether decoding is allowed, even though no explicit token is inserted (Mia et al., 28 Mar 2026).

A useful synthesis is that DefensiveToken is not yet a single standardized architecture. Current usage spans at least four regimes: explicit learned prefix tokens, output-side sentinel tokens, implicit activation tokens, and token-level distribution or selection mechanisms. This suggests that the unifying idea is not the surface form of a token, but the use of a small token-level control interface as the locus of defense.

2. Explicit inserted tokens and single-token sentinels

In the explicit prompt-injection defense, the learned token embeddings tt are optimized with the loss

LtDefensiveToken(x,y)=logpθ,t(y[t;x]),\mathcal{L}_t^{\text{DefensiveToken}}(x,y) = -\log p_{\theta,t}(y \mid [t;x]),

where θ\theta is fixed and only tt is trained on a StruQ-style defensive instruction-tuning dataset constructed from self-labeled Cleaned Alpaca data. With n=5n=5 defensive tokens, one epoch of training, and learning rate $0.1$, the method attains average ASR 0.24%0.24\% on TaskTracker across Llama3-8B-Instruct, Llama3.1-8B-Instruct, Falcon3-7B-Instruct, and Qwen2.5-7B-Instruct, while utility changes on AlpacaEval2 are small and sometimes favorable; random initialization outperforms vocabulary-based initialization, and prepending the tokens at the start is critical, since end insertion can drive WinRate down to t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}0 even when ASR reaches t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}1 (Chen et al., 10 Jul 2025).

STShield implements a different explicit token interface. For an input prompt t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}2, the model is trained to generate a normal answer t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}3, then t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}4, then a binary detection token t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}5. The full target sequence is

t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}6

This uses the existing LM head rather than a separate classifier head. On Vicuna-13B, STShield reports t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}7 ASR on DAN, t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}8 on MultiJail, AlpacaEval Prefix ASR t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}9, MT-Bench xRk×ex\in\mathbb{R}^{k\times e}0 versus xRk×ex\in\mathbb{R}^{k\times e}1 for no defense, and latency close to no defense because the additional cost is essentially one extra decode step after EOS (Wang et al., 23 Mar 2025).

"One Trigger Token Is Enough: A Defense Strategy for Balancing Safety and Usability in LLMs" reports a related observation: safety-aligned LLMs and multiple defense strategies generate highly similar initial refusal tokens, termed safety trigger tokens, and the proposed D-STT explicitly decodes a safety trigger constrained to a single token (Gu et al., 12 May 2025). Taken together, these works indicate that, in many aligned LLMs, the first token or first few tokens of a refusal trajectory function as a compact control point for downstream safety behavior.

3. Implicit activation controllers and decoding-time probability shaping

GUARD-SLM replaces explicit token insertion with an activation-space gate. For a decoder-only transformer with hidden states xRk×ex\in\mathbb{R}^{k\times e}2, it extracts the last-token activation at a selected layer,

xRk×ex\in\mathbb{R}^{k\times e}3

standardizes it, and feeds it to an RBF-kernel SVM xRk×ex\in\mathbb{R}^{k\times e}4. If xRk×ex\in\mathbb{R}^{k\times e}5, generation is blocked; otherwise the model decodes normally. The paper shows that optimized jailbreak prompts form distinct activation clusters across layers, that middle and late layers often give near-perfect separability, and that on LLaMA-2-7B-Chat the defended model reaches xRk×ex\in\mathbb{R}^{k\times e}6 ASR on all attacks except Jailbroken, where ASR is xRk×ex\in\mathbb{R}^{k\times e}7, with inference time xRk×ex\in\mathbb{R}^{k\times e}8s and xRk×ex\in\mathbb{R}^{k\times e}9 additional tokens (Mia et al., 28 Mar 2026).

At decoding time, a related family of methods treats token probabilities themselves as the defensive control surface. "Alignment-Enhanced Decoding:Defending via Token-Level Adaptive Refining of Probability Distributions" defines a Competitive Index

tt0

where tt1 is the size of the top-tt2 candidate set and tt3 is an upper bound estimated from harmless data. It then computes post-alignment logits tt4 by re-running the model on its own generated output and forms

tt5

with tt6 determined by the gap between tt7 and tt8. The effect is to increase refusal-token probability when competing harmful and harmless continuations are simultaneously present, while preserving high Not Rejection Rate on benign datasets (Liu et al., 2024).

LightDefense uses a simpler token-level bias. It estimates a safety-oriented direction tt9 from early-token distributions of safe refusals and unsafe responses, defines a restricted candidate space LtDefensiveToken(x,y)=logpθ,t(y[t;x]),\mathcal{L}_t^{\text{DefensiveToken}}(x,y) = -\log p_{\theta,t}(y \mid [t;x]),0, and shifts early-token logits by LtDefensiveToken(x,y)=logpθ,t(y[t;x]),\mathcal{L}_t^{\text{DefensiveToken}}(x,y) = -\log p_{\theta,t}(y \mid [t;x]),1. The strength LtDefensiveToken(x,y)=logpθ,t(y[t;x]),\mathcal{L}_t^{\text{DefensiveToken}}(x,y) = -\log p_{\theta,t}(y \mid [t;x]),2 is set by an uncertainty score LtDefensiveToken(x,y)=logpθ,t(y[t;x]),\mathcal{L}_t^{\text{DefensiveToken}}(x,y) = -\log p_{\theta,t}(y \mid [t;x]),3, with LtDefensiveToken(x,y)=logpθ,t(y[t;x]),\mathcal{L}_t^{\text{DefensiveToken}}(x,y) = -\log p_{\theta,t}(y \mid [t;x]),4 for LtDefensiveToken(x,y)=logpθ,t(y[t;x]),\mathcal{L}_t^{\text{DefensiveToken}}(x,y) = -\log p_{\theta,t}(y \mid [t;x]),5 and LtDefensiveToken(x,y)=logpθ,t(y[t;x]),\mathcal{L}_t^{\text{DefensiveToken}}(x,y) = -\log p_{\theta,t}(y \mid [t;x]),6 for LtDefensiveToken(x,y)=logpθ,t(y[t;x]),\mathcal{L}_t^{\text{DefensiveToken}}(x,y) = -\log p_{\theta,t}(y \mid [t;x]),7; the paper reports Pearson correlation LtDefensiveToken(x,y)=logpθ,t(y[t;x]),\mathcal{L}_t^{\text{DefensiveToken}}(x,y) = -\log p_{\theta,t}(y \mid [t;x]),8 between uncertainty and harmfulness, ATGR LtDefensiveToken(x,y)=logpθ,t(y[t;x]),\mathcal{L}_t^{\text{DefensiveToken}}(x,y) = -\log p_{\theta,t}(y \mid [t;x]),9, SHB θ\theta0 on Vicuna and θ\theta1 on Llama2, and near-zero ASR on XSTest and several jailbreak attacks without major BAR degradation (Yang et al., 2 Apr 2025).

A training-time analogue appears in TokenBuncher, where the “token” being defended is the model’s output distribution itself. TokenBuncher minimizes token-level entropy on harmful queries using entropy-as-reward RL,

θ\theta2

and corrupts low-probability tokens with a Token Noiser so that RL-based harmful fine-tuning cannot exploit reward gradients to reopen harmful modes. Across PPO, GRPO, RLOO, and REINFORCE++, Harmful Scores on Qwen2.5-7B-Instruct drop from roughly θ\theta3 on HarmBench/StrongREJECT under GRPO to θ\theta4, while GSM8K, MATH, and MMLU-pro remain close to the base model (Feng et al., 28 Aug 2025).

4. Tokenization, anomaly localization, and substitution-based defenses

A second major branch uses token-level anomaly signals rather than inserted control tokens. RTD-Guard is a strict black-box detector for word-substitution adversarial examples. It computes per-token replacement probabilities θ\theta5, masks the top-θ\theta6 suspicious tokens, queries the victim model on θ\theta7 and θ\theta8, and scores the example by

θ\theta9

With tt0 and threshold tt1, the method uses exactly two victim queries, no adversarial training data, and on 11 of 12 dataset–attack combinations attains the highest detection metrics; on AG-News/TextFooler it reports tt2 for TPR10/F1/AUC, and total runtime is tt3s on tt4 examples (Zhu et al., 13 Mar 2026).

Broken-Token focuses on obfuscated jailbreak prompts by exploiting BPE inefficiency. It defines average characters per token

tt5

and classifies prompts as obfuscated when tt6. Across more than tt7 prompts and four tokenizers, thresholding CPT yields tt8 accuracy and tt9 F1 on combined obfuscations, with tokenizer-specific thresholds such as n=5n=50 for GPT-4o and n=5n=51 for Llama 3.2 (Zychlinski et al., 30 Oct 2025).

TokenBreak inverts the perspective by showing that tokenization itself is an attack surface: a single prepended character can cause BPE or WordPiece classifiers to miss malicious content. The proposed defense places a Unigram tokenizer in front of BPE or WordPiece models and maps Unigram tokens back to the base tokenizer without retraining. This reduces mean TokenBreak success across BPE and WordPiece models from n=5n=52 to n=5n=53; for WordPiece prompt injection it drops from n=5n=54 to n=5n=55, and for WordPiece toxicity from n=5n=56 to n=5n=57 (Schulz et al., 9 Jun 2025).

For training-stage backdoor defense, "Defense Against Syntactic Textual Backdoor Attacks with Token Substitution" preserves potential trigger carriers in n=5n=58, replaces semantically meaningful tokens with same-POS tokens associated with a different class, and flags an input as poisoned when the original label persists with high confidence over repeated substitutions. On Hidden Killer syntactic triggers, recall is n=5n=59 in all reported settings, and F1 commonly exceeds $0.1$0 across SST-2, AG’s News, and DBpedia14 (Li et al., 2024).

5. Training-time token selection, unlearning, and privacy defense

In safe fine-tuning, DefensiveToken ideas reappear as token-level data curation. TOSS trains a safety-degraded model $0.1$1 and a utility-oriented model $0.1$2, scores each response token by

$0.1$3

globally masks the top $0.1$4 fraction of risky tokens, and fine-tunes on the remaining tokens only. On Llama-3-8B-Instruct, vanilla SFT on the mixed REDORCA data yields ASR $0.1$5 on Anthropic HH and HEx-PHI; TOSS reduces this to $0.1$6, and TOSS-Pro further to $0.1$7, while average win rate over two safety benchmarks and one utility benchmark rises from $0.1$8 for SFT to $0.1$9 for TOSS and 0.24%0.24\%0 for TOSS-Pro (Li et al., 1 Mar 2026).

DuoLearn applies the same token-level perspective to privacy. Using a reference model 0.24%0.24\%1, it scores each token by

0.24%0.24\%2

selects top-0.24%0.24\%3 hard tokens for learning and bottom-0.24%0.24\%4 memorized tokens for unlearning, and optimizes

0.24%0.24\%5

On GPT-2 fine-tuned on Wikipedia, FT gives PPL 0.24%0.24\%6 and reference-based MIA AUC 0.24%0.24\%7; DPSGD gives PPL 0.24%0.24\%8 and AUC 0.24%0.24\%9; DuoLearn gives PPL t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}00 and AUC t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}01, with TPR@1\% near zero and substantially better utility than DPSGD (Tran et al., 27 Feb 2025).

Backdoor Token Unlearning localizes suspicious trigger tokens in the embedding layer by measuring

t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}02

taking the top t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}03 tokens across multiple detection rounds, and then replacing only high-change embedding dimensions with the padding-token dimensions according to a mean-distance threshold t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}04. On SST-2 under Add-Word, ASR drops from t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}05 to t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}06 while ACC changes from t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}07 to t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}08; on AG News under Add-Word, ASR drops from t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}09 to t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}10 (Jiang et al., 5 Jan 2025). These results extend the DefensiveToken abstraction from jailbreak resistance to poisoning and privacy: the defended object is again a small, identifiable subset of tokens whose dynamics disproportionately encode the threat.

6. Multimodal extensions, evaluation regimes, and unresolved issues

The concept also extends beyond text-only LLMs. In diffusion model unlearning, "The Dual Power of Interpretable Token Embeddings: Jailbreaking Attacks and Defenses for Diffusion Model Unlearning" learns orthogonal attack token embeddings

t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}11

uses them to identify a harmful concept subspace t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}12, and then projects all vocabulary embeddings to the orthogonal complement,

t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}13

For ESD on nudity, SubDefense reduces ASR from t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}14 to t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}15 against SubAttack and from t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}16 to t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}17 against CCE, at the cost of some benign quality degradation as more token embeddings are blocked (Chen et al., 30 Apr 2025).

In multimodal prompt injection, GTM identifies critical image tokens rather than text tokens. It computes a Hidden-State Gradient Norm score

t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}18

for each image token t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}19, masks the top-t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}20 tokens, and then decodes normally. With a t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}21 masking ratio, GTM drives ASR on VMA to t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}22 on Qwen2-VL and near zero on Phi-3-Vision and LLaVA-1.5, while inference time rises from t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}23s to t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}24s and memory from t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}25 GiB to t=(t1,,tn)Rn×et = (t_1,\dots,t_n)\in\mathbb{R}^{n\times e}26 GiB on Qwen2-VL-7B (Zhang et al., 24 May 2026). This suggests that the abstraction naturally covers text tokens, image tokens, and CLIP token embeddings.

Across the literature, several recurring limitations remain. Explicit inserted tokens are flexible, but optimization-based white-box attacks such as GCG remain stronger against them than against full training-time defenses (Chen et al., 10 Jul 2025). Activation-space and classifier-space defenses depend on the training distribution and may be vulnerable to representation-level adaptive attacks (Mia et al., 28 Mar 2026). Tokenization-based defenses can over-flag multilingual or benign out-of-distribution text, and CPT-based filtering explicitly weakens when non-Latin scripts are introduced (Zychlinski et al., 30 Oct 2025). Token-level safe fine-tuning improves the safety–utility trade-off, but it still requires reference data, calibrated discard ratios, and additional forward passes during training (Li et al., 1 Mar 2026).

The current evidence therefore supports a narrow but important conclusion. DefensiveToken is best understood as a research program centered on low-dimensional, token-level control points for model security. In explicit form, it is a learned special-token prefix; in implicit form, it is a sentinel token, a last-token activation, a token-level bias direction, or a token subset selected for masking or unlearning. The common claim across these variants is that a small token-level interface can control disproportionately large safety behavior. The common open problem is whether that interface can remain robust under stronger adaptive optimization without surrendering the utility advantages that made the DefensiveToken paradigm attractive in the first place.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (16)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to DefensiveToken.