DefensiveToken: Token-Level Security
- DefensiveToken is a family of token-centric defenses that attach security controls at the token level rather than on full-sequence classifiers.
- Its approaches include explicit token insertions, single-token sentinels, activation-based gates, and probability shaping to counter various attack methods.
- These mechanisms offer a flexible control interface that balances robust security against prompt injections with minimal impact on model utility.
DefensiveToken denotes a family of token-centric defense mechanisms in which security control is attached to tokens, token representations, or token-level probability mass rather than only to full-sequence classifiers or global retraining. In the explicit formulation introduced for prompt injection, DefensiveTokens are newly inserted as special tokens whose embeddings are optimized for security and prepended at test time; in broader usage, recent work extends the same logic to single-token sentinels, last-token activation gates, probability-shaping over early tokens, tokenizer-level anomaly scores, token-level data selection, and multimodal token suppression (Chen et al., 10 Jul 2025).
1. Conceptual scope and taxonomy
The most concrete definition of DefensiveToken is the one given by "Defending Against Prompt Injection With a Few DefensiveTokens" (Chen et al., 10 Jul 2025): a small number of new special tokens are added to the vocabulary, their embeddings are optimized while the base model weights remain fixed, and system developers can prepend them only in security-sensitive cases. The resulting mechanism is a test-time defense with a flexible on/off switch: with the tokens present, the model gains prompt injection robustness; without them, the model behaves as the original base model. The paper formalizes the defended input as , where are learned defensive embeddings and is the original input embedding sequence (Chen et al., 10 Jul 2025).
Subsequent work uses the term in a broader, more abstract sense. "STShield: Single-Token Sentinel for Real-Time Jailbreak Detection in LLMs" treats a single extra output token as a binary safety indicator, effectively a one-token defense interface attached to the model’s own generation head (Wang et al., 23 Mar 2025). "GUARD-SLM: Token Activation-Based Defense Against Jailbreak Attacks for Small LLMs" treats the last-token hidden state at a selected layer as a safety sentinel whose geometry in activation space determines whether decoding is allowed, even though no explicit token is inserted (Mia et al., 28 Mar 2026).
A useful synthesis is that DefensiveToken is not yet a single standardized architecture. Current usage spans at least four regimes: explicit learned prefix tokens, output-side sentinel tokens, implicit activation tokens, and token-level distribution or selection mechanisms. This suggests that the unifying idea is not the surface form of a token, but the use of a small token-level control interface as the locus of defense.
2. Explicit inserted tokens and single-token sentinels
In the explicit prompt-injection defense, the learned token embeddings are optimized with the loss
where is fixed and only is trained on a StruQ-style defensive instruction-tuning dataset constructed from self-labeled Cleaned Alpaca data. With defensive tokens, one epoch of training, and learning rate $0.1$, the method attains average ASR on TaskTracker across Llama3-8B-Instruct, Llama3.1-8B-Instruct, Falcon3-7B-Instruct, and Qwen2.5-7B-Instruct, while utility changes on AlpacaEval2 are small and sometimes favorable; random initialization outperforms vocabulary-based initialization, and prepending the tokens at the start is critical, since end insertion can drive WinRate down to 0 even when ASR reaches 1 (Chen et al., 10 Jul 2025).
STShield implements a different explicit token interface. For an input prompt 2, the model is trained to generate a normal answer 3, then 4, then a binary detection token 5. The full target sequence is
6
This uses the existing LM head rather than a separate classifier head. On Vicuna-13B, STShield reports 7 ASR on DAN, 8 on MultiJail, AlpacaEval Prefix ASR 9, MT-Bench 0 versus 1 for no defense, and latency close to no defense because the additional cost is essentially one extra decode step after EOS (Wang et al., 23 Mar 2025).
"One Trigger Token Is Enough: A Defense Strategy for Balancing Safety and Usability in LLMs" reports a related observation: safety-aligned LLMs and multiple defense strategies generate highly similar initial refusal tokens, termed safety trigger tokens, and the proposed D-STT explicitly decodes a safety trigger constrained to a single token (Gu et al., 12 May 2025). Taken together, these works indicate that, in many aligned LLMs, the first token or first few tokens of a refusal trajectory function as a compact control point for downstream safety behavior.
3. Implicit activation controllers and decoding-time probability shaping
GUARD-SLM replaces explicit token insertion with an activation-space gate. For a decoder-only transformer with hidden states 2, it extracts the last-token activation at a selected layer,
3
standardizes it, and feeds it to an RBF-kernel SVM 4. If 5, generation is blocked; otherwise the model decodes normally. The paper shows that optimized jailbreak prompts form distinct activation clusters across layers, that middle and late layers often give near-perfect separability, and that on LLaMA-2-7B-Chat the defended model reaches 6 ASR on all attacks except Jailbroken, where ASR is 7, with inference time 8s and 9 additional tokens (Mia et al., 28 Mar 2026).
At decoding time, a related family of methods treats token probabilities themselves as the defensive control surface. "Alignment-Enhanced Decoding:Defending via Token-Level Adaptive Refining of Probability Distributions" defines a Competitive Index
0
where 1 is the size of the top-2 candidate set and 3 is an upper bound estimated from harmless data. It then computes post-alignment logits 4 by re-running the model on its own generated output and forms
5
with 6 determined by the gap between 7 and 8. The effect is to increase refusal-token probability when competing harmful and harmless continuations are simultaneously present, while preserving high Not Rejection Rate on benign datasets (Liu et al., 2024).
LightDefense uses a simpler token-level bias. It estimates a safety-oriented direction 9 from early-token distributions of safe refusals and unsafe responses, defines a restricted candidate space 0, and shifts early-token logits by 1. The strength 2 is set by an uncertainty score 3, with 4 for 5 and 6 for 7; the paper reports Pearson correlation 8 between uncertainty and harmfulness, ATGR 9, SHB 0 on Vicuna and 1 on Llama2, and near-zero ASR on XSTest and several jailbreak attacks without major BAR degradation (Yang et al., 2 Apr 2025).
A training-time analogue appears in TokenBuncher, where the “token” being defended is the model’s output distribution itself. TokenBuncher minimizes token-level entropy on harmful queries using entropy-as-reward RL,
2
and corrupts low-probability tokens with a Token Noiser so that RL-based harmful fine-tuning cannot exploit reward gradients to reopen harmful modes. Across PPO, GRPO, RLOO, and REINFORCE++, Harmful Scores on Qwen2.5-7B-Instruct drop from roughly 3 on HarmBench/StrongREJECT under GRPO to 4, while GSM8K, MATH, and MMLU-pro remain close to the base model (Feng et al., 28 Aug 2025).
4. Tokenization, anomaly localization, and substitution-based defenses
A second major branch uses token-level anomaly signals rather than inserted control tokens. RTD-Guard is a strict black-box detector for word-substitution adversarial examples. It computes per-token replacement probabilities 5, masks the top-6 suspicious tokens, queries the victim model on 7 and 8, and scores the example by
9
With 0 and threshold 1, the method uses exactly two victim queries, no adversarial training data, and on 11 of 12 dataset–attack combinations attains the highest detection metrics; on AG-News/TextFooler it reports 2 for TPR10/F1/AUC, and total runtime is 3s on 4 examples (Zhu et al., 13 Mar 2026).
Broken-Token focuses on obfuscated jailbreak prompts by exploiting BPE inefficiency. It defines average characters per token
5
and classifies prompts as obfuscated when 6. Across more than 7 prompts and four tokenizers, thresholding CPT yields 8 accuracy and 9 F1 on combined obfuscations, with tokenizer-specific thresholds such as 0 for GPT-4o and 1 for Llama 3.2 (Zychlinski et al., 30 Oct 2025).
TokenBreak inverts the perspective by showing that tokenization itself is an attack surface: a single prepended character can cause BPE or WordPiece classifiers to miss malicious content. The proposed defense places a Unigram tokenizer in front of BPE or WordPiece models and maps Unigram tokens back to the base tokenizer without retraining. This reduces mean TokenBreak success across BPE and WordPiece models from 2 to 3; for WordPiece prompt injection it drops from 4 to 5, and for WordPiece toxicity from 6 to 7 (Schulz et al., 9 Jun 2025).
For training-stage backdoor defense, "Defense Against Syntactic Textual Backdoor Attacks with Token Substitution" preserves potential trigger carriers in 8, replaces semantically meaningful tokens with same-POS tokens associated with a different class, and flags an input as poisoned when the original label persists with high confidence over repeated substitutions. On Hidden Killer syntactic triggers, recall is 9 in all reported settings, and F1 commonly exceeds $0.1$0 across SST-2, AG’s News, and DBpedia14 (Li et al., 2024).
5. Training-time token selection, unlearning, and privacy defense
In safe fine-tuning, DefensiveToken ideas reappear as token-level data curation. TOSS trains a safety-degraded model $0.1$1 and a utility-oriented model $0.1$2, scores each response token by
$0.1$3
globally masks the top $0.1$4 fraction of risky tokens, and fine-tunes on the remaining tokens only. On Llama-3-8B-Instruct, vanilla SFT on the mixed REDORCA data yields ASR $0.1$5 on Anthropic HH and HEx-PHI; TOSS reduces this to $0.1$6, and TOSS-Pro further to $0.1$7, while average win rate over two safety benchmarks and one utility benchmark rises from $0.1$8 for SFT to $0.1$9 for TOSS and 0 for TOSS-Pro (Li et al., 1 Mar 2026).
DuoLearn applies the same token-level perspective to privacy. Using a reference model 1, it scores each token by
2
selects top-3 hard tokens for learning and bottom-4 memorized tokens for unlearning, and optimizes
5
On GPT-2 fine-tuned on Wikipedia, FT gives PPL 6 and reference-based MIA AUC 7; DPSGD gives PPL 8 and AUC 9; DuoLearn gives PPL 00 and AUC 01, with TPR@1\% near zero and substantially better utility than DPSGD (Tran et al., 27 Feb 2025).
Backdoor Token Unlearning localizes suspicious trigger tokens in the embedding layer by measuring
02
taking the top 03 tokens across multiple detection rounds, and then replacing only high-change embedding dimensions with the padding-token dimensions according to a mean-distance threshold 04. On SST-2 under Add-Word, ASR drops from 05 to 06 while ACC changes from 07 to 08; on AG News under Add-Word, ASR drops from 09 to 10 (Jiang et al., 5 Jan 2025). These results extend the DefensiveToken abstraction from jailbreak resistance to poisoning and privacy: the defended object is again a small, identifiable subset of tokens whose dynamics disproportionately encode the threat.
6. Multimodal extensions, evaluation regimes, and unresolved issues
The concept also extends beyond text-only LLMs. In diffusion model unlearning, "The Dual Power of Interpretable Token Embeddings: Jailbreaking Attacks and Defenses for Diffusion Model Unlearning" learns orthogonal attack token embeddings
11
uses them to identify a harmful concept subspace 12, and then projects all vocabulary embeddings to the orthogonal complement,
13
For ESD on nudity, SubDefense reduces ASR from 14 to 15 against SubAttack and from 16 to 17 against CCE, at the cost of some benign quality degradation as more token embeddings are blocked (Chen et al., 30 Apr 2025).
In multimodal prompt injection, GTM identifies critical image tokens rather than text tokens. It computes a Hidden-State Gradient Norm score
18
for each image token 19, masks the top-20 tokens, and then decodes normally. With a 21 masking ratio, GTM drives ASR on VMA to 22 on Qwen2-VL and near zero on Phi-3-Vision and LLaVA-1.5, while inference time rises from 23s to 24s and memory from 25 GiB to 26 GiB on Qwen2-VL-7B (Zhang et al., 24 May 2026). This suggests that the abstraction naturally covers text tokens, image tokens, and CLIP token embeddings.
Across the literature, several recurring limitations remain. Explicit inserted tokens are flexible, but optimization-based white-box attacks such as GCG remain stronger against them than against full training-time defenses (Chen et al., 10 Jul 2025). Activation-space and classifier-space defenses depend on the training distribution and may be vulnerable to representation-level adaptive attacks (Mia et al., 28 Mar 2026). Tokenization-based defenses can over-flag multilingual or benign out-of-distribution text, and CPT-based filtering explicitly weakens when non-Latin scripts are introduced (Zychlinski et al., 30 Oct 2025). Token-level safe fine-tuning improves the safety–utility trade-off, but it still requires reference data, calibrated discard ratios, and additional forward passes during training (Li et al., 1 Mar 2026).
The current evidence therefore supports a narrow but important conclusion. DefensiveToken is best understood as a research program centered on low-dimensional, token-level control points for model security. In explicit form, it is a learned special-token prefix; in implicit form, it is a sentinel token, a last-token activation, a token-level bias direction, or a token subset selected for masking or unlearning. The common claim across these variants is that a small token-level interface can control disproportionately large safety behavior. The common open problem is whether that interface can remain robust under stronger adaptive optimization without surrendering the utility advantages that made the DefensiveToken paradigm attractive in the first place.