Papers
Topics
Authors
Recent
Search
2000 character limit reached

LLMSymGuard: Symbolic Guardrail for LLM Safety

Updated 9 July 2026
  • The paper introduces LLMSymGuard, a novel framework that uses sparse autoencoders and mechanistic interpretability to extract human-interpretable jailbreak concepts without modifying the base model.
  • It employs detailed statistical measures and clustering to differentiate rich latent features, mapping them to specific jailbreak themes and enforcing explicit logical safety rules.
  • Empirical evaluations show that configurable logical predicates, such as Token-Vote-p and Total-Fire-Threshold, enable LLMSymGuard to balance high true positive rates with controlled false positives.

LLMSymGuard is a post-hoc, fully symbolic guardrail framework for LLMs that uses sparse autoencoders (SAEs) and mechanistic interpretability to discover human-interpretable jailbreak-related concepts within internal activations, then enforces logical safety rules over those concepts. It is presented as a capability-preserving alternative to further alignment or model editing: the base model is neither retrained nor modified, and the defense operates as an external logical layer that aims to remain transparent, auditable, and robust against jailbreak-driven targeted misuse and accidental profiling (Aswal et al., 22 Aug 2025).

1. Problem setting and design objectives

LLMSymGuard is motivated by a persistent weakness of safety-aligned LLMs: despite RLHF and safety fine-tuning, they remain vulnerable to jailbreaks that covertly redirect them toward harmful outputs. The paper identifies three concrete manifestations of this gap: targeted misuse, in which adversaries elicit detailed instructions for illegal or dangerous activities; accidental profiling, in which unsafe prompts induce the model to infer or amplify sensitive attributes about users; and over-refusal trade-offs, in which alignment either over-censors benign content or underperforms on nuanced harmful cases, with limited formal guarantees of robustness (Aswal et al., 22 Aug 2025).

The framework is positioned against black-box guard strategies that shape behavior without exposing failure mechanisms. LLMSymGuard instead claims two central benefits. First, it seeks robustness via semantically grounded internal features by using SAEs to isolate meaningful latent variables that reliably correlate with jailbreak themes. Second, it emphasizes transparency and controllability by expressing guardrails as human-readable logical rules over interpretable concepts, enabling auditability, feature-wise threshold calibration, and explicit trade-offs between safety and helpfulness (Aswal et al., 22 Aug 2025).

A central conceptual claim is that LLMs learn human-interpretable concepts from jailbreaks. LLMSymGuard operationalizes this claim by extracting internal features associated with themes such as “Illegal and Dangerous Activities,” “Hate Speech and Discrimination,” and “Privacy and Data Security,” then aggregating them into symbolic rules rather than treating safety as a purely opaque classifier problem. This suggests a shift from output-only moderation toward concept-level control inside the model’s forward pass.

2. Sparse autoencoders and jailbreak concept extraction

The core representational mechanism is an SAE trained on internal activations from the attention layer of transformer block 1 of Llama-3.2-1B-Instruct. Given an activation vector XRMX \in \mathbb{R}^M, the encoder maps it to a sparse latent vector h=E(X)RDh = E(X) \in \mathbb{R}^D, and the decoder reconstructs X^=D(h)\hat{X} = D(h). The objective balances reconstruction and sparsity:

LSAE=XD(E(X))22+λh1+Ω.\mathcal{L}_{\text{SAE}} = \|X - D(E(X))\|_2^2 + \lambda \|h\|_1 + \Omega.

Concept activation is defined directly on latent units, with ai=hia_i = h_i. For each feature ii, LLMSymGuard computes a Mean Activation Score:

MASi=1DTXDtThi(X(t)),\text{MAS}_i = \frac{1}{|\mathcal{D}|\,|T|}\sum_{X \in \mathcal{D}} \sum_{t \in T} \left|h_i(X^{(t)})\right|,

and declares a feature dead when MASi0.005\text{MAS}_i \leq 0.005. Binary concept indicators are then defined at token or prompt granularity:

ci(t)=1 ⁣[hi ⁣(X(t))>τi],ci=1 ⁣[maxtThi ⁣(X(t))>τi].c_i^{(t)} = \mathbf{1}\!\left[h_i\!\left(X^{(t)}\right) > \tau_i\right],\quad c_i = \mathbf{1}\!\left[\max_{t \in T} h_i\!\left(X^{(t)}\right) > \tau_i\right].

To separate semantically meaningful latents from trivial ones, the framework analyzes each feature’s Top-100 activating tokens using token entropy, lexical diversity, stopword ratio, and average token length:

H=wp(w)logp(w),LD=#unique tokens#tokens,H = -\sum_w p(w)\log p(w),\quad \text{LD} = \frac{\#\text{unique tokens}}{\#\text{tokens}},

h=E(X)RDh = E(X) \in \mathbb{R}^D0

These statistics are reported to form two well-separated clusters under UMAP, corroborated by GPT-4.1 labeling as “Junk” and “Rich” features. Out of 8192 latent units, 473 remain active after dead-feature filtering; among them, 339 are labeled Junk and 134 Rich. The MAS distribution is dominated by dead features, which the paper interprets as consistent with strong sparsity (Aswal et al., 22 Aug 2025).

Rich features are then mapped to jailbreak themes by combining top-activating prompts with dataset labels and GPT-4.1 labeling guided by AdvBench’s taxonomy. The reported category coverage for Rich features, with overlap allowed, is 131 for Illegal and Dangerous Activities, 87 for Hate Speech and Discrimination, 74 for Privacy and Data Security, 70 for Misinformation and Disinformation, 34 for Mental Health and User Safety Risks, and 27 Uncategorized. A notable property is polysemanticity: most Rich features activate across multiple categories rather than corresponding to a single clean semantic factor. This does not eliminate interpretability, but it complicates category-specific rule design and motivates aggregation at the logical level rather than one-feature-one-policy mapping (Aswal et al., 22 Aug 2025).

3. Symbolic guardrails as logical predicates over latent concepts

Once Rich features are identified, LLMSymGuard converts them into symbolic predicates. For a Rich feature h=E(X)RDh = E(X) \in \mathbb{R}^D1 with threshold h=E(X)RDh = E(X) \in \mathbb{R}^D2, the token-level and prompt-level predicates are

h=E(X)RDh = E(X) \in \mathbb{R}^D3

The general guardrail is written in disjunctive normal form:

h=E(X)RDh = E(X) \in \mathbb{R}^D4

Thresholds are calibrated feature-wise using one of three strategies:

h=E(X)RDh = E(X) \in \mathbb{R}^D5

h=E(X)RDh = E(X) \in \mathbb{R}^D6

or

h=E(X)RDh = E(X) \in \mathbb{R}^D7

The framework instantiates several blocking functions. All-AND is maximally permissive:

h=E(X)RDh = E(X) \in \mathbb{R}^D8

Simple-OR is maximally strict:

h=E(X)RDh = E(X) \in \mathbb{R}^D9

At-least-X^=D(h)\hat{X} = D(h)0, Token-Vote-X^=D(h)\hat{X} = D(h)1, and Total-Fire-Threshold count co-activation density:

X^=D(h)\hat{X} = D(h)2

X^=D(h)\hat{X} = D(h)3

X^=D(h)\hat{X} = D(h)4

The runtime path is direct. The system hooks the selected layer during the forward pass, computes X^=D(h)\hat{X} = D(h)5, evaluates the predicates, applies the chosen logical rule, and outputs either BLOCK or ALLOW. If blocked, the system can return a fixed refusal sequence X^=D(h)\hat{X} = D(h)6 or apply a steering function X^=D(h)\hat{X} = D(h)7 at the logit level to bias outputs toward safe or refusal tokens. The paper states that logit-level steering is intended to reduce over-refusal artifacts relative to a fixed refusal-only strategy (Aswal et al., 22 Aug 2025).

4. System pipeline and implementation details

The pipeline begins with hook-point selection. LLMSymGuard uses the attention layer of block 1, motivated by the claim that early-layer features often capture simpler, interpretable patterns. The SAE is then trained with SAELens on 1,500 harmful red-teaming prompts: 500 each from Do-Not-Answer, AART, and AdvBench. These prompts are transformed into disguised indirect questions via GPT-4.1 to reduce trivial template artifacts (Aswal et al., 22 Aug 2025).

The released configuration specifies context size 128, hook position Attention Layer with hook layer 0, encoder dimension 2048, latent dimension 8192 with expansion factor 4, jumprelu architecture, batch size 4096, total train steps 300, total train tokens 1,228,800, X^=D(h)\hat{X} = D(h)8 coefficient X^=D(h)\hat{X} = D(h)9, LSAE=XD(E(X))22+λh1+Ω.\mathcal{L}_{\text{SAE}} = \|X - D(E(X))\|_2^2 + \lambda \|h\|_1 + \Omega.0 norm 1.0, and Batch Norm for loss normalization. The objective is reconstruction MSE plus LSAE=XD(E(X))22+λh1+Ω.\mathcal{L}_{\text{SAE}} = \|X - D(E(X))\|_2^2 + \lambda \|h\|_1 + \Omega.1 sparsity. Concept extraction then proceeds by computing LSAE=XD(E(X))22+λh1+Ω.\mathcal{L}_{\text{SAE}} = \|X - D(E(X))\|_2^2 + \lambda \|h\|_1 + \Omega.2, using absolute activations for strength, storing Top-100 token positions per feature, and mapping Top-10 activations back to prompts.

After feature filtering and clustering, thematic categorization follows a two-stage labeling process. Prompt-to-Label uses dataset labels for Do-Not-Answer and AART or GPT-4.1 labeling guided by AdvBench’s taxonomy. Label-to-Category then aggregates labels into higher-level classes such as Illegal and Dangerous Activities, Hate Speech and Discrimination, Privacy and Data Security, Misinformation and Disinformation, Mental Health and User Safety Risks, Sexual and Adult Content, Animal Abuse and Exploitation, and Graphic or Disturbing Content (Aswal et al., 22 Aug 2025).

Guardrail calibration is performed by choosing a threshold strategy, selecting one or more blocking functions, and tuning LSAE=XD(E(X))22+λh1+Ω.\mathcal{L}_{\text{SAE}} = \|X - D(E(X))\|_2^2 + \lambda \|h\|_1 + \Omega.3, LSAE=XD(E(X))22+λh1+Ω.\mathcal{L}_{\text{SAE}} = \|X - D(E(X))\|_2^2 + \lambda \|h\|_1 + \Omega.4, or LSAE=XD(E(X))22+λh1+Ω.\mathcal{L}_{\text{SAE}} = \|X - D(E(X))\|_2^2 + \lambda \|h\|_1 + \Omega.5 by grid search against either LSAE=XD(E(X))22+λh1+Ω.\mathcal{L}_{\text{SAE}} = \|X - D(E(X))\|_2^2 + \lambda \|h\|_1 + \Omega.6 or LSAE=XD(E(X))22+λh1+Ω.\mathcal{L}_{\text{SAE}} = \|X - D(E(X))\|_2^2 + \lambda \|h\|_1 + \Omega.7. The paper reports that Mean-plus-LSAE=XD(E(X))22+λh1+Ω.\mathcal{L}_{\text{SAE}} = \|X - D(E(X))\|_2^2 + \lambda \|h\|_1 + \Omega.8Std with LSAE=XD(E(X))22+λh1+Ω.\mathcal{L}_{\text{SAE}} = \|X - D(E(X))\|_2^2 + \lambda \|h\|_1 + \Omega.9 worked best for most rules. Evaluation uses 250 Beavertails unsafe prompts and 250 GPT-4.1-generated safe queries, with GPT-4.1 serving as an LLM-as-a-judge to filter unsuccessful jailbreaks. Baselines are the internal guardrails of Llama-3.2-1B-Instruct and Llama-Guard-3-1B (Aswal et al., 22 Aug 2025).

5. Empirical behavior, decision metrics, and trade-offs

The paper evaluates LLMSymGuard with recall/TPR, FPR, precision, and ai=hia_i = h_i0:

ai=hia_i = h_i1

ai=hia_i = h_i2

The empirical pattern is not that any symbolic rule dominates uniformly, but that rule structure strongly determines the safety–helpfulness trade-off. Simple-OR produces very high TPR but also very high FPR. All-AND eliminates over-blocking but essentially misses attacks. The strongest reported operating points come from co-activation rules, especially Token-Vote-ai=hia_i = h_i3 and Total-Fire-Threshold, which exploit the density of simultaneous concept firing rather than a single latent trigger (Aswal et al., 22 Aug 2025).

System or rule Key result Interpretation
Llama-3.2-1B-Instruct internal guardrails TPR 0.216, FPR 0.016, F1 0.351 High precision, low recall
Llama-Guard-3-1B TPR 0.392, FPR 0.000, F1 0.563 Conservative baseline
All-AND (Quantile p95) TPR 0.000, FPR 0.000 Too permissive
Simple-OR (ai=hia_i = h_i4) TPR 0.928, FPR 0.912, F1 0.654 Too strict
At-least-ai=hia_i = h_i5 (ai=hia_i = h_i6, ai=hia_i = h_i7) TPR 0.828, FPR 0.412, F1 0.739 Intermediate trade-off
Token-Vote-ai=hia_i = h_i8 (ai=hia_i = h_i9, ii0) TPR 0.788, FPR 0.216, F1 0.786 Best ii1
Total-Fire-Threshold (ii2, ii3) TPR 0.700, FPR 0.236, F1 0.723 Second-best ii4

The best reported configuration by ii5 is Token-Vote-ii6 with ii7 and Mean-plus-ii8Std thresholding at ii9, yielding TPR MASi=1DTXDtThi(X(t)),\text{MAS}_i = \frac{1}{|\mathcal{D}|\,|T|}\sum_{X \in \mathcal{D}} \sum_{t \in T} \left|h_i(X^{(t)})\right|,0, FPR MASi=1DTXDtThi(X(t)),\text{MAS}_i = \frac{1}{|\mathcal{D}|\,|T|}\sum_{X \in \mathcal{D}} \sum_{t \in T} \left|h_i(X^{(t)})\right|,1, Precision MASi=1DTXDtThi(X(t)),\text{MAS}_i = \frac{1}{|\mathcal{D}|\,|T|}\sum_{X \in \mathcal{D}} \sum_{t \in T} \left|h_i(X^{(t)})\right|,2, MASi=1DTXDtThi(X(t)),\text{MAS}_i = \frac{1}{|\mathcal{D}|\,|T|}\sum_{X \in \mathcal{D}} \sum_{t \in T} \left|h_i(X^{(t)})\right|,3, and MASi=1DTXDtThi(X(t)),\text{MAS}_i = \frac{1}{|\mathcal{D}|\,|T|}\sum_{X \in \mathcal{D}} \sum_{t \in T} \left|h_i(X^{(t)})\right|,4. The second-best is Total-Fire-Threshold with MASi=1DTXDtThi(X(t)),\text{MAS}_i = \frac{1}{|\mathcal{D}|\,|T|}\sum_{X \in \mathcal{D}} \sum_{t \in T} \left|h_i(X^{(t)})\right|,5 and MASi=1DTXDtThi(X(t)),\text{MAS}_i = \frac{1}{|\mathcal{D}|\,|T|}\sum_{X \in \mathcal{D}} \sum_{t \in T} \left|h_i(X^{(t)})\right|,6, with TPR MASi=1DTXDtThi(X(t)),\text{MAS}_i = \frac{1}{|\mathcal{D}|\,|T|}\sum_{X \in \mathcal{D}} \sum_{t \in T} \left|h_i(X^{(t)})\right|,7, FPR MASi=1DTXDtThi(X(t)),\text{MAS}_i = \frac{1}{|\mathcal{D}|\,|T|}\sum_{X \in \mathcal{D}} \sum_{t \in T} \left|h_i(X^{(t)})\right|,8, Precision MASi=1DTXDtThi(X(t)),\text{MAS}_i = \frac{1}{|\mathcal{D}|\,|T|}\sum_{X \in \mathcal{D}} \sum_{t \in T} \left|h_i(X^{(t)})\right|,9, MASi0.005\text{MAS}_i \leq 0.0050, and MASi0.005\text{MAS}_i \leq 0.0051 (Aswal et al., 22 Aug 2025).

The capability-preservation argument is correspondingly narrow but explicit. LLMSymGuard avoids fine-tuning or model edits and uses selective blocking, with FPR-based overblocking analysis as the primary indicator of controlled impact on benign tasks. The paper does not report comprehensive helpfulness or accuracy studies, so it does not claim a full capability-retention proof. It does, however, report that disguised indirect questions are detected, which is taken as evidence of robustness to simple surface reformulations (Aswal et al., 22 Aug 2025).

6. Limitations, governance, and position within the guardrail landscape

Several limitations are stated directly. The analysis is confined to a single hook point, namely the first block’s attention layer; deeper layers and cross-layer interactions are unexplored. The hard MAS cutoff may remove useful low-activation features. The method may depend on prior safety alignment, since meaningful jailbreak concepts could be easier to extract from safety-tuned models than from unaligned foundations. Polysemantic Rich features complicate category-specific logic and can induce over-blocking without careful rule design. Cross-model transfer, multilingual obfuscation, steganographic attacks, and other adaptive jailbreak styles are not evaluated and remain open problems (Aswal et al., 22 Aug 2025).

The governance rationale of LLMSymGuard is closely tied to its symbolic form. The paper emphasizes auditability, because explicit rules and thresholds can be inspected, versioned, and reviewed for compliance; controllability, because designers can tune thresholds and compose category-specific clauses; and safeguards against profiling, because rule construction can be restricted to jailbreak concepts rather than user attributes. At the same time, the paper notes that dataset diversity and label taxonomy can affect fairness, and that biased filtering or over-censorship remains a risk. Dual-use is also explicit: attackers might reverse-engineer concept predicates, with randomized thresholds, multi-layer monitoring, and defense-in-depth suggested as mitigations (Aswal et al., 22 Aug 2025).

Within the broader literature, LLMSymGuard occupies a distinctive niche: it is neither a pure output judge nor a prompt-rewriting defense, but an internal symbolic controller. PromptKeeper addresses system-prompt confidentiality through hypothesis testing over mean log-likelihood and on-demand regeneration without the hidden prompt, emphasizing indistinguishability and resistance to denial-of-service side channels (Jiang et al., 2024). LeakSealer instead combines static forensic clustering of historical interactions with a dynamic HITL classifier, achieving a dynamic PII-leakage AUPRC of MASi0.005\text{MAS}_i \leq 0.0052 on its curated dataset (Panebianco et al., 1 Aug 2025). AegisLLM frames defense as an inference-time multi-agent workflow with orchestrator, responder, evaluator, and deflector agents, reporting a MASi0.005\text{MAS}_i \leq 0.0053 StrongREJECT reduction versus base and a PHTest full refusal rate of MASi0.005\text{MAS}_i \leq 0.0054 (Cai et al., 29 Apr 2025). SecurityLingua uses security-aware prompt compression to surface the “true intention” of a prompt to the target model while keeping the user prompt unchanged, reporting average jailbreak success of MASi0.005\text{MAS}_i \leq 0.0055 with about MASi0.005\text{MAS}_i \leq 0.0056 ms compressor latency and about MASi0.005\text{MAS}_i \leq 0.0057 extra system-prompt tokens (Li et al., 15 Jun 2025). SelfGrader converts jailbreak detection into numeric token-logit grading and reports up to a MASi0.005\text{MAS}_i \leq 0.0058 attack-success reduction on LLaMA-3-8B, with lower memory and latency overhead than prior baselines (Zhang et al., 1 Apr 2026). UniGuardian treats prompt injection, backdoor attacks, and adversarial attacks as “Prompt Trigger Attacks,” using masked-prompt uncertainty scores and a single-forward detection strategy (Lin et al., 18 Feb 2025).

Relative to those approaches, LLMSymGuard’s specific contribution is to show that sparsity-induced latent features associated with jailbreak themes can be converted into explicit logical predicates. A plausible implication is that it provides a bridge between mechanistic interpretability and deployable safety engineering: not by guaranteeing universal robustness, but by making the safety policy legible at the level of internal concepts rather than only at the surface text or classifier score.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to LLMSymGuard.