← Back to Library

Activation Transport Operators

Authors: Andrzej Szablewski, Marek Masiak

Published: 2025-08-24

arXiv ID: 2508.17540v1

Added to Library: 2025-08-26 04:00 UTC

📄 Abstract

The residual stream mediates communication between transformer decoder layers via linear reads and writes of non-linear computations. While sparse-dictionary learning-based methods locate features in the residual stream, and activation patching methods discover circuits within the model, the mechanism by which features flow through the residual stream remains understudied. Understanding this dynamic can better inform jailbreaking protections, enable early detection of model mistakes, and their correction. In this work, we propose Activation Transport Operators (ATO), linear maps from upstream to downstream residuals $k$ layers later, evaluated in feature space using downstream SAE decoder projections. We empirically demonstrate that these operators can determine whether a feature has been linearly transported from a previous layer or synthesised from non-linear layer computation. We develop the notion of transport efficiency, for which we provide an upper bound, and use it to estimate the size of the residual stream subspace that corresponds to linear transport. We empirically demonstrate the linear transport, report transport efficiency and the size of the residual stream's subspace involved in linear transport. This compute-light (no finetuning, <50 GPU-h) method offers practical tools for safety, debugging, and a clearer picture of where computation in LLMs behaves linearly.

🔍 Key Points

  • Introduction of Speculative Safety-Aware Decoding (SSD) that integrates speculative sampling during decoding to improve safety properties of Large Language Models (LLMs) without costly parameter tuning.
  • Development of a dynamic decoding framework that utilizes match ratios between a larger model and a smaller expert model to balance utility and safety based on the nature of the input queries.
  • Experimental results demonstrate that SSD effectively equips LLMs with deeper safety alignment properties while maintaining utility and improving inference efficiency compared to existing methods like SafeDecoding and direct fine-tuning.
  • The method is validated across multiple jailbreak attack types, showing robustness and reduced attack success rates, thus enhancing the overall safety of deployed LLMs.
  • SSD addresses the challenge of over-refusal behavior in LLMs by effectively distinguishing between harmful queries and benign but sensitive topics.

💡 Why This Paper Matters

This research is significant as it presents a novel approach to enhancing the safety of LLMs through a lightweight, efficient method that avoids the computational burden of extensive parameter tuning. By effectively integrating safety properties into existing models, this work paves the way for more robust and secure AI systems, critical in an era of increasingly sophisticated attacks against AI technologies.

🎯 Why It's Interesting for AI Security Researchers

This paper will pique the interest of AI security researchers as it provides a comprehensive solution to the pressing issue of jailbreak attacks on LLMs. The introduction of SSD presents a new methodology to dynamically balance safety and utility, which is vital for ensuring responsible AI deployment. Furthermore, its empirical validation against various attack vectors reveals practical insights and methodologies that can be leveraged to fortify AI systems against malicious exploitation.

📚 Read the Full Paper

📄 View on arXiv 📎 Download PDF