← Back to Library

Speculative Safety-Aware Decoding

Authors: Xuekang Wang, Shengyu Zhu, Xueqi Cheng

Published: 2025-08-25

arXiv ID: 2508.17739v1

Added to Library: 2025-08-26 04:00 UTC

Red Teaming

📄 Abstract

Despite extensive efforts to align Large Language Models (LLMs) with human values and safety rules, jailbreak attacks that exploit certain vulnerabilities continuously emerge, highlighting the need to strengthen existing LLMs with additional safety properties to defend against these attacks. However, tuning large models has become increasingly resource-intensive and may have difficulty ensuring consistent performance. We introduce Speculative Safety-Aware Decoding (SSD), a lightweight decoding-time approach that equips LLMs with the desired safety property while accelerating inference. We assume that there exists a small language model that possesses this desired property. SSD integrates speculative sampling during decoding and leverages the match ratio between the small and composite models to quantify jailbreak risks. This enables SSD to dynamically switch between decoding schemes to prioritize utility or safety, to handle the challenge of different model capacities. The output token is then sampled from a new distribution that combines the distributions of the original and the small models. Experimental results show that SSD successfully equips the large model with the desired safety property, and also allows the model to remain helpful to benign queries. Furthermore, SSD accelerates the inference time, thanks to the speculative sampling design.

🔍 Key Points

  • Introduction of Speculative Safety-Aware Decoding (SSD) that integrates speculative sampling during decoding to improve safety properties of Large Language Models (LLMs) without costly parameter tuning.
  • Development of a dynamic decoding framework that utilizes match ratios between a larger model and a smaller expert model to balance utility and safety based on the nature of the input queries.
  • Experimental results demonstrate that SSD effectively equips LLMs with deeper safety alignment properties while maintaining utility and improving inference efficiency compared to existing methods like SafeDecoding and direct fine-tuning.
  • The method is validated across multiple jailbreak attack types, showing robustness and reduced attack success rates, thus enhancing the overall safety of deployed LLMs.
  • SSD addresses the challenge of over-refusal behavior in LLMs by effectively distinguishing between harmful queries and benign but sensitive topics.

💡 Why This Paper Matters

This research is significant as it presents a novel approach to enhancing the safety of LLMs through a lightweight, efficient method that avoids the computational burden of extensive parameter tuning. By effectively integrating safety properties into existing models, this work paves the way for more robust and secure AI systems, critical in an era of increasingly sophisticated attacks against AI technologies.

🎯 Why It's Interesting for AI Security Researchers

This paper will pique the interest of AI security researchers as it provides a comprehensive solution to the pressing issue of jailbreak attacks on LLMs. The introduction of SSD presents a new methodology to dynamically balance safety and utility, which is vital for ensuring responsible AI deployment. Furthermore, its empirical validation against various attack vectors reveals practical insights and methodologies that can be leveraged to fortify AI systems against malicious exploitation.

📚 Read the Full Paper

📄 View on arXiv 📎 Download PDF