![[2602.19396] Hiding in Plain Text: Detecting Concealed Jailbreaks via Activation Disentanglement](https://arxiv.org/static/browse/0.3.4/images/arxiv-logo-fb.png){kind=logo}
[2602.19396] Hiding in Plain Text: Detecting Concealed Jailbreaks via Activation Disentanglement
Summary
This paper presents a novel framework for detecting concealed jailbreaks in large language models (LLMs) by disentangling semantic factors in model activations, enhancing anomaly detection and interpretability.
Why It Matters
As LLMs become increasingly integrated into various applications, their vulnerability to sophisticated jailbreak prompts poses significant risks. This research addresses these vulnerabilities by introducing a self-supervised method that improves detection and enhances the safety and interpretability of LLMs, making it crucial for developers and researchers in AI safety.
Key Takeaways
- Introduces a self-supervised framework for detecting concealed jailbreaks in LLMs.
- Develops GoalFrameBench, a dataset for training models on goal and framing variations.
- Presents FrameShield, an anomaly detection tool that operates on disentangled representations.
- Demonstrates the effectiveness of semantic disentanglement for improving model safety.
- Highlights the interpretability benefits of disentanglement in LLM activations.
Computer Science > Artificial Intelligence arXiv:2602.19396 (cs) [Submitted on 23 Feb 2026] Title:Hiding in Plain Text: Detecting Concealed Jailbreaks via Activation Disentanglement Authors:Amirhossein Farzam, Majid Behabahani, Mani Malek, Yuriy Nevmyvaka, Guillermo Sapiro View a PDF of the paper titled Hiding in Plain Text: Detecting Concealed Jailbreaks via Activation Disentanglement, by Amirhossein Farzam and 4 other authors View PDF HTML (experimental) Abstract:Large language models (LLMs) remain vulnerable to jailbreak prompts that are fluent and semantically coherent, and therefore difficult to detect with standard heuristics. A particularly challenging failure mode occurs when an attacker tries to hide the malicious goal of their request by manipulating its framing to induce compliance. Because these attacks maintain malicious intent through a flexible presentation, defenses that rely on structural artifacts or goal-specific signatures can fail. Motivated by this, we introduce a self-supervised framework for disentangling semantic factor pairs in LLM activations at inference. We instantiate the framework for goal and framing and construct GoalFrameBench, a corpus of prompts with controlled goal and framing variations, which we use to train Representation Disentanglement on Activations (ReDAct) module to extract disentangled representations in a frozen LLM. We then propose FrameShield, an anomaly detector operating on the framing representations, which improves model...