STEER - Mech interp-based white box attack on LLMs

Joshua Adrian Cahyono

STEER (Safety Targeted Embedding Exploit via Refinement) is a white-box jailbreak that turns a mechanistic-interpretability finding into an attack: since safety fine-tuning encodes refusal as a single linear direction in the residual stream, STEER reads that direction, uses gradient attribution to pinpoint the words in a harmful prompt that most activate it, and iteratively translates those words into low-resource and regional languages (Javanese, Sundanese, Swahili, Yoruba, Thai, Tagalog, and others) until the refusal signal collapses while the harmful intent survives.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

The story for how this is important is good and adds to the already existing literature on code-switching attacks, and presentations is excellent. The main thing to fix is the comparison: since the method bundles a rewriting step with the language-swapping, it's hard to tell how much of the success comes from the clever targeting versus the rewriting, so a side-by-side test that separates the two would make the central claim much more convincing.

This work makes the dual use aspect of mech interp very concrete and audit signals like FLD provide model authors a way to make their default checkpoints more safe.

In practice anyone who is dedicated and has white box access can just ablate refusal directions, patch activations etc and jailbreak models so the path to impact seems to depend on mech interp researchers being told that safety circuits are dual use, and that seems to be well understood especially with work such as Yeo et al. showing SAE features that mediate refusal.

The novel piece here is the cross lingual angle and Wang et al. indicates that the refusual direction is cross lingually aligned and this work shows that across several models, code switched prompts can cause weaker activation in that direction.

I would be excited to see the authors extend this work and test it on Llama Guard and other open source deployments that are realistic because classifier-based safeguards, input-output guard models can reduce misuse even if the model's internal geometry remains brittle. Real world safety would be where the impact lies.

- The core motivation is genuinely interesting: turning an interpretability finding (the refusal direction) into a targeting signal for an attack is a clean demonstration that mech interp results are dual-use, and the FLD method is a neat contribution in its own right: the sharpness of the Fisher peak doubles as a structural vulnerability metric, a pre-deployment read on how brittle a model's safety encoding is. The six-model breadth and >3,000 attempts make the evaluation solid. Most promising of all is the transfer to GPT-4o-mini with no closed-model access (35.5%); that is an impressive result that suggests the shared-geometry hypothesis has real legs, and it is the thread most worth pursuing further. The author is also clearly alert to the dual-use risk and handles the ethics framing responsibly.

- Isolate how much the refusal direction actually contributes. The thesis is that attribution against the refusal direction is what makes STEER work, but two confounds are not separated. The paraphrase step is a GPT-4o rewrite that softens keywords before any gradient work, and the paper notes removing it costs substantial ASR, so part of STEER's edge over CSRT may be the paraphrase rather than the attribution. CSRT should be run with the same paraphrase to isolate the mech-interp contribution. Relatedly, since CSRT "catches up given enough budget," the attribution mainly helps at low iteration counts, so the @1 efficiency numbers (only reported for two models) are the honest place to make the claim and should be reported across all six.

- Implement and test at least one of the proposed defences. The paper is, in effect, a working attack, and the discussion already sketches sensible mitigations (distribute refusal across layers, train the direction on multilingual and code-switched inputs, audit FLD sharpness). Given the dual-use framing, showing even one of these measurably reduces STEER's ASR would turn the paper from "here is a vulnerability" into "here is a vulnerability and a first defence," which is both safer to release and a stronger contribution.

- The "decision variable" claim needs the causal test. Section 4.4 shows refused and non-refused responses separate around zero on the refusal-score axis and concludes the dot product with r is "the actual decision variable the model uses, not just a proxy." But the score is built from the harmful/benign difference, so separation is expected and only correlational.

Cite this work

@misc {

title={

(HckPrj) STEER - Mech interp-based white box attack on LLMs

},

author={

Joshua Adrian Cahyono

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.