Critical Safety Attention Heads: Architecture-Dependent Vulnerabilities in LLMs

preprint OA: closed CC-BY-4.0
AI-generated deep summary by claude@2026-07, 2026-07-06 · read from full text

The paper studies jailbreak-related safety vulnerabilities in large language models by examining whether internal safety mechanisms are universal across model families, focusing on critical safety attention heads (CSAHs). Using linear probes and quantitative attention-pattern metrics, the authors analyze six models from three families (DeepSeek, LLaMA, StableLM) and apply three ablations—zero-out, mean-value replacement, and undifferentiated attention pollution—to test different vulnerability mechanisms. They find architecture-dependent failure modes: DeepSeek is highly sensitive to signal loss, LLaMA is mainly affected by signal pollution, and StableLM shows sensitivity across multiple intervention types; they also note that previously reported threshold effects are not universal. A major caveat is that this is a preprint (not peer-reviewed) and the conclusions are based on analyses across the specific selected families/models and intervention types studied. The paper does not explicitly discuss endometriosis or adenomyosis; it was included in the corpus via a keyword match in the upstream search index.

Read from the paper's body, not the abstract. Not a substitute for reading the paper. No clinical advice. How this works

Full text 12,075 characters · extracted from preprint-html · click to expand
Critical Safety Attention Heads: Architecture-Dependent Vulnerabilities in LLMs | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article Critical Safety Attention Heads: Architecture-Dependent Vulnerabilities in LLMs Letian Sha, Peijie Sun, Hao Xue, Shijie Hao, Fu Xiao This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-8886237/v1 This work is licensed under a CC BY 4.0 License Status: Under Review Version 1 posted You are reading this latest preprint version Abstract Extensive research on jailbreak attacks demonstrates that despite advancements in safety alignment, Large Language Models (LLMs) remain highly vulnerable to diverse adversarial exploitations, highlighting systemic deficiencies in their internal safety mechanisms. Current research predominantly assumes these mechanisms are universal; however, this perspective neglects the fundamental differences in vulnerability profiles exhibited by distinct model families. To systematically investigate this gap, we propose the ``Family-Specific Vulnerabilities in Safety Attention Networks'' framework, positing that internal safety mechanisms—especially the Critical Safety Attention Heads (CSAHs)—exhibit architecture-dependent distributions and robustness. We validate this through comprehensive empirical analyses on six distinct models spanning three representative LLM families (DeepSeek, LLaMA, and StableLM), examining two variants within each family. Using linear probes and quantitative attention pattern metrics to identify CSAHs, we systematically evaluate their vulnerabilities via three complementary ablations: zero-out (simulating signal loss), mean-value (simulating signal replacement), and undifferentiated attention (simulating signal pollution). Our results reveal distinct failure modes: DeepSeek exhibits extreme sensitivity to signal loss (up to 56% ASR increase without collapse), LLaMA is primarily compromised by signal pollution, while StableLM shows universal sensitivity to multiple intervention types. These findings challenge the universality assumption, demonstrate that previously reported threshold effects are not universal, and provide an empirical basis for architecture-aware safety strategies. Physical sciences/Engineering Physical sciences/Mathematics and computing Large Language Models LLM Safety Mechanistic Interpretability Attention Heads Family-Specific Vulnerabilities Multi-Method Ablation Full Text Additional Declarations No competing interests reported. Cite Share Download PDF Status: Under Review Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-8886237","acceptedTermsAndConditions":true,"allowDirectSubmit":false,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":605794654,"identity":"c23cbb03-d6ba-44b7-b541-28751018d96a","order_by":0,"name":"Letian Sha","email":"","orcid":"","institution":"Nanjing University of Posts and Telecommunications","correspondingAuthor":false,"prefix":"","firstName":"Letian","middleName":"","lastName":"Sha","suffix":""},{"id":605794655,"identity":"4455fa5d-2032-4971-a3b4-be46a338ead7","order_by":1,"name":"Peijie Sun","email":"","orcid":"","institution":"Nanjing University of Posts and Telecommunications","correspondingAuthor":false,"prefix":"","firstName":"Peijie","middleName":"","lastName":"Sun","suffix":""},{"id":605794656,"identity":"35212d83-f14c-4bb9-a9ce-bb2348b0020c","order_by":2,"name":"Hao Xue","email":"","orcid":"","institution":"Nanjing University of Posts and Telecommunications","correspondingAuthor":false,"prefix":"","firstName":"Hao","middleName":"","lastName":"Xue","suffix":""},{"id":605794657,"identity":"bc5e1262-3e24-4f45-8cf0-eea8f04ba5a8","order_by":3,"name":"Shijie Hao","email":"","orcid":"","institution":"Hefei University of Technology","correspondingAuthor":false,"prefix":"","firstName":"Shijie","middleName":"","lastName":"Hao","suffix":""},{"id":605794658,"identity":"1dcb7a2e-d365-4a11-8aec-120c37fad7f4","order_by":4,"name":"Fu Xiao","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAz0lEQVRIiWNgGAWjYNCDD8QrTYBQjDNI1sLMQ4xi/hnp1yR//jhszyCRY/jYpsyagb+9OwGvFokbOWXSPAmHExt4zhgb55xLZ5A4c3YDfmtu5KRJMyQcTmBg7zGTzm07zGAgkYtfizxQi+SPBKDDmHnMf1sSo8XgRvoxCaDDGBuAtjAzEqPF8MwbZmuetPTENp5jxZI959J5CPpF7nj6w5s/bKzt+SWSN374UWYtx9/eS8D7DDwGYIoNQhIVNewPkDhszEToGAWjYBSMgpEGAOEkQOIwU31kAAAAAElFTkSuQmCC","orcid":"","institution":"Nanjing University of Posts and Telecommunications","correspondingAuthor":true,"prefix":"","firstName":"Fu","middleName":"","lastName":"Xiao","suffix":""}],"badges":[],"createdAt":"2026-02-15 13:23:20","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-8886237/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-8886237/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":104783059,"identity":"386e26d5-5628-4f76-bea0-415fbe6be156","added_by":"auto","created_at":"2026-03-17 07:58:09","extension":"pdf","order_by":1,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":3175105,"visible":true,"origin":"","legend":"","description":"","filename":"submission.pdf","url":"https://assets-eu.researchsquare.com/files/rs-8886237/v1_covered_9ce9052a-fbc9-4ee9-b5f5-cff58116d1ad.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"Critical Safety Attention Heads: Architecture-Dependent Vulnerabilities in LLMs","fulltext":[],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":false,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":false,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":true,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":true,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"[email protected]","identity":"nature-portfolio","isNatureJournal":true,"hasQc":false,"allowDirectSubmit":false,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"","title":"Nature Portfolio","twitterHandle":"","acdcEnabled":false,"dfaEnabled":false,"editorialSystem":"ejp","reportingPortfolio":"","inReviewEnabled":true,"inReviewRevisionsEnabled":false},"keywords":"Large Language Models, LLM Safety, Mechanistic Interpretability, Attention Heads, Family-Specific Vulnerabilities, Multi-Method Ablation","lastPublishedDoi":"10.21203/rs.3.rs-8886237/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-8886237/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003eExtensive research on jailbreak attacks demonstrates that despite advancements in safety alignment, Large Language Models (LLMs) remain highly vulnerable to diverse adversarial exploitations, highlighting systemic deficiencies in their internal safety mechanisms. Current research predominantly assumes these mechanisms are universal; however, this perspective neglects the fundamental differences in vulnerability profiles exhibited by distinct model families. To systematically investigate this gap, we propose the ``Family-Specific Vulnerabilities in Safety Attention Networks'' framework, positing that internal safety mechanisms\u0026mdash;especially the Critical Safety Attention Heads (CSAHs)\u0026mdash;exhibit architecture-dependent distributions and robustness. We validate this through comprehensive empirical analyses on six distinct models spanning three representative LLM families (DeepSeek, LLaMA, and StableLM), examining two variants within each family. Using linear probes and quantitative attention pattern metrics to identify CSAHs, we systematically evaluate their vulnerabilities via three complementary ablations: zero-out (simulating signal loss), mean-value (simulating signal replacement), and undifferentiated attention (simulating signal pollution). Our results reveal distinct failure modes: DeepSeek exhibits extreme sensitivity to signal loss (up to 56% ASR increase without collapse), LLaMA is primarily compromised by signal pollution, while StableLM shows universal sensitivity to multiple intervention types. These findings challenge the universality assumption, demonstrate that previously reported threshold effects are not universal, and provide an empirical basis for architecture-aware safety strategies.\u003c/p\u003e","manuscriptTitle":"Critical Safety Attention Heads: Architecture-Dependent Vulnerabilities in LLMs","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2026-03-16 22:49:29","doi":"10.21203/rs.3.rs-8886237/v1","editorialEvents":[],"status":"published","journal":{"display":true,"email":"[email protected]","identity":"communications-ai-and-computing","isNatureJournal":true,"hasQc":true,"allowDirectSubmit":false,"externalIdentity":"","sideBox":"Learn more about [Communications AI \u0026 Computing](https://www.nature.com/commsaicomp/)","snPcode":"44488","submissionUrl":"https://submission.nature.com/new-submission/44488/3","title":"Communications AI \u0026 Computing","twitterHandle":"","acdcEnabled":true,"dfaEnabled":true,"editorialSystem":"stoa","reportingPortfolio":"Nature Communications","inReviewEnabled":true,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"03177c6c-8dd1-4f53-bff6-e10120bcaa41","owner":[],"postedDate":"March 16th, 2026","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"under-review","subjectAreas":[{"id":64475831,"name":"Physical sciences/Engineering"},{"id":64475832,"name":"Physical sciences/Mathematics and computing"}],"tags":[],"updatedAt":"2026-03-16T22:49:29+00:00","versionOfRecord":[],"versionCreatedAt":"2026-03-16 22:49:29","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-8886237","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-8886237","identity":"rs-8886237","version":["v1"]},"buildId":"XKTyCvWXoU3ODBz1xrDgd","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}

Text is read by the "Ask this paper" AI Q&A widget below. Extraction quality varies by source — PMC NXML preserves structure cleanly, OA-HTML may include some navigation residue, and OA-PDF can have broken hyphenation. The publisher copy (via DOI) is the canonical version.

My notes (saved in your browser only)

Ask this paper AI returns verbatim quotes from the full text · source: preprint-html

Answers must be backed by verbatim quotes from this paper's full text. Hallucinated quotes are dropped automatically; if no verbatim passage answers the question, we say so. How this works

Citation neighborhood (no data yet)

We don't have any in-corpus citations linked to this paper yet. This is a recent paper (2026) — citers typically take a year or two to land, and the OpenAlex reference graph may still be filling in.

Source provenance

europepmc
last seen: 2026-05-20T01:45:00.602351+00:00
unpaywall
last seen: 2026-05-24T02:00:01.246996+00:00
License: CC-BY-4.0