Critical Safety Attention Heads: Architecture-Dependent Vulnerabilities in LLMs | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article Critical Safety Attention Heads: Architecture-Dependent Vulnerabilities in LLMs Letian Sha, Peijie Sun, Hao Xue, Shijie Hao, Fu Xiao This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-8886237/v1 This work is licensed under a CC BY 4.0 License Status: Under Review Version 1 posted You are reading this latest preprint version Abstract Extensive research on jailbreak attacks demonstrates that despite advancements in safety alignment, Large Language Models (LLMs) remain highly vulnerable to diverse adversarial exploitations, highlighting systemic deficiencies in their internal safety mechanisms. Current research predominantly assumes these mechanisms are universal; however, this perspective neglects the fundamental differences in vulnerability profiles exhibited by distinct model families. To systematically investigate this gap, we propose the ``Family-Specific Vulnerabilities in Safety Attention Networks'' framework, positing that internal safety mechanisms—especially the Critical Safety Attention Heads (CSAHs)—exhibit architecture-dependent distributions and robustness. We validate this through comprehensive empirical analyses on six distinct models spanning three representative LLM families (DeepSeek, LLaMA, and StableLM), examining two variants within each family. Using linear probes and quantitative attention pattern metrics to identify CSAHs, we systematically evaluate their vulnerabilities via three complementary ablations: zero-out (simulating signal loss), mean-value (simulating signal replacement), and undifferentiated attention (simulating signal pollution). Our results reveal distinct failure modes: DeepSeek exhibits extreme sensitivity to signal loss (up to 56% ASR increase without collapse), LLaMA is primarily compromised by signal pollution, while StableLM shows universal sensitivity to multiple intervention types. These findings challenge the universality assumption, demonstrate that previously reported threshold effects are not universal, and provide an empirical basis for architecture-aware safety strategies. Physical sciences/Engineering Physical sciences/Mathematics and computing Large Language Models LLM Safety Mechanistic Interpretability Attention Heads Family-Specific Vulnerabilities Multi-Method Ablation Full Text Additional Declarations No competing interests reported. Cite Share Download PDF Status: Under Review Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-8886237","acceptedTermsAndConditions":true,"allowDirectSubmit":false,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":605794654,"identity":"c23cbb03-d6ba-44b7-b541-28751018d96a","order_by":0,"name":"Letian Sha","email":"","orcid":"","institution":"Nanjing University of Posts and Telecommunications","correspondingAuthor":false,"prefix":"","firstName":"Letian","middleName":"","lastName":"Sha","suffix":""},{"id":605794655,"identity":"4455fa5d-2032-4971-a3b4-be46a338ead7","order_by":1,"name":"Peijie Sun","email":"","orcid":"","institution":"Nanjing University of Posts and Telecommunications","correspondingAuthor":false,"prefix":"","firstName":"Peijie","middleName":"","lastName":"Sun","suffix":""},{"id":605794656,"identity":"35212d83-f14c-4bb9-a9ce-bb2348b0020c","order_by":2,"name":"Hao Xue","email":"","orcid":"","institution":"Nanjing University of Posts and Telecommunications","correspondingAuthor":false,"prefix":"","firstName":"Hao","middleName":"","lastName":"Xue","suffix":""},{"id":605794657,"identity":"bc5e1262-3e24-4f45-8cf0-eea8f04ba5a8","order_by":3,"name":"Shijie Hao","email":"","orcid":"","institution":"Hefei University of Technology","correspondingAuthor":false,"prefix":"","firstName":"Shijie","middleName":"","lastName":"Hao","suffix":""},{"id":605794658,"identity":"1dcb7a2e-d365-4a11-8aec-120c37fad7f4","order_by":4,"name":"Fu Xiao","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAz0lEQVRIiWNgGAWjYNCDD8QrTYBQjDNI1sLMQ4xi/hnp1yR//jhszyCRY/jYpsyagb+9OwGvFokbOWXSPAmHExt4zhgb55xLZ5A4c3YDfmtu5KRJMyQcTmBg7zGTzm07zGAgkYtfizxQi+SPBKDDmHnMf1sSo8XgRvoxCaDDGBuAtjAzEqPF8MwbZmuetPTENp5jxZI959J5CPpF7nj6w5s/bKzt+SWSN374UWYtx9/eS8D7DDwGYIoNQhIVNewPkDhszEToGAWjYBSMgpEGAOEkQOIwU31kAAAAAElFTkSuQmCC","orcid":"","institution":"Nanjing University of Posts and Telecommunications","correspondingAuthor":true,"prefix":"","firstName":"Fu","middleName":"","lastName":"Xiao","suffix":""}],"badges":[],"createdAt":"2026-02-15 13:23:20","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-8886237/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-8886237/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":104783059,"identity":"386e26d5-5628-4f76-bea0-415fbe6be156","added_by":"auto","created_at":"2026-03-17 07:58:09","extension":"pdf","order_by":1,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":3175105,"visible":true,"origin":"","legend":"","description":"","filename":"submission.pdf","url":"https://assets-eu.researchsquare.com/files/rs-8886237/v1_covered_9ce9052a-fbc9-4ee9-b5f5-cff58116d1ad.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"Critical Safety Attention Heads: Architecture-Dependent Vulnerabilities in LLMs","fulltext":[],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":false,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":false,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":true,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":true,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"
[email protected]","identity":"nature-portfolio","isNatureJournal":true,"hasQc":false,"allowDirectSubmit":false,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"","title":"Nature Portfolio","twitterHandle":"","acdcEnabled":false,"dfaEnabled":false,"editorialSystem":"ejp","reportingPortfolio":"","inReviewEnabled":true,"inReviewRevisionsEnabled":false},"keywords":"Large Language Models, LLM Safety, Mechanistic Interpretability, Attention Heads, Family-Specific Vulnerabilities, Multi-Method Ablation","lastPublishedDoi":"10.21203/rs.3.rs-8886237/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-8886237/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003eExtensive research on jailbreak attacks demonstrates that despite advancements in safety alignment, Large Language Models (LLMs) remain highly vulnerable to diverse adversarial exploitations, highlighting systemic deficiencies in their internal safety mechanisms. Current research predominantly assumes these mechanisms are universal; however, this perspective neglects the fundamental differences in vulnerability profiles exhibited by distinct model families. To systematically investigate this gap, we propose the ``Family-Specific Vulnerabilities in Safety Attention Networks'' framework, positing that internal safety mechanisms\u0026mdash;especially the Critical Safety Attention Heads (CSAHs)\u0026mdash;exhibit architecture-dependent distributions and robustness. We validate this through comprehensive empirical analyses on six distinct models spanning three representative LLM families (DeepSeek, LLaMA, and StableLM), examining two variants within each family. Using linear probes and quantitative attention pattern metrics to identify CSAHs, we systematically evaluate their vulnerabilities via three complementary ablations: zero-out (simulating signal loss), mean-value (simulating signal replacement), and undifferentiated attention (simulating signal pollution). Our results reveal distinct failure modes: DeepSeek exhibits extreme sensitivity to signal loss (up to 56% ASR increase without collapse), LLaMA is primarily compromised by signal pollution, while StableLM shows universal sensitivity to multiple intervention types. These findings challenge the universality assumption, demonstrate that previously reported threshold effects are not universal, and provide an empirical basis for architecture-aware safety strategies.\u003c/p\u003e","manuscriptTitle":"Critical Safety Attention Heads: Architecture-Dependent Vulnerabilities in LLMs","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2026-03-16 22:49:29","doi":"10.21203/rs.3.rs-8886237/v1","editorialEvents":[],"status":"published","journal":{"display":true,"email":"
[email protected]","identity":"communications-ai-and-computing","isNatureJournal":true,"hasQc":true,"allowDirectSubmit":false,"externalIdentity":"","sideBox":"Learn more about [Communications AI \u0026 Computing](https://www.nature.com/commsaicomp/)","snPcode":"44488","submissionUrl":"https://submission.nature.com/new-submission/44488/3","title":"Communications AI \u0026 Computing","twitterHandle":"","acdcEnabled":true,"dfaEnabled":true,"editorialSystem":"stoa","reportingPortfolio":"Nature Communications","inReviewEnabled":true,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"03177c6c-8dd1-4f53-bff6-e10120bcaa41","owner":[],"postedDate":"March 16th, 2026","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"under-review","subjectAreas":[{"id":64475831,"name":"Physical sciences/Engineering"},{"id":64475832,"name":"Physical sciences/Mathematics and computing"}],"tags":[],"updatedAt":"2026-03-16T22:49:29+00:00","versionOfRecord":[],"versionCreatedAt":"2026-03-16 22:49:29","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-8886237","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-8886237","identity":"rs-8886237","version":["v1"]},"buildId":"XKTyCvWXoU3ODBz1xrDgd","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}
Text is read by the "Ask this paper" AI Q&A widget below.
Extraction quality varies by source — PMC NXML preserves structure
cleanly, OA-HTML may include some navigation residue, and OA-PDF can
have broken hyphenation. The publisher copy
(via DOI)
is the canonical version.