Principled Steering via Null-space Projection for Jailbreak Defense in Vision-Language Models

The null-space projection formulation is mathematically sound and well-motivated. The equivalence between $Null(\mathbf{H}_b)$ and $Null(\mathbf{H}_b\mathbf{H}_b^\top)$ (Eq. 7) enables efficient computation of the projection matrix via SVD on the $d \times d$ covariance matrix rather than the full $d \times N_b$ activation matrix. The closed-form solution for the steering transformation (Eq. 15) is derived correctly using Moore-Penrose pseudoinverse, and the three-component loss function (smoothness, refusal alignment, harmful suppression) is systematically validated through ablation. The method maintains near-zero inference overhead (~8.43 ms/token average vs 9.88 for ASTRA) while improving safety metrics.

The primary limitation is narrow attack scope: the main experiments focus almost exclusively on PGD-based $\ell_\infty$ perturbations (with $\epsilon \in \{16/255, 32/255, 64/255\}$), while contemporary VLMs face diverse jailbreak strategies including typographic attacks, image caption manipulation, and multi-turn conversational exploits that may not trigger the same activation patterns. The assumption that benign and harmful activations occupy separable linear subspaces is theoretically convenient but empirically tenuous for deep non-linear transformers—Figure 8 shows overlap between benign and malicious clusters even after steering. Additionally, the method requires careful tuning of three hyperparameters ($\alpha$, $\beta$, $\lambda$) and the steering layer selection ($l=20$ for 13B models, $l=14$ for 7B), with limited guidance on how these transfer to other architectures.

The evidence strongly supports superiority over ASTRA [52] for perturbation-based attacks, with NullSteer achieving 2.89% Toxicity vs 4.48% under unconstrained attacks on MiniGPT-4. However, the comparison against structured attacks (e.g., FigStep, MM-SafetyBench) is relegated to Appendix C with limited analysis, showing only marginal improvements over ASTRA on typographic attacks (6.28% vs 8.75% on SD_TYPO). The paper claims theoretical guarantees of utility preservation, but the verification relies on benchmarks (MM-Vet, MMBench) that may not capture subtle capability degradation—XSTest shows no over-refusal, but this dataset primarily tests exaggerated safety rather than nuanced instruction following. The comparison with JailGuard and ECSO is somewhat unfair as those methods target different threat models (input filtering vs activation steering).

Reproducibility is reasonably strong. The paper specifies the exact steering layers (20 for 13B, 14 for 7B), sample counts ($N_b \approx 8$, $N_m \approx 100$), and regularization coefficients ($\alpha$, $\beta$) used for optimization. The closed-form solution (Eq. 15) eliminates randomness in training. However, critical implementation details—such as the exact PGD step size and iterations for adversarial example generation, the specific refusal templates used to construct $\mathbf{R}$, and the attribution masking strategy for computing $\mathbf{V}$—are omitted or referenced only as "following ASTRA." The code and data are not explicitly mentioned as available, and the reliance on specific ImageNet subsets for steering vector construction (55 benign images, 16 adversarial) without release of the exact image IDs limits exact replication.