Argmin AIArgmin AI
About usOptimize your agent
RLHFBasic RAGPrompt OptimizationAgentic RAGQuantizationSafety BenchmarksLLM-as-a-JudgeChain-of-ThoughtMulti-Agent SystemsFunction CallingEfficient InferenceHallucination Detection

Moderate WANDA pruning (10–20%) increases jailbreak resistance of 7B LLMs without fine-tuning

AI OptimizationPruningJailbreak AttacksSafety BenchmarksAnalysis
January 19, 20248 min

Overview

Decision SnapshotNeeds Validation

Results are practical: modest attention pruning gives measurable safety gains on 7B models without fine-tuning and with small benchmark impact; evidence is limited to 7B models, one pruning method, and curated datasets.

Citations3

Evidence Strength0.70

Confidence0.80

Risk Signals11

Trust Signals

Findings with numeric evidence: 5/5

Findings with evidence refs: 5/5

Results with explicit delta: 5/5

Reproducibility

Status: No open assets linked

Open source: Unknown

At A Glance

Cost impact: 70%

Production readiness: 60%

Novelty: 50%

Authors

Adib Hasan, Ileana Rugina, Alex Wang

Links

Abstract / PDF

Why It Matters For Business

Pruning attention weights at modest sparsity (10–20%) is a low-cost safety lever: it can raise refusal rates to harmful prompts and shrink model size without extra fine-tuning or big performance loss.

Who Should Care

CTOML EngineerProduct ManagerEngineering Lead

Summary TLDR

The authors show that moderate WANDA pruning of attention weights (roughly 10–20%) on 7B models can raise refusal rates to malicious prompts without any further fine-tuning and while keeping benchmark performance nearly intact. They curated 225 malicious tasks (2,250 prompt samples), tested LLaMA-2-7B-Chat, Vicuna-1.3-7B, and Mistral-7B Instruct, and analyzed attention entropy and perplexity shifts to argue pruning acts as a regularizer that helps detect unnatural jailbreak constructs.

Problem Statement

How does model compression affect an aligned LLM's susceptibility to jailbreak attacks? The paper asks whether pruning (WANDA) can increase jailbreak resistance without additional training and without degrading standard task performance.

Main Contribution

Curated a safety-focused dataset: 225 malicious tasks split into 5 categories and embedded in 10 jailbreak templates (2,250 samples).

Showed attention-layer WANDA pruning (10–20%) raises refusal rates on 7B models without fine-tuning, with peak benefits at ~20% sparsity.

Key Findings

Moderate attention-layer WANDA pruning increases refusal rates to jailbreak prompts.

NumbersLLaMA-2: average +8.5% refusal rate across five categories

Practical UseTry 10–20% attention pruning to improve refusal behavior for safety-trained 7B models before doing extra fine-tuning.

Evidence RefIntroduction; Section 4.1; Figure 1

Safety benefits peak near 20% sparsity and reverse after heavier pruning.

NumbersResistance improves up to 20% then degrades by 30% sparsity

Practical UseAvoid aggressive pruning (>30%); tune sparsity around 10–20% and monitor refusals and benchmarks.

Evidence RefFigures 3 and 5; Section 4.1

Results

MetricValueBaselineDeltaSplit / DatasetEvidenceEvidence Ref
Refusal rate (safety)LLaMA-2: avg +8.5% refusal (post-pruning)unpruned LLaMA-2 Chat+8.5% (average across five categories)Custom malicious tasks (225 tasks, 2250 samples)Introduction; Section 4.1; Figure 1Figure 1
Perplexity (WikiText)6.9437.158 (20% sparsity)unpruned LLaMA-2 (6.943)+0.215WikiText perplexityTable 1; Section 4.3Table 1

What To Try In 7 Days

Run attention-layer WANDA pruning at 10% and 20% on a copy of your 7B model and keep the original.

Measure refusal rate on an internal set of risky prompts and compare to unpruned baseline.

Validate core business benchmarks (MMLU, task-specific tests) to ensure capability is preserved (>look for small deltas).

Optimization Features

Infra Optimization
lower memory footprint from pruned weights
Model Optimization
WANDA pruning (attention-layer, 10–30% sparsity)

Reproducibility

Code AvailableNo
Data AvailableNo
Open Source StatusUnknown
LicenseUnknown

Risks & Boundaries

Limitations

Experiments limited to 7B models; effects on larger models are unknown.

Only WANDA pruning evaluated; other compression methods may differ.

When Not To Use

Do not rely on pruning as the sole safety measure for poorly aligned models.

Avoid pruning >30% sparsity in production as it can reduce safety and capabilities.

Failure Modes

Over-pruning (>30%) reduces alignment and can increase harmful outputs.

Models with little or no prior safety training (e.g., no RLHF) may see little benefit.

Core Entities

Models

LLaMA-2-7B-ChatVicuna-1.3-7BMistral-Instruct-v0.2-7BWANDA pruning (attention-layer)

Metrics

refusal rateperplexityattention entropyIgnoreJailbreak metricAccuracyMSE (linear models)

Datasets

Custom malicious tasks dataset (225 tasks, 2,250 samples)AdvBench harmful behavior datasetWikiText (perplexity)Open LLM Leaderboard tasks (ARC, HellaSwag, MMLU, TruthfulQA, Winogrande, GSM8K, AltQA)

Benchmarks

Open LLM Leaderboard (ARC, HellaSwag, MMLU, TruthfulQA, Winogrande, GSM8K, AltQA)AdvBench

Context Entities

Models

LLaMA-2 base models and RLHF-aligned versionsVicuna and Mistral fine-tuned variants

Metrics

p-values for GCG attack experimentsper-sparsity attention/head statistics

Datasets

AdvBench (for automated attacks)AltQA (effective context length test)

Benchmarks

Open LLM Leaderboard components

You May Also Want to Read

A practical survey of compression and speed tricks to run large language models on limited hardware

0.80
0.50
0.85
13

Compression and better kernels let teams run large LLMs on fewer GPUs or even on single workstations, cutting hosting costs and enabling edge/embedded use cases without losing core capabilities.

Key finding

Quantizing FP32 weights to 4-bit cuts model size roughly to one-eighth.

Numbers: ≈1/8 model size when FP32→INT4

Practical survey of quantization, pruning, distillation, and decoding tricks to make LLMs cheaper and faster

0.60
0.30
0.80
0

Optimizations can cut memory and latency costs enough to enable local hosting, cheaper cloud inference, or higher throughput; pick a method by the hardware you control and quality you must preserve.

Key finding

Speculative decoding can cut inference latency substantially by proposing tokens from a smaller model and checking them with the target model.

Numbers: 2x3x latency improvement reported

Smaller, faster NLLB-based models for 15 African language pairs, with released data and code

0.70
0.60
0.70
0

AfriNLLB delivers translation models that are 20–57% faster at inference while keeping similar quality, making deployment in constrained environments (limited GPU or server cost) more affordable and easier.

Key finding

Iterative pruning produced a 548M model that runs faster than baseline.

Numbers: Throughput +23% (pruned) and +57% (pruned + FP16) vs NLLB-600M

Compression can preserve or break LLM trust: 4-bit quantization often keeps or even improves ethics/fairness, pruning and 3-bit quantization

0.70
0.60
0.80
4

Compression can save cost and enable deployment on consumer GPUs, but it can also change model safety in ways that accuracy tests miss. Pick compression methods and bit-rates with trust tests, not just MMLU.

Key finding

4-bit post-training quantization usually preserves trustworthiness within small margins.

Numbers: ≤5-point drop across 8 trust metrics (LLAMA2 13b Chat, 4-bit)

Use LLM agents + runtime profiling to pick layerwise pruning and post-training dynamic quantization automatically

0.60
0.70
0.70
0

Profiling-guided, LLM-driven compression automates model tuning for latency and memory limits. It reduces manual trial-and-error and can make large vision models viable on CPU- or memory-constrained edge servers with minimal accuracy loss.

Key finding

ProfilingAgent's quantization achieves large memory savings with tiny accuracy loss.

Numbers: Mem.Red ≈ 74% and ∆Acc ≤ 0.5% on ImageNet-1K (Table 3,4)