Inside the LLM | Understanding AI & the Mechanics of Modern Attacks

Keypoints

• LLM input is transformed through tokenization, embeddings, positional encoding, and attention, and vulnerabilities can arise at each stage.
• Tokenization boundaries and subword tokenization (e.g., BPE) enable filter evasion by fragmenting blocked keywords like “powershell”.
• Gradient-based attacks (e.g., GCG) can optimize token sequences to shift embeddings and bypass safety guardrails across models.
• Context window limits and chunking introduce attacks where important alerts or instructions can be pushed out of model memory or processed incorrectly.
• Adversarial suffixes can hijack self-attention by producing Key vectors that dominate attention scores, steering model outputs despite existing safety rules.
• Mitigations include randomized smoothing (e.g., SmoothLLM), suffix filtering, and adversarial training, but these remain partial defenses as attackers adapt.
• Major providers (OpenAI, Anthropic, Google) deploy layered defenses like instruction hierarchies and constitutional classifiers, highlighting an evolving defensive landscape.