Inferensys

Glossary

Erase-and-Check

A certified defense that systematically erases tokens from an input and checks all subsequences for harmful content, providing a mathematical guarantee against adversarial suffixes.
Developer building agentic RAG system, retrieval pipeline diagram on laptop, technical workspace with notes.
CERTIFIED ADVERSARIAL DEFENSE

What is Erase-and-Check?

A systematic defense mechanism that provides mathematical safety guarantees by exhaustively verifying all subsequences of an input for harmful content after erasing individual tokens.

Erase-and-Check is a certified defense algorithm that systematically removes each token from an input sequence and evaluates all resulting subsequences against a safety classifier. By exhaustively checking every possible erasure, it provides a mathematical guarantee that no adversarial suffix can bypass detection—if any harmful subsequence exists, it will be flagged. This approach directly counters GCG attacks and other gradient-based adversarial suffix generation methods.

Unlike heuristic filters that can be evaded through obfuscation, Erase-and-Check offers a provable safety certificate: if the algorithm declares an input safe, no harmful contiguous subsequence exists within it. The primary trade-off is computational cost, as the number of subsequences grows quadratically with input length. Implementations often use safety classifiers optimized for throughput and may restrict the erasure window to manage latency in production deployments.

CERTIFIED DEFENSE MECHANISM

Key Features of Erase-and-Check

A systematic defense framework that provides mathematical safety guarantees against adversarial suffix attacks by exhaustively verifying all subsequences of a potentially harmful input.

01

Certified Robustness Guarantee

Provides a formal mathematical guarantee that no adversarial suffix of a specified length can cause harmful output. Unlike empirical defenses that can be bypassed by novel attacks, Erase-and-Check offers provable safety within its threat model. The certification states that if the defense passes an input, no suffix up to a certain token length can make it harmful.

02

Exhaustive Subsequence Verification

Systematically erases tokens from the input sequence and checks all possible subsequences for harmful content using a safety filter. Key process:

  • Iteratively removes contiguous token spans
  • Evaluates each resulting subsequence independently
  • Flags input as harmful if any subsequence triggers the safety classifier
  • Guarantees no adversarial suffix escapes detection within the certified length bound
03

Adversarial Suffix Neutralization

Specifically designed to counter GCG-style attacks and other gradient-based suffix generation methods. Adversarial suffixes exploit model gradients to append nonsensical tokens that maximize harmful output probability. Erase-and-Check defeats these by:

  • Checking the prompt without the suffix appended
  • Verifying that the core harmful instruction is detected regardless of suffix presence
  • Rendering suffix optimization ineffective against the defense
04

Safety Filter Integration

Leverages an external harmfulness classifier as the checking mechanism for each subsequence. The defense is agnostic to the specific filter implementation, allowing integration with:

  • Fine-tuned safety language models
  • Perplexity-based anomaly detectors
  • Rule-based content policy engines
  • Ensemble classifiers combining multiple detection methods This modularity enables defense strength to scale with filter improvements.
05

Computational Trade-off Management

The exhaustive checking of all subsequences introduces O(n²) computational overhead where n is the input token length. Mitigation strategies include:

  • Limiting the certified suffix length to bound the search space
  • Parallelizing subsequence evaluations across multiple inference instances
  • Caching intermediate safety filter results for overlapping subsequences
  • Applying the defense selectively to high-risk inputs identified by lightweight pre-filters
06

Integration with SmoothLLM

Often deployed alongside SmoothLLM as part of a defense-in-depth strategy. While SmoothLLM uses input perturbation and response aggregation to detect anomalies, Erase-and-Check provides the formal certification layer. Together they address:

  • SmoothLLM: Runtime anomaly detection through output variance analysis
  • Erase-and-Check: Pre-execution certification against known suffix attack patterns
  • Combined: Both empirical and provable safety guarantees in production systems
CERTIFIED DEFENSE MECHANISM

Frequently Asked Questions

Explore the mechanics, guarantees, and implementation considerations of Erase-and-Check, the first certified defense against adversarial suffix attacks on large language models.

Erase-and-Check is a certified defense algorithm that provides a mathematical guarantee against adversarial suffix attacks on large language models. It operates by systematically erasing individual tokens from an input sequence and evaluating all resulting subsequences with a safety filter. The core mechanism works as follows: for an input of length n, the algorithm generates n subsequences by erasing one token at a time, then checks each subsequence for harmful content. If any subsequence is flagged as harmful, the original input is blocked. This process exploits the property that adversarial suffixes are contiguous token sequences—erasing any single token from the suffix breaks its effectiveness, causing the harmful prompt to be detected. Unlike heuristic defenses that can be bypassed, Erase-and-Check provides a certifiable robustness guarantee: if the safety filter correctly classifies all subsequences of length n-1, then no adversarial suffix of any length can cause the model to generate harmful output.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.