Adversarial Manipulation of Reasoning Models using Internal Representations
This work addresses security risks in reasoning models for AI safety by revealing a new target for adversarial manipulation, though it is incremental as it builds on existing jailbreak techniques.
The researchers tackled the vulnerability of reasoning models to jailbreak attacks by identifying a 'caution' direction in activation space during chain-of-thought generation that predicts refusal or compliance, and ablating it increased harmful compliance, effectively jailbreaking the model.
Reasoning models generate chain-of-thought (CoT) tokens before their final output, but how this affects their vulnerability to jailbreak attacks remains unclear. While traditional language models make refusal decisions at the prompt-response boundary, we find evidence that DeepSeek-R1-Distill-Llama-8B makes these decisions within its CoT generation. We identify a linear direction in activation space during CoT token generation that predicts whether the model will refuse or comply -- termed the "caution" direction because it corresponds to cautious reasoning patterns in the generated text. Ablating this direction from model activations increases harmful compliance, effectively jailbreaking the model. We additionally show that intervening only on CoT token activations suffices to control final outputs, and that incorporating this direction into prompt-based attacks improves success rates. Our findings suggest that the chain-of-thought itself is a promising new target for adversarial manipulation in reasoning models. Code available at https://github.com/ky295/reasoning-manipulation.