Reasoning Introduces New Poisoning Attacks Yet Makes Them More Complicated
This addresses security vulnerabilities in advanced LLMs for AI safety researchers, showing incremental insights into attack and defense mechanisms.
The paper tackles the problem of data poisoning attacks on Large Language Models (LLMs) with reasoning capabilities, introducing a stealthy 'decomposed reasoning poison' attack that modifies only the reasoning path, but finds that reliably changing final answers is difficult due to models recovering from backdoors, indicating emergent robustness.
Early research into data poisoning attacks against Large Language Models (LLMs) demonstrated the ease with which backdoors could be injected. More recent LLMs add step-by-step reasoning, expanding the attack surface to include the intermediate chain-of-thought (CoT) and its inherent trait of decomposing problems into subproblems. Using these vectors for more stealthy poisoning, we introduce ``decomposed reasoning poison'', in which the attacker modifies only the reasoning path, leaving prompts and final answers clean, and splits the trigger across multiple, individually harmless components. Fascinatingly, while it remains possible to inject these decomposed poisons, reliably activating them to change final answers (rather than just the CoT) is surprisingly difficult. This difficulty arises because the models can often recover from backdoors that are activated within their thought processes. Ultimately, it appears that an emergent form of backdoor robustness is originating from the reasoning capabilities of these advanced LLMs, as well as from the architectural separation between reasoning and final answer generation.