Attention-Guided Reward for Reinforcement Learning-based Jailbreak against Large Reasoning Models
For security researchers and developers of LRMs, this work exposes a new vulnerability in reasoning models and provides a more effective attack method, though it is incremental as it builds on existing RL-based jailbreak techniques.
This paper investigates jailbreak attacks on Large Reasoning Models (LRMs), revealing that attack success rate correlates with attention patterns. The proposed reinforcement learning-based method incorporating attention signals achieves substantially higher attack success rates across multiple LRMs and benchmarks.
Large Reasoning Models (LRMs) have demonstrated remarkable capabilities in solving complex problems by generating structured, step-by-step reasoning content. However, exposing a model's internal reasoning process introduces additional safety risks; for example, recent studies show that LRMs are more vulnerable to jailbreak attacks than standard LLMs. In this paper, we investigate jailbreak attacks on LRMs and reveal that the attack success rate (ASR) is closely correlated with LRMs' attention patterns. Specifically, successful jailbreaks tend to assign lower attention to harmful tokens in the input prompt, while allocating higher attention to those tokens in the reasoning content. Motivated by this finding, we propose a novel jailbreak method for LRMs that leverages reinforcement learning (RL) to enhance attack effectiveness, explicitly incorporating attention signals into the reward function design. In addition, we introduce diverse persuasion strategies to enrich the RL action space, which consistently improves the ASR. Extensive experiments on five open-source and closed-source LRMs across three benchmarks demonstrate that our method achieves substantially higher ASR, outperforming existing approaches in terms of effectiveness, efficiency, and transferability.