ExplainableGuard: Interpretable Adversarial Defense for Large Language Models Using Chain-of-Thought Reasoning
Shaowei Guan, Yu Zhai, Zhengyu Zhang, Yanze Wang, Hin Chi Kwok
TL;DR
This paper addresses adversarial vulnerabilities of large language models by introducing ExplainableGuard, an interpretable defense that uses Chain-of-Thought prompting with the DeepSeek-Reasoner to detect, purify, and explain adversarial text perturbations. Given an input $T_{adv}$, the system outputs a purified text $T_{clean}$, an explanation $E$, a boolean is_adv, and a reasoning trace $R$, thereby improving transparency alongside defense. Empirical results on GLUE short-text tasks and IMDB long-text data show reductions in Attack Success Rate (ASR) and high BLEU scores indicating content preservation, while human evaluations favor the explanations over ablated variants. The work highlights a crucial trade-off between defense efficacy and interpretability, arguing that explainability enhances deployability-trust and charts a path toward auditable and trustworthy AI security in real-world deployments.
Abstract
Large Language Models (LLMs) are increasingly vulnerable to adversarial attacks that can subtly manipulate their outputs. While various defense mechanisms have been proposed, many operate as black boxes, lacking transparency in their decision-making. This paper introduces ExplainableGuard, an interpretable adversarial defense framework leveraging the chain-of-thought (CoT) reasoning capabilities of DeepSeek-Reasoner. Our approach not only detects and neutralizes adversarial perturbations in text but also provides step-by-step explanations for each defense action. We demonstrate how tailored CoT prompts guide the LLM to perform a multi-faceted analysis (character, word, structural, and semantic) and generate a purified output along with a human-readable justification. Preliminary results on the GLUE Benchmark and IMDB Movie Reviews dataset show promising defense efficacy. Additionally, a human evaluation study reveals that ExplainableGuard's explanations outperform ablated variants in clarity, specificity, and actionability, with a 72.5% deployability-trust rating, underscoring its potential for more trustworthy LLM deployments.