Table of Contents
Fetching ...

STAR: Detecting Inference-time Backdoors in LLM Reasoning via State-Transition Amplification Ratio

Seong-Gyu Park, Sohee Park, Jisu Lee, Hyunsik Na, Daeseon Choi

TL;DR

STAR tackles inference-time backdoors in LLM reasoning by exploiting the discrepancy between conditioned reasoning probabilities and the model’s prior knowledge, quantified via per-token log-likelihood ratios and a cumulative CUSUM statistic. The approach requires only post-generation logits, enabling a single-pass, low-overhead detection that does not modify model parameters or require re-training. Empirically, STAR delivers near-perfect AUROC and robust F1 across 8B–70B models and five reasoning benchmarks, while maintaining substantial speed advantages over baselines and remaining robust under adaptive attacks. The method offers a practical, real-time defense with broad applicability to commercial and open-source LLM deployments, subject to logits access and future exploration of training-time backdoors.

Abstract

Recent LLMs increasingly integrate reasoning mechanisms like Chain-of-Thought (CoT). However, this explicit reasoning exposes a new attack surface for inference-time backdoors, which inject malicious reasoning paths without altering model parameters. Because these attacks generate linguistically coherent paths, they effectively evade conventional detection. To address this, we propose STAR (State-Transition Amplification Ratio), a framework that detects backdoors by analyzing output probability shifts. STAR exploits the statistical discrepancy where a malicious input-induced path exhibits high posterior probability despite a low prior probability in the model's general knowledge. We quantify this state-transition amplification and employ the CUSUM algorithm to detect persistent anomalies. Experiments across diverse models (8B-70B) and five benchmark datasets demonstrate that STAR exhibits robust generalization capabilities, consistently achieving near-perfect performance (AUROC $\approx$ 1.0) with approximately $42\times$ greater efficiency than existing baselines. Furthermore, the framework proves robust against adaptive attacks attempting to bypass detection.

STAR: Detecting Inference-time Backdoors in LLM Reasoning via State-Transition Amplification Ratio

TL;DR

STAR tackles inference-time backdoors in LLM reasoning by exploiting the discrepancy between conditioned reasoning probabilities and the model’s prior knowledge, quantified via per-token log-likelihood ratios and a cumulative CUSUM statistic. The approach requires only post-generation logits, enabling a single-pass, low-overhead detection that does not modify model parameters or require re-training. Empirically, STAR delivers near-perfect AUROC and robust F1 across 8B–70B models and five reasoning benchmarks, while maintaining substantial speed advantages over baselines and remaining robust under adaptive attacks. The method offers a practical, real-time defense with broad applicability to commercial and open-source LLM deployments, subject to logits access and future exploration of training-time backdoors.

Abstract

Recent LLMs increasingly integrate reasoning mechanisms like Chain-of-Thought (CoT). However, this explicit reasoning exposes a new attack surface for inference-time backdoors, which inject malicious reasoning paths without altering model parameters. Because these attacks generate linguistically coherent paths, they effectively evade conventional detection. To address this, we propose STAR (State-Transition Amplification Ratio), a framework that detects backdoors by analyzing output probability shifts. STAR exploits the statistical discrepancy where a malicious input-induced path exhibits high posterior probability despite a low prior probability in the model's general knowledge. We quantify this state-transition amplification and employ the CUSUM algorithm to detect persistent anomalies. Experiments across diverse models (8B-70B) and five benchmark datasets demonstrate that STAR exhibits robust generalization capabilities, consistently achieving near-perfect performance (AUROC 1.0) with approximately greater efficiency than existing baselines. Furthermore, the framework proves robust against adaptive attacks attempting to bypass detection.
Paper Structure (34 sections, 9 equations, 5 figures, 6 tables)

This paper contains 34 sections, 9 equations, 5 figures, 6 tables.

Figures (5)

  • Figure 1: Inference-time Backdoor Attack Framework. An adversary injects a trigger into the input prompt, manipulating the LLM to generate a malicious reasoning path that leads to an incorrect target answer, all while remaining imperceptible to the user.
  • Figure 2: Inference-time Backdoor Attack Example
  • Figure 3: Schematic illustration of state-transition amplification during malicious reasoning. The initial trigger induces a probability shift, which is progressively magnified through subsequent reasoning tokens, leading to a highly detectable anomaly.
  • Figure 4: Detection performance of STAR across varying sampling temperatures, averaged over five datasets. The results indicate that the method maintains high stability independent of temperature changes.
  • Figure 5: Visualization of the suspicion score ($g_t$) trajectory on Llama3 8B across five datasets. The $g_t$ value remains low during normal generation but rises sharply upon trigger appearance and peaks during the malicious reasoning process. This confirms that STAR detects attacks by capturing the statistical discrepancy in the reasoning phase, independent of specific trigger patterns.