STAR: Detecting Inference-time Backdoors in LLM Reasoning via State-Transition Amplification Ratio
Seong-Gyu Park, Sohee Park, Jisu Lee, Hyunsik Na, Daeseon Choi
TL;DR
STAR tackles inference-time backdoors in LLM reasoning by exploiting the discrepancy between conditioned reasoning probabilities and the model’s prior knowledge, quantified via per-token log-likelihood ratios and a cumulative CUSUM statistic. The approach requires only post-generation logits, enabling a single-pass, low-overhead detection that does not modify model parameters or require re-training. Empirically, STAR delivers near-perfect AUROC and robust F1 across 8B–70B models and five reasoning benchmarks, while maintaining substantial speed advantages over baselines and remaining robust under adaptive attacks. The method offers a practical, real-time defense with broad applicability to commercial and open-source LLM deployments, subject to logits access and future exploration of training-time backdoors.
Abstract
Recent LLMs increasingly integrate reasoning mechanisms like Chain-of-Thought (CoT). However, this explicit reasoning exposes a new attack surface for inference-time backdoors, which inject malicious reasoning paths without altering model parameters. Because these attacks generate linguistically coherent paths, they effectively evade conventional detection. To address this, we propose STAR (State-Transition Amplification Ratio), a framework that detects backdoors by analyzing output probability shifts. STAR exploits the statistical discrepancy where a malicious input-induced path exhibits high posterior probability despite a low prior probability in the model's general knowledge. We quantify this state-transition amplification and employ the CUSUM algorithm to detect persistent anomalies. Experiments across diverse models (8B-70B) and five benchmark datasets demonstrate that STAR exhibits robust generalization capabilities, consistently achieving near-perfect performance (AUROC $\approx$ 1.0) with approximately $42\times$ greater efficiency than existing baselines. Furthermore, the framework proves robust against adaptive attacks attempting to bypass detection.
