Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Beyond Content Safety: Real-Time Monitoring for Reasoning Vulnerabilities in Large Language Models

Xunguang Wang, Yuguang Zhou, Qingyue Wang, Zongjie Li, Ruixuan Huang, Zhenlan Ji, Pingchuan Ma, Shuai Wang

Abstract

Large language models (LLMs) increasingly rely on explicit chain-of-thought (CoT) reasoning to solve complex tasks, yet the safety of the reasoning process itself remains largely unaddressed. Existing work on LLM safety focuses on content safety--detecting harmful, biased, or factually incorrect outputs -- and treats the reasoning chain as an opaque intermediate artifact. We identify reasoning safety as an orthogonal and equally critical security dimension: the requirement that a model's reasoning trajectory be logically consistent, computationally efficient, and resistant to adversarial manipulation. We make three contributions. First, we formally define reasoning safety and introduce a nine-category taxonomy of unsafe reasoning behaviors, covering input parsing errors, reasoning execution errors, and process management errors. Second, we conduct a large-scale prevalence study annotating 4111 reasoning chains from both natural reasoning benchmarks and four adversarial attack methods (reasoning hijacking and denial-of-service), confirming that all nine error types occur in practice and that each attack induces a mechanistically interpretable signature. Third, we propose a Reasoning Safety Monitor: an external LLM-based component that runs in parallel with the target model, inspects each reasoning step in real time via a taxonomy-embedded prompt, and dispatches an interrupt signal upon detecting unsafe behavior. Evaluation on a 450-chain static benchmark shows that our monitor achieves up to 84.88\% step-level localization accuracy and 85.37\% error-type classification accuracy, outperforming hallucination detectors and process reward model baselines by substantial margins. These results demonstrate that reasoning-level monitoring is both necessary and practically achievable, and establish reasoning safety as a foundational concern for the secure deployment of large reasoning models.

Beyond Content Safety: Real-Time Monitoring for Reasoning Vulnerabilities in Large Language Models

Abstract

Large language models (LLMs) increasingly rely on explicit chain-of-thought (CoT) reasoning to solve complex tasks, yet the safety of the reasoning process itself remains largely unaddressed. Existing work on LLM safety focuses on content safety--detecting harmful, biased, or factually incorrect outputs -- and treats the reasoning chain as an opaque intermediate artifact. We identify reasoning safety as an orthogonal and equally critical security dimension: the requirement that a model's reasoning trajectory be logically consistent, computationally efficient, and resistant to adversarial manipulation. We make three contributions. First, we formally define reasoning safety and introduce a nine-category taxonomy of unsafe reasoning behaviors, covering input parsing errors, reasoning execution errors, and process management errors. Second, we conduct a large-scale prevalence study annotating 4111 reasoning chains from both natural reasoning benchmarks and four adversarial attack methods (reasoning hijacking and denial-of-service), confirming that all nine error types occur in practice and that each attack induces a mechanistically interpretable signature. Third, we propose a Reasoning Safety Monitor: an external LLM-based component that runs in parallel with the target model, inspects each reasoning step in real time via a taxonomy-embedded prompt, and dispatches an interrupt signal upon detecting unsafe behavior. Evaluation on a 450-chain static benchmark shows that our monitor achieves up to 84.88\% step-level localization accuracy and 85.37\% error-type classification accuracy, outperforming hallucination detectors and process reward model baselines by substantial margins. These results demonstrate that reasoning-level monitoring is both necessary and practically achievable, and establish reasoning safety as a foundational concern for the secure deployment of large reasoning models.

Paper Structure

This paper contains 17 sections, 2 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Content Safety
  4. COT & LRMs
  5. Reasoning Attacks
  6. Reasoning Safety: Taxonomy & Prevalence
  7. Defining Reasoning Safety
  8. Unsafe Behavior Taxonomy
  9. Prevalence Study
  10. Reasoning Safety Monitor
  11. Threat Model and Design Goals
  12. System Architecture
  13. Monitor Implementation
  14. Evaluation
  15. Experimental Setup
  16. ...and 2 more sections

Figures (2)

  • Figure 1: Error type distributions across the natural reasoning dataset (OmniMath) and four attack-induced datasets. Category codes follow Table \ref{['tab:taxonomy']}: 1a=Misinterpretation, 1b=Missing Constraints, 1c=Symbol Mapping Error, 2a=Logical Fallacy, 2b=Calculation Error, 2c=Inconsistency, 3a=Reasoning Loop, 3b=Goal Deviation, 3c=Premature Conclusion.
  • Figure 2: Overview of the Reasoning Safety Monitor. The monitor runs in parallel with the target LLM, receiving each reasoning step via a streaming interface segmented by double newlines. For every step, the monitor queries an LLM verifier with the full contextual history and the nine-type error taxonomy, producing a structured verdict (safety flag, error type, location, confidence, and explanation). If the verdict indicates an unsafe step with confidence $\geq\tau$, an interrupt signal halts the target LLM's generation pipeline; otherwise, the step is appended to the context window and generation continues. A chain in which all steps pass inspection proceeds to produce the final answer.