Papers
Topics
Authors
Recent
Search
2000 character limit reached

Critical-CoT: A Robust Defense Framework against Reasoning-Level Backdoor Attacks in Large Language Models

Published 12 Apr 2026 in cs.CR and cs.AI | (2604.10681v2)

Abstract: LLMs, despite their impressive capabilities across domains, have been shown to be vulnerable to backdoor attacks. Prior backdoor strategies predominantly operate at the token level, where an injected trigger causes the model to generate a specific target word, choice, or class (depending on the task). Recent advances, however, exploit the long-form reasoning tendencies of modern LLMs to conduct reasoning-level backdoors: once triggered, the victim model inserts one or more malicious reasoning steps into its chain-of-thought (CoT). These attacks are substantially harder to detect, as the backdoored answer remains plausible and consistent with the poisoned reasoning trajectory. Yet, defenses tailored to this type of backdoor remain largely unexplored. To bridge this gap, we propose Critical-CoT, a novel defense mechanism that conducts a two-stage fine-tuning (FT) process on LLMs to develop critical thinking behaviors, enabling them to automatically identify potential backdoors and refuse to generate malicious reasoning steps. Extensive experiments across multiple LLMs and datasets demonstrate that Critical-CoT provides strong robustness against both in-context learning-based and FT-based backdoor attacks. Notably, Critical-CoT exhibits strong cross-domain and cross-task generalization. Our code is available at hthttps://github.com/tuanvu171/Critical-CoT.

Authors (2)

Summary

  • The paper introduces Critical-CoT, a two-stage framework using SFT and DPO to robustly detect reasoning-level backdoor attacks in LLMs.
  • It constructs paired defensive datasets targeting both ICL- and FT-based threats, thereby restoring clean-task accuracy with minimal degradation.
  • Empirical evaluations show 94โ€“99% detection rates and near-clean performance, significantly outperforming existing defense strategies.

Critical-CoT: Defense Against Reasoning-Level Backdoor Attacks in LLMs

Motivation and Problem Statement

Backdoor attacks on LLMs have evolved beyond token-level manipulation, with recent advances targeting reasoning-level vulnerabilities, injecting malicious steps into chain-of-thought (CoT) reasoning processes. In reasoning-level attacks, the injected steps are semantically coherent and maintain internal consistency, severely degrading the efficacy of prior detection techniques that rely on incoherence or anomalous outputs. Notably, both in-context learning-based (ICL) and fine-tuning-based (FT) attack paradigms can instantiate this threat, creating a critical need for robust and unified defense strategies. Current defenses are deficient, either failing to generalize to reasoning-level attacks or introducing substantial accuracy penalties on clean tasks.

Critical-CoT Framework

Critical-CoT addresses reasoning-level backdoor threats via a two-stage defensive fine-tuning protocol that explicitly instantiates critical-thinking behavior in the target LLM. The overall defense architecture systematically guides the LLM to scrutinize input prompts for potential triggers and to override malicious reasoning, without assumptions on the trigger form, target behavior, or attack method. An overview of the Critical-CoT mechanism, including defensive dataset construction and fine-tuning pipeline, is illustrated below. Figure 1

Figure 1: Overview of Critical-CoT defense with an example on arithmetic reasoning tasks.

Defensive Dataset Construction

Critical-CoT synthesizes a defensive dataset (CTCoT) containing both backdoor-aware and clean reasoning instances. For ICL-based threats, poisoned demonstrations are algorithmically constructed, embedding triggers and malicious reasoning steps. Defensive instructions are introduced during generation to prompt an auxiliary clean LLM to flag and ignore such malicious constructs. Similarly, in the FT-based setting, queries are randomly spiked with triggers from a diverse and adversarial set (covering raw symbols, contrived phrases, and benign fillers) to train trigger-awareness irrespective of their semantics.

The construction of two paired datasets is central:

  • DICLdef\mathcal{D}_\text{ICL}^\text{def}: Defensive examples for ICL-based attacks, with explicit malicious demonstration reasoning.
  • DFTdef\mathcal{D}_\text{FT}^\text{def}: Defensive examples for FT-based attacks, training the model to recognize and ignore anomalous or out-of-distribution query patterns.

Both are supplemented by clean reasoning examples, enabling joint optimization for both robustness and utility.

Two-Stage Fine-Tuning: SFT and DPO

Critical-CoTโ€™s defense pipeline comprises two intertwined stages:

  1. Supervised Fine-Tuning (SFT): The LLM is fine-tuned on the CTCoT dataset, enforcing explicit critical reasoning and adversarial trigger detection. SFT establishes the fundamental defensive behavior but can bias the model towards over-cautiousnessโ€”incorrectly flagging benign inputs.
  2. Direct Preference Optimization (DPO): Following SFT, DPO is employed using paired preference data. On adversarial samples, the preferred response is the backdoor-aware, trigger-ignoring answer; the non-preferred is the backdoored output. On clean data, this is reversed for over-cautious false-positive scenarios. DPO sharpens the modelโ€™s discrimination boundary, suppressing both under- and over-detection.

Empirical Evaluation

Critical-CoTโ€™s robustness was evaluated on multiple LLMs (including GPT-OSS-20B, Qwen3-14B, and LLaMA-2-13B) and reasoning benchmarks (GSM8K, MATH, CSQA), against both ICL-based (e.g., BadChain) and FT-based (e.g., adaptations of BALD/ShadowCoT) backdoor attacks. Triggers employed included unseen variants during evaluation for a rigorous assessment of generalization.

Defensive Performance

Critical-CoT achieved 94โ€“99% backdoor and trigger detection rates across both attack families with residual attack success rates suppressed below 1%. Defensive accuracy under attack, which was <10%<10\% without defense, is restored to near-clean levels post-defense, with only negligible clean-task degradation (<2% drop in accuracy).

Ablation studies confirmed the complementarity of SFT and DPO: SFT alone induces over-cautiousness (high false positives), and DPO alone yields under-detection; their combination is necessary for optimal operation.

Cross-Domain and Cross-Task Generalization

Critical-CoT maintains high detection and low attack rates even when the defensive dataset and evaluation queries stem from distinct domains (arithmetic โ†’\rightarrow MATH; MATH โ†’\rightarrow GSM8K) or orthogonal tasks (arithmetic โ†’\rightarrow commonsense MCQA), evidencing strong generalization to novel tasks and domains.

Comparison with Existing Defenses

Critical-CoT decisively outperformed baselines including ONION, Chain-of-Scrutiny, Shuffle/Shuffle++, and Clean Fine-Tuning. Notably, CoS and ONION left over 60% of attacks undetected, while Shuffle-based strategies, though reducing ASR, introduced unsustainable utility losses. Clean FT is ineffective for ICL-based threats and can inadvertently raise attack susceptibility.

Limitations and Implications

Critical-CoTโ€™s defense incurs a one-time fine-tuning cost, but unlike inference-time prompt-based defenses, does not require runtime overhead. The method is agnostic to explicit trigger content but may not capture highly contextual or purely semantic triggers. Additionally, accuracy under FT-based attacks may be bounded by pre-existing reasoning degradation in heavily poisoned models. Improving post-detection recovery for irreparably compromised models and expanding to semantic/contextual trigger detection are open problems.

Practically, Critical-CoT renders deployed LLMs substantially more robust to advanced backdoor campaigns, a critical property for safety-critical real-world applications. Theoretically, its two-stage protocol underscores the utility of joint discriminative and critical-behavioral training in robust reasoning models.

Future Directions

Expanding defensive capabilities to address emerging attack paradigmsโ€”such as semantically conditioned triggers, context-driven vulnerabilities, or policy-level manipulationsโ€”remains a central challenge. Further, integrating automatic post-detection repair and utility-preserving strategies could enhance recovery in irrevocably poisoned models. Investigation of automatic defensive dataset synthesis and its transferability to new benchmarks and domains is also warranted.

Conclusion

Critical-CoT establishes a unified, effective framework for mitigating reasoning-level backdoor attacks against LLMs, providing consistently high detection, minimal attack success, and negligible impact on clean-task utility. Its strong empirical results across attack modalities, generalization scenarios, and LLM architectures advocate for its adoption as a standard robustness baseline in future reasoning-centric LLM deployments (2604.10681).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.