- The paper introduces Critical-CoT, a two-stage framework using SFT and DPO to robustly detect reasoning-level backdoor attacks in LLMs.
- It constructs paired defensive datasets targeting both ICL- and FT-based threats, thereby restoring clean-task accuracy with minimal degradation.
- Empirical evaluations show 94โ99% detection rates and near-clean performance, significantly outperforming existing defense strategies.
Critical-CoT: Defense Against Reasoning-Level Backdoor Attacks in LLMs
Motivation and Problem Statement
Backdoor attacks on LLMs have evolved beyond token-level manipulation, with recent advances targeting reasoning-level vulnerabilities, injecting malicious steps into chain-of-thought (CoT) reasoning processes. In reasoning-level attacks, the injected steps are semantically coherent and maintain internal consistency, severely degrading the efficacy of prior detection techniques that rely on incoherence or anomalous outputs. Notably, both in-context learning-based (ICL) and fine-tuning-based (FT) attack paradigms can instantiate this threat, creating a critical need for robust and unified defense strategies. Current defenses are deficient, either failing to generalize to reasoning-level attacks or introducing substantial accuracy penalties on clean tasks.
Critical-CoT Framework
Critical-CoT addresses reasoning-level backdoor threats via a two-stage defensive fine-tuning protocol that explicitly instantiates critical-thinking behavior in the target LLM. The overall defense architecture systematically guides the LLM to scrutinize input prompts for potential triggers and to override malicious reasoning, without assumptions on the trigger form, target behavior, or attack method. An overview of the Critical-CoT mechanism, including defensive dataset construction and fine-tuning pipeline, is illustrated below.
Figure 1: Overview of Critical-CoT defense with an example on arithmetic reasoning tasks.
Defensive Dataset Construction
Critical-CoT synthesizes a defensive dataset (CTCoT) containing both backdoor-aware and clean reasoning instances. For ICL-based threats, poisoned demonstrations are algorithmically constructed, embedding triggers and malicious reasoning steps. Defensive instructions are introduced during generation to prompt an auxiliary clean LLM to flag and ignore such malicious constructs. Similarly, in the FT-based setting, queries are randomly spiked with triggers from a diverse and adversarial set (covering raw symbols, contrived phrases, and benign fillers) to train trigger-awareness irrespective of their semantics.
The construction of two paired datasets is central:
- DICLdefโ: Defensive examples for ICL-based attacks, with explicit malicious demonstration reasoning.
- DFTdefโ: Defensive examples for FT-based attacks, training the model to recognize and ignore anomalous or out-of-distribution query patterns.
Both are supplemented by clean reasoning examples, enabling joint optimization for both robustness and utility.
Two-Stage Fine-Tuning: SFT and DPO
Critical-CoTโs defense pipeline comprises two intertwined stages:
- Supervised Fine-Tuning (SFT): The LLM is fine-tuned on the CTCoT dataset, enforcing explicit critical reasoning and adversarial trigger detection. SFT establishes the fundamental defensive behavior but can bias the model towards over-cautiousnessโincorrectly flagging benign inputs.
- Direct Preference Optimization (DPO): Following SFT, DPO is employed using paired preference data. On adversarial samples, the preferred response is the backdoor-aware, trigger-ignoring answer; the non-preferred is the backdoored output. On clean data, this is reversed for over-cautious false-positive scenarios. DPO sharpens the modelโs discrimination boundary, suppressing both under- and over-detection.
Empirical Evaluation
Critical-CoTโs robustness was evaluated on multiple LLMs (including GPT-OSS-20B, Qwen3-14B, and LLaMA-2-13B) and reasoning benchmarks (GSM8K, MATH, CSQA), against both ICL-based (e.g., BadChain) and FT-based (e.g., adaptations of BALD/ShadowCoT) backdoor attacks. Triggers employed included unseen variants during evaluation for a rigorous assessment of generalization.
Critical-CoT achieved 94โ99% backdoor and trigger detection rates across both attack families with residual attack success rates suppressed below 1%. Defensive accuracy under attack, which was <10% without defense, is restored to near-clean levels post-defense, with only negligible clean-task degradation (<2% drop in accuracy).
Ablation studies confirmed the complementarity of SFT and DPO: SFT alone induces over-cautiousness (high false positives), and DPO alone yields under-detection; their combination is necessary for optimal operation.
Cross-Domain and Cross-Task Generalization
Critical-CoT maintains high detection and low attack rates even when the defensive dataset and evaluation queries stem from distinct domains (arithmetic โ MATH; MATH โ GSM8K) or orthogonal tasks (arithmetic โ commonsense MCQA), evidencing strong generalization to novel tasks and domains.
Comparison with Existing Defenses
Critical-CoT decisively outperformed baselines including ONION, Chain-of-Scrutiny, Shuffle/Shuffle++, and Clean Fine-Tuning. Notably, CoS and ONION left over 60% of attacks undetected, while Shuffle-based strategies, though reducing ASR, introduced unsustainable utility losses. Clean FT is ineffective for ICL-based threats and can inadvertently raise attack susceptibility.
Limitations and Implications
Critical-CoTโs defense incurs a one-time fine-tuning cost, but unlike inference-time prompt-based defenses, does not require runtime overhead. The method is agnostic to explicit trigger content but may not capture highly contextual or purely semantic triggers. Additionally, accuracy under FT-based attacks may be bounded by pre-existing reasoning degradation in heavily poisoned models. Improving post-detection recovery for irreparably compromised models and expanding to semantic/contextual trigger detection are open problems.
Practically, Critical-CoT renders deployed LLMs substantially more robust to advanced backdoor campaigns, a critical property for safety-critical real-world applications. Theoretically, its two-stage protocol underscores the utility of joint discriminative and critical-behavioral training in robust reasoning models.
Future Directions
Expanding defensive capabilities to address emerging attack paradigmsโsuch as semantically conditioned triggers, context-driven vulnerabilities, or policy-level manipulationsโremains a central challenge. Further, integrating automatic post-detection repair and utility-preserving strategies could enhance recovery in irrevocably poisoned models. Investigation of automatic defensive dataset synthesis and its transferability to new benchmarks and domains is also warranted.
Conclusion
Critical-CoT establishes a unified, effective framework for mitigating reasoning-level backdoor attacks against LLMs, providing consistently high detection, minimal attack success, and negligible impact on clean-task utility. Its strong empirical results across attack modalities, generalization scenarios, and LLM architectures advocate for its adoption as a standard robustness baseline in future reasoning-centric LLM deployments (2604.10681).