STAR: Detecting Inference-time Backdoors in LLM Reasoning via State-Transition Amplification Ratio

Recent LLMs increasingly integrate reasoning mechanisms like Chain-of-Thought (CoT). However, this explicit reasoning exposes a new attack surface for inference-time backdoors, which inject malicious reasoning paths without altering model parameters. Because these attacks generate linguistically coherent paths, they effectively evade conventional detection. To address this, we propose STAR (State-Transition Amplification Ratio), a framework that detects backdoors by analyzing output probability shifts. STAR exploits the statistical discrepancy where a malicious input-induced path exhibits high posterior probability despite a low prior probability in the model's general knowledge. We quantify this state-transition amplification and employ the CUSUM algorithm to detect persistent anomalies. Experiments across diverse models (8B-70B) and five benchmark datasets demonstrate that STAR exhibits robust generalization capabilities, consistently achieving near-perfect performance (AUROC $\approx$ 1.0) with approximately $42\times$ greater efficiency than existing baselines. Furthermore, the framework proves robust against adaptive attacks attempting to bypass detection.

Key Contributions

• STAR framework that detects inference-time LLM backdoors by measuring the State-Transition Amplification Ratio — the statistical discrepancy between low prior probability and high posterior probability of malicious reasoning paths
• Application of the CUSUM algorithm to identify persistent anomalies in output probability shifts, achieving near-perfect AUROC ≈ 1.0 with inference latency under 0.5 seconds
• Comprehensive evaluation across 8B–70B models and five benchmark datasets, including robustness against adaptive adversarial bypass attempts

🛡️ Threat Analysis

Details

Similar Papers