ML Security PapersSFCoT: Safer Chain-of-Thought via Active Safety Evaluation and Calibration
Yu Pan 1, Wenlong Yu 1, Tiejun Wu 2, Xiaohu Ye 2, Qiannan Si 1, Guangquan Xu 1, Bin Wu 1
Published on arXiv
2603.15397
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
Reduces jailbreak attack success rate from 58.97% to 12.31% while preserving 91.2% of base model utility on general benchmarks
SFCoT
Novel technique introduced
Large language models (LLMs) have demonstrated remarkable capabilities in complex reasoning tasks. However, they remain highly susceptible to jailbreak attacks that undermine their safety alignment. Existing defense mechanisms typically rely on post hoc filtering applied only to the final output, leaving intermediate reasoning steps unmonitored and vulnerable to adversarial manipulation. To address this gap, this paper proposes a SaFer Chain-of-Thought (SFCoT) framework, which proactively evaluates and calibrates potentially unsafe reasoning steps in real time. SFCoT incorporates a three-tier safety scoring system alongside a multi-perspective consistency verification mechanism, designed to detect potential risks throughout the reasoning process. A dynamic intervention module subsequently performs targeted calibration to redirect reasoning trajectories toward safe outcomes. Experimental results demonstrate that SFCoT reduces the attack success rate from $58.97\%$ to $12.31\%$, demonstrating it as an effective and efficient LLM safety enhancement method without a significant decline in general performance.
Key Contributions
- Three-tier safety scoring system (lexical, semantic, policy-level) for real-time evaluation of chain-of-thought reasoning steps
- Multi-perspective consistency verification mechanism to detect unsafe reasoning trajectories during intermediate steps
- Dynamic intervention module that performs targeted calibration (rewriting/truncation) to redirect unsafe reasoning toward safe outcomes