Security Boundary Testing for Large Reasoning Models: A Defensive Multi-turn Dialogue Evaluation Framework

This article introduces the attack-lrm defensive evaluation framework, which aims to help developers identify security vulnerabilities in large reasoning models under continuous questioning. The framework supports multi-turn dialogue simulation, multi-model matrix testing, structured assessment, and 70 security scenarios, providing a systematic approach for AI security evaluation.

In recent years, large reasoning models such as DeepSeek-R1 and Gemini 2.5 Flash have demonstrated strong reasoning capabilities, but they may also be used as "autonomous jailbreak agents"—gradually inducing target models to break through security boundaries through multi-turn dialogues, which is different from traditional single-turn prompt injection. This emerging threat makes systematic evaluation of model security boundaries an important topic in the AI security field.

The framework centers on defensive evaluation, with design philosophies including multi-turn dialogue simulation (up to 10 turns), multi-model matrix testing, structured assessment mechanisms, and 70 security scenarios. Core components include: Dialogue Orchestrator (manages multi-turn interaction processes), Model Adapter (supports multiple probe/target/assessment models via OpenAI-compatible APIs), Security Scenario Dataset (7 categories of scenarios), and Assessment & Metrics System (multi-dimensional scores such as robust rejection rate, strategy drift score, etc.).

The framework is applicable to: 1. Pre-release security audits of models (matrix assessment to identify risks); 2. Iterative verification of security strategies (quantify the effect of strategy changes); 3. Cross-model security benchmark comparison (generate comparable reports to assist in model selection); 4. Red team testing assistance (simulate adversarial scenarios to find weaknesses).

The framework is positioned as a defensive tool, and its use must comply with: only for authorized testing, avoid generating harmful content, protect sensitive outputs, and comply with platform policies.

Current limitations: lack of inter-rater consistency analysis, no automatic annotation of probe strategies, and no comparative experiments on direct harmful prompts. Future directions: introduce fine-grained assessment indicators, support real-time strategy analysis, and develop visual assessment report tools.

As the capabilities of large reasoning models improve, security risks are also evolving. The attack-lrm framework provides a systematic method to assess risks and help developers maintain security bottom lines. Its value lies not only in identifying problems but also in establishing continuous monitoring and improvement mechanisms, providing a technical foundation for AI security.