Security Risks in Reasoning Chains: Full-Link Security Assessment and Adaptive Intervention for Large Reasoning Models

This article reveals hidden security risks in the reasoning chains of large reasoning models (even if the final answer is safe, the reasoning process may be harmful), proposes an adaptive multi-principle guidance method, and achieves a 40.8% reduction in unsafe content while maintaining 97.7% accuracy on DeepSeek-R1-Qwen-7B. The study emphasizes the need for full-link security assessment of both the reasoning process and final output.

While the transparency of reasoning chains in large reasoning models (e.g., DeepSeek-R1) improves verifiability, it may hide harmful content. Current assessments only focus on the final answer; the research team raises the question: Does a safe final answer mean the entire reasoning trajectory is safe? To address this, a 20-principle security assessment framework was established to score the reasoning process and final answer separately.

The assessment covers 15 models, 41K prompt/model pairs (over 600,000 samples in total), involving 20 security principles. Two high-severity patterns were found: 1. Leakage pattern (unsafe reasoning + safe final answer, e.g., planning dangerous items but refusing the request); 2. Escape pattern (harmless reasoning + unsafe final answer, suddenly outputting harmful content after pretending to be harmless). Risks are concentrated in five major areas: misinformation, legal compliance, discrimination and bias, physical/psychological harm.

An adaptive multi-principle guidance method is proposed, with core steps: 1. Principle-level direction learning (comparing representations of safe/unsafe samples to learn the safe direction for each principle); 2. Adaptive activation (dynamically activating directions based on the distance between hidden states and the centroid of safe/unsafe states); 3. Lightweight intervention (operation at the hidden state level without modifying weights or additional training data). In experiments, DeepSeek-R1-Qwen-7B saw a 40.8% reduction in unsafe content while maintaining 97.7% accuracy.

Technical insights: Full-link assessment of both reasoning process and final output is needed, focusing on leakage/escape patterns. Deployment recommendations: 1. Real-time monitoring of reasoning chains instead of only the final answer; 2. Establish layered security mechanisms for different risk areas; 3. Adopt white-box intervention methods to enhance real-time security protection.

The study reveals hidden risks brought by reasoning transparency and emphasizes the importance of full-link security. The adaptive guidance method effectively reduces risks without sacrificing performance. Limitations include limited assessment scope and insufficient applicability to API models; future directions: real-time reasoning monitoring, multilingual security expansion, and adversarial robustness research.