惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园_首页
T
Threat Research - Cisco Blogs
GbyAI
GbyAI
Y
Y Combinator Blog
美团技术团队
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园 - 【当耐特】
S
SegmentFault 最新的问题
IT之家
IT之家
Recent Announcements
Recent Announcements
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
阮一峰的网络日志
阮一峰的网络日志
T
The Blog of Author Tim Ferriss
Martin Fowler
Martin Fowler
Microsoft Azure Blog
Microsoft Azure Blog
V
Visual Studio Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
U
Unit 42
WordPress大学
WordPress大学
博客园 - Franky
L
LangChain Blog
人人都是产品经理
人人都是产品经理
小众软件
小众软件
博客园 - 叶小钗
罗磊的独立博客
酷 壳 – CoolShell
酷 壳 – CoolShell
大猫的无限游戏
大猫的无限游戏
云风的 BLOG
云风的 BLOG
Vercel News
Vercel News
雷峰网
雷峰网
腾讯CDC
Google DeepMind News
Google DeepMind News
博客园 - 三生石上(FineUI控件)
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Help Net Security
Help Net Security
C
Check Point Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
N
News and Events Feed by Topic
V2EX - 技术
V2EX - 技术
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Schneier on Security
Schneier on Security
博客园 - 聂微东
A
Arctic Wolf
H
Heimdal Security Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Recent Commits to openclaw:main
Recent Commits to openclaw:main
T
The Exploit Database - CXSecurity.com
C
Cyber Attacks, Cyber Crime and Cyber Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Google DeepMind News
Google DeepMind News

OpenAI News

Using custom GPTs ChatGPT for customer success teams Applications of AI at OpenAI Research with ChatGPT Analyzing data with ChatGPT Financial services Responsible and safe use of AI Writing with ChatGPT ChatGPT for research Creating images with ChatGPT Personalizing ChatGPT ChatGPT for finance teams Getting started with ChatGPT Working with files in ChatGPT ChatGPT for sales teams Prompting fundamentals ChatGPT for managers Using projects in ChatGPT ChatGPT for marketing teams Brainstorming with ChatGPT AI fundamentals ChatGPT for operations teams Healthcare Our response to the Axios developer tool compromise Using skills OpenAI Full Fan Mode Contest: Terms & Conditions CyberAgent moves faster with ChatGPT Enterprise and Codex The next phase of enterprise AI Introducing the Child Safety Blueprint Introducing the OpenAI Safety Fellowship Industrial policy for the Intelligence Age OpenAI acquires TBPN Codex now offers more flexible pricing for teams Gradient Labs gives every bank customer an AI account manager OpenAI raises $122 billion to accelerate the next phase of AI Helping disaster response teams turn AI into action across Asia STADLER reshapes knowledge work at a 230-year-old company Inside our approach to the Model Spec Introducing the OpenAI Safety Bug Bounty program Helping developers build safer AI experiences for teens Update on the OpenAI Foundation Powering Product Discovery in ChatGPT Creating with Sora Safely How we monitor internal coding agents for misalignment OpenAI to acquire Astral Introducing GPT-5.4 mini and nano OpenAI Japan announces Japan Teen Safety Blueprint to put teen safety first Equipping workers with insights about compensation Why Codex Security Doesn’t Include a SAST Report Designing AI agents to resist prompt injection From model to agent: Equipping the Responses API with a computer environment Rakuten fixes issues twice as fast with Codex Wayfair boosts catalog accuracy and support speed with OpenAI Improving instruction hierarchy in frontier LLMs New ways to learn math and science in ChatGPT OpenAI to acquire Promptfoo Codex Security: now in research preview How Descript engineers multilingual video dubbing at scale How Balyasny Asset Management built an AI research engine Reasoning models struggle to control their chains of thought, and that’s good Introducing GPT-5.4 GPT-5.4 Thinking System Card Ensuring AI use in education leads to opportunity VfL Wolfsburg turns ChatGPT into a club-wide capability OpenAI and NORAD team up to bring new magic to “NORAD Tracks Santa” Accenture and OpenAI accelerate enterprise AI success OpenAI takes an ownership stake in Thrive Holdings to accelerate enterprise AI adoption What to know about a recent Mixpanel security incident Expanding data residency access to business customers worldwide Our approach to mental health-related litigation Inside JetBrains—the company reshaping how the world writes code Introducing shopping research in ChatGPT How GPT-5 helped mathematician Ernest Ryu solve a 40-year-old open problem OpenAI and Foxconn collaborate to strengthen U.S. manufacturing across the AI supply chain Disrupting malicious uses of AI: June 2025 Creating websites in minutes with AI Website Builder Addendum to OpenAI o3 and o4-mini system card: OpenAI o3 Operator OpenAI Deutschland Shipping code faster with o3, o4-mini, and GPT-4.1 Introducing Stargate UAE New tools and features in the Responses API Introducing Codex Addendum to o3 and o4-mini system card: Codex AI powers Expedia’s marketing evolution Strengthening America’s AI leadership with the U.S. National Laboratories Introducing ChatGPT Gov Operator System Card Computer-Using Agent Introducing Operator Bertelsmann powers creativity and productivity with OpenAI Announcing The Stargate Project Stargate Infrastructure The power of personalized AI Delivering LLM-powered health solutions Increasing accuracy of pediatric visit notes Practices for Governing Agentic AI Systems Superalignment Fast Grants Weak-to-strong generalization Partnership with Axel Springer to deepen beneficial use of AI in journalism Sam Altman returns as CEO, OpenAI has a new initial board
Trading Inference-Time Compute for Adversarial Robustness
2025-01-22 · via OpenAI News
OpenAI

Initial evidence that reasoning models such as o1 become more robust to adversarial attacks as they think for longer.

Robustness to adversarial attacks(opens in a new window) has been one of the thorns in AI’s side for more than a decade. In 2014, researchers showed(opens in a new window) that imperceptible perturbations—subtle alterations undetectable to the human eye—can cause models to misclassify images, illustrating one example of a model’s vulnerability to adversarial attacks. Addressing this weakness has become more urgent as models are being used for high stakes applications and acting as agents that can browse the web and take actions on behalf of their users.

Despite years of intense research, the problem of defending against adversarial attacks is far from solved. Nicholas Carlini, an expert in the field, recently said(opens in a new window) that “in adversarial machine learning, we wrote over 9,000 papers in ten years and got nowhere.” One reason is that, unlike other progress in AI, increasing the size of models on its own has not been sufficient to make them robust to adversarial attacks. 

In a new paper, we present preliminary evidence that increasing inference-time compute—giving reasoning models more time and resources to ‘think’—can improve robustness to multiple types of attacks. This approach uses reasoning models like o1‑preview and o1‑mini, which can adapt their computation during inference.  We also explore new attacks designed specifically for reasoning models like o1, as well as settings where inference-time compute does not improve robustness, and speculate on the reasons for these as well as ways to address them.

We conducted extensive experiments to assess how increasing inference-time compute in reasoning models,  specifically OpenAI’s o1‑preview and o1‑mini, affects their robustness to adversarial attacks. We studied  a range of tasks using both static and adaptive attack methods, measuring the probability of attack success as a function of the amount of computation used by the model at inference. We see that in many cases, this probability decays—often to near zero—as the inference-time compute grows, although significant exceptions remain (discussed below).

To study the relationship between adversarial robustness (as measured by attacker resources) and test-time compute, we considered a number of different types of tasks. These include:

  1. Mathematical tasks, including very simple ones such as adding or multiplying two numbers, as well as more sophisticated ones such as MATH(opens in a new window). For each such task, we considered a number of “goals” by the adversary: get the model to output 42 instead of the correct answer, get the model to output the correct answer plus one, or get the model to output the correct answer times seven.
  2. Adversarial version of the SimpleQA factuality benchmark. This is a dataset of questions that were chosen to be hard for models to resolve without browsing, and we simulated injection of adversarial prompts in the browsed web pages.
  3. Adversarial images from the Attack Bard(opens in a new window) paper.
  4. Misuse prompts from the StrongREJECT(opens in a new window) benchmarks. These are prompts that the model should not comply with, but the attacker’s goal is to get the model to do so.
  5. An internal evaluation for following one of the rules in our model spec.

We considered a number of “attack surfaces” for the adversary, including: 

  1. The “many shot” attack (see Anthropic 2024(opens in a new window)) where a number of “bad” input/output examples are provided by the adversary.
  2. Optimizing soft tokens (arbitrary embedding vectors) to achieve the adversary’s goal.
  3. An adversarial language model program (LMP)--that is, a structured program incorporating language models in its control flow–that does “AI red teaming”
  4. Adversarial multi modal inputs.

Note that, not all attacks have been used on all datasets; please refer to the paper for details.

In many of these cases, we see that the adversary’s success probability decreases as the amount of inference-time compute increases. We stress that unlike the typical approach of “adversarial training,” the model is not aware of the nature of the attack and hence the improved robustness is solely due to improving inference-time compute. This suggests that inference-time scaling could be useful for tackling even unforeseen attacks.

There are cases where (at least so far) inference-time compute does not improve robustness:

  1. In some cases, we see that initially the adversary's success increases with the defender’s inference-time compute and later decreases. We believe this is because the defender needs a minimum amount of test-time compute to achieve the attacker’s goal (e.g. to respond with one plus the correct answer, it must be able to solve the math problem).
  2. More importantly, there are cases where the attack’s success does not decay as we give the defender more inference-time compute. This is especially evident on the StrongREJECT benchmark with the LMP attack. Some of the prompts in this benchmark request information that is not prohibited in all circumstances, and so the LMP can find contexts in which the specification-compliant response is to provide this information. See Figure 10 in the paper for an example.
  3. Our ability to control the model’s test-time compute usage is not perfect. We see that the attacker can sometimes fool the model into not thinking or using its inference-time compute unproductively. For this paper we did not explore teaching the model to use its allotted compute “wisely” and simply did the most naive thing; we think this is a promising area of research to improve adversarial robustness.

See the paper for additional discussions of limitations and open questions.

Overall, we view this work as a promising sign for the power of inference-time compute for adversarial robustness. As we discuss in the paper, there is more work to be done to turn this promise into reality and we are excited to make it happen!