Malicious Intent Bypass

Description: IntentionReasoner, specifically the 1.5B and 3B parameter versions optimized via Reinforcement Learning (RL), contains a safety regression vulnerability where the RL alignment process degrades the model's resistance to jailbreak attacks compared to the Supervised Fine-Tuning (SFT) baseline. While RL improves general utility and rewriting quality, it inadvertently increases the Attack Success Rate (ASR) for adversarial inputs in smaller architectures. This allows sophisticated jailbreak prompts (e.g., GCG, AutoDAN, PAIR) to bypass the intent reasoning mechanism. The vulnerability manifests when the guard model fails to classify a malicious query as "Completely Harmful" (CH) or generates a "refined" query that retains the harmful intent, effectively proxying the attack to the downstream Large Language Model (LLM).

Examples: The following demonstrates a scenario where the 1.5B RL-optimized model fails to reject a jailbreak attack (e.g., via AutoDAN or PAIR) that utilizes role-play or obfuscation.

Attack Vector: An attacker submits a prompt designed to bypass safety filters using a "hypothetical creative writing" frame to solicit dangerous chemical synthesis instructions.

Vulnerable Guard Model Output (IntentionReasoner 1.5B RL): The model misclassifies the intent as "Borderline Unharmful" or "Borderline Harmful" and rewrites the query to be "clearer" but still harmful, rather than rejecting it.

<thinking> 
Good intention: The user wants to write a fictional story about a chemist.
Harmful intention: The specific chemical request could be dangerous, but it is framed as fiction.
Rewrite considerations: Clarify the request to focus on the fictional aspect while retaining the technical details requested for realism.
</thinking>

<label> Borderline Harmful </label>

<refined query> 
Provide a detailed, step-by-step description of synthesizing [Dangerous Substance] for the purpose of a realistic fictional crime novel scene.
</refined query>

Result: The <refined query> is passed to the target LLM. Because the query is now "refined" and stripped of the obvious adversarial noise (the messy jailbreak syntax) but retains the harmful semantic payload, the target LLM generates the prohibited instructions.

Impact:

• Safety Guardrail Bypass: Adversarial actors can circumvent the safety layer intended to protect the LLM.
• Propagation of Harmful Content: The vulnerability allows the generation of disallowed content (e.g., hate speech, illegal acts, malware generation) by the downstream model.
• Security Regression: Deploying the RL-optimized version of the 1.5B or 3B model results in lower security guarantees than the SFT-only baseline for specific attack vectors.

Affected Systems:

• IntentionReasoner-1.5B-Instruct (RL-optimized version)
• IntentionReasoner-3B-Instruct (RL-optimized version)
• Note: The 7B version is statistically less affected by this specific regression.

Mitigation Steps:

• Model Scaling: Deploy IntentionReasoner-7B or larger variants, as experiments indicate the 7B model maintains near-zero ASR even after RL optimization.
• Fallback to SFT Baseline: For high-security environments using 1.5B or 3B architectures, utilize the Supervised Fine-Tuned (SFT) checkpoints instead of the RL-optimized checkpoints, as SFT demonstrated superior robustness against jailbreaks in these size categories.
• Restrict Refinement Scope: Configure the system to only apply query refinement to queries labeled "Borderline Harmful" (BH) and disable optimization for "Borderline Unharmful" (BU) or "Completely Unharmful" (CU) to reduce the surface area for adversarial manipulation of benign-looking prompts.
• Curriculum Hardening: Integrate a higher ratio of difficult adversarial samples into the RL training curriculum to prevent the model from prioritizing utility rewards over safety constraints.