Despite years of intense research, the problem of defending against adversarial attacks is far from solved. Nicholas Carlini, an expert in the field, recently said⁠(opens in a new window) that “in adversarial machine learning, we wrote over 9,000 papers in ten years and got nowhere.” One reason is that, unlike other progress in AI, increasing the size of models on its own has not been sufficient to make them robust to adversarial attacks.

In a new paper, we present preliminary evidence that increasing inference-time compute—giving reasoning models more time and resources to ‘think’—can improve robustness to multiple types of attacks. This approach uses reasoning models like o1‑preview and o1‑mini, which can adapt their computation during inference. We also explore new attacks designed specifically for reasoning models like o1, as well as settings where inference-time compute does not improve robustness, and speculate on the reasons for these as well as ways to address them.

We conducted extensive experiments to assess how increasing inference-time compute in reasoning models, specifically OpenAI’s o1‑preview and o1‑mini, affects their robustness to adversarial attacks. We studied a range of tasks using both static and adaptive attack methods, measuring the probability of attack success as a function of the amount of computation used by the model at inference. We see that in many cases, this probability decays—often to near zero—as the inference-time compute grows, although significant exceptions remain (discussed below).

A typical result in the paper: The Y axis is the amount of resources of the attacker, and the X axis is the amount of inference-time compute. We see that as the attacker’s resources grow, so does its success probability. But for every fixed amount of attacker’s resources, the probability of success decays as the model is spending more compute at inference time.