Breaking Agents: Compromising Autonomous LLM Agents Through Malfunction Amplification

TL;DR

This paper uncovers vulnerabilities in autonomous LLM agents by demonstrating how maliciously induced malfunctions can cause high failure rates, emphasizing the need for better detection and mitigation strategies.

Contribution

It introduces a novel attack method targeting autonomous LLM agents, revealing significant susceptibility and proposing initial detection techniques.

Findings

Attacks can cause over 80% failure rates in various scenarios

Malfunctions are hard to detect using LLM-based self-examination

Real-world multi-agent systems are vulnerable to these attacks

Abstract

Recently, autonomous agents built on large language models (LLMs) have experienced significant development and are being deployed in real-world applications. These agents can extend the base LLM's capabilities in multiple ways. For example, a well-built agent using GPT-3.5-Turbo as its core can outperform the more advanced GPT-4 model by leveraging external components. More importantly, the usage of tools enables these systems to perform actions in the real world, moving from merely generating text to actively interacting with their environment. Given the agents' practical applications and their ability to execute consequential actions, it is crucial to assess potential vulnerabilities. Such autonomous systems can cause more severe damage than a standalone language model if compromised. While some existing research has explored harmful actions by LLM agents, our study approaches the vulnerability from a different perspective. We introduce a new type of attack that causes malfunctions by misleading the agent into executing repetitive or irrelevant actions. We conduct comprehensive evaluations using various attack methods, surfaces, and properties to pinpoint areas of susceptibility. Our experiments reveal that these attacks can induce failure rates exceeding 80\% in multiple scenarios. Through attacks on implemented and deployable agents in multi-agent scenarios, we accentuate the realistic risks associated with these vulnerabilities. To mitigate such attacks, we propose self-examination detection methods. However, our findings indicate these attacks are difficult to detect effectively using LLMs alone, highlighting the substantial risks associated with this vulnerability.