DemonAgent: Dynamically Encrypted Multi-Backdoor Implantation Attack on LLM-based Agent

TL;DR

This paper introduces DemonAgent, a novel backdoor attack on LLM-based agents that uses dynamic encryption and multi-fragmentation to evade safety audits with nearly 100% success and zero detection.

Contribution

It presents a new backdoor implantation method combining dynamic encryption and sub-backdoor decomposition to bypass safety audits in LLM agents.

Findings

Achieves near 100% attack success rate.

Maintains 0% detection rate by safety audits.

Highlights vulnerabilities in current safety mechanisms.

Abstract

As LLM-based agents become increasingly prevalent, backdoors can be implanted into agents through user queries or environment feedback, raising critical concerns regarding safety vulnerabilities. However, backdoor attacks are typically detectable by safety audits that analyze the reasoning process of agents. To this end, we propose a novel backdoor implantation strategy called \textbf{Dynamically Encrypted Multi-Backdoor Implantation Attack}. Specifically, we introduce dynamic encryption, which maps the backdoor into benign content, effectively circumventing safety audits. To enhance stealthiness, we further decompose the backdoor into multiple sub-backdoor fragments. Based on these advancements, backdoors are allowed to bypass safety audits significantly. Additionally, we present AgentBackdoorEval, a dataset designed for the comprehensive evaluation of agent backdoor attacks. Experimental results across multiple datasets demonstrate that our method achieves an attack success rate nearing 100\% while maintaining a detection rate of 0\%, illustrating its effectiveness in evading safety audits. Our findings highlight the limitations of existing safety mechanisms in detecting advanced attacks, underscoring the urgent need for more robust defenses against backdoor threats. Code and data are available at https://github.com/whfeLingYu/DemonAgent.