RAS-Eval: A Comprehensive Benchmark for Security Evaluation of LLM Agents in Real-World Environments

TL;DR

RAS-Eval is a comprehensive benchmark designed to evaluate the security vulnerabilities of LLM agents in real-world environments, revealing significant risks and guiding future security improvements.

Contribution

Introduces RAS-Eval, a standardized, extensive security benchmark for LLM agents, including diverse test cases and attack scenarios across multiple CWE categories.

Findings

Scaling laws apply to security capabilities, with larger models being more robust.

Attacks significantly reduce agent task completion rates, averaging a 36.78% decrease.

High attack success rate of 85.65% in academic settings.

Abstract

The rapid deployment of Large language model (LLM) agents in critical domains like healthcare and finance necessitates robust security frameworks. To address the absence of standardized evaluation benchmarks for these agents in dynamic environments, we introduce RAS-Eval, a comprehensive security benchmark supporting both simulated and real-world tool execution. RAS-Eval comprises 80 test cases and 3,802 attack tasks mapped to 11 Common Weakness Enumeration (CWE) categories, with tools implemented in JSON, LangGraph, and Model Context Protocol (MCP) formats. We evaluate 6 state-of-the-art LLMs across diverse scenarios, revealing significant vulnerabilities: attacks reduced agent task completion rates (TCR) by 36.78% on average and achieved an 85.65% success rate in academic settings. Notably, scaling laws held for security capabilities, with larger models outperforming smaller counterparts. Our findings expose critical risks in real-world agent deployments and provide a foundational framework for future security research. Code and data are available at https://github.com/lanzer-tree/RAS-Eval.