TL;DR
Genesis introduces an evolving, agentic framework for attacking web-based LLM agents, leveraging genetic algorithms and dynamic strategy learning to improve attack success over static methods.
Contribution
The paper presents a novel framework combining genetic algorithms and dynamic strategy learning for continuous evolution of attack strategies against web LLM agents.
Findings
Outperforms existing attack baselines in various web tasks.
Discovers novel attack strategies through continuous evolution.
Effectively adapts to diverse web agent behaviors.
Abstract
As large language model (LLM) agents increasingly automate complex web tasks, they boost productivity while simultaneously introducing new security risks. However, relevant studies on web agent attacks remain limited. Existing red-teaming approaches mainly rely on manually crafted attack strategies or static models trained offline. Such methods fail to capture the underlying behavioral patterns of web agents, making it difficult to generalize across diverse environments. In web agent attacks, success requires the continuous discovery and evolution of attack strategies. To this end, we propose Genesis, a novel agentic framework composed of three modules: Attacker, Scorer, and Strategist. The Attacker generates adversarial injections by integrating the genetic algorithm with a hybrid strategy representation. The Scorer evaluates the target web agent's responses to provide feedback. The…
