Taxonomy, Evaluation and Exploitation of IPI-Centric LLM Agent Defense Frameworks

TL;DR

This paper provides a comprehensive analysis and taxonomy of IPI-centric defense frameworks for LLM agents, evaluating their security and usability, and proposing new adaptive attacks to reveal their vulnerabilities.

Contribution

It introduces the first unified taxonomy of IPI defenses, assesses their effectiveness, and designs adaptive attacks to expose their weaknesses.

Findings

Six root causes of defense circumvention identified

Three novel adaptive attacks developed and tested

Significant vulnerabilities found in existing defenses

Abstract

Large Language Model (LLM)-based agents with function-calling capabilities are increasingly deployed, but remain vulnerable to Indirect Prompt Injection (IPI) attacks that hijack their tool calls. In response, numerous IPI-centric defense frameworks have emerged. However, these defenses are fragmented, lacking a unified taxonomy and comprehensive evaluation. In this Systematization of Knowledge (SoK), we present the first comprehensive analysis of IPI-centric defense frameworks. We introduce a comprehensive taxonomy of these defenses, classifying them along five dimensions. We then thoroughly assess the security and usability of representative defense frameworks. Through analysis of defensive failures in the assessment, we identify six root causes of defense circumvention. Based on these findings, we design three novel adaptive attacks that significantly improve attack success rates targeting specific frameworks, demonstrating the severity of the flaws in these defenses. Our paper provides a foundation and critical insights for the future development of more secure and usable IPI-centric agent defense frameworks.