MemPot: Defending Against Memory Extraction Attack with Optimized Honeypots
Yuhao Wang, Shengfang Zhai, Guanghao Jin, Yinpeng Dong, Linyi Yang, Jiaheng Zhang

TL;DR
MemPot introduces an optimized honeypot framework to defend LLM-based agents against memory extraction attacks, improving detection accuracy without impacting performance.
Contribution
It is the first to theoretically verify and empirically demonstrate a honeypot-based defense against memory extraction in LLMs, with optimized trap document generation.
Findings
50% improvement in detection AUROC
80% increase in True Positive Rate under low FPR
Zero additional online inference latency
Abstract
Large Language Model (LLM)-based agents employ external and internal memory systems to handle complex, goal-oriented tasks, yet this exposes them to severe extraction attacks, and effective defenses remain lacking. In this paper, we propose MemPot, the first theoretically verified defense framework against memory extraction attacks by injecting optimized honeypots into the memory. Through a two-stage optimization process, MemPot generates trap documents that maximize the retrieval probability for attackers while remaining inconspicuous to benign users. We model the detection process as Wald's Sequential Probability Ratio Test (SPRT) and theoretically prove that MemPot achieves a lower average number of sampling rounds compared to optimal static detectors. Empirically, MemPot significantly outperforms state-of-the-art baselines, achieving a 50% improvement in detection AUROC and an 80%…
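The abstract models detection as Wald's Sequential Probability Ratio Test. The sketch below is an added illustration, not code from the paper or its authors. It assumes each query round yields one Bernoulli observation (whether a trap document was retrieved), and the hit probabilities `p0` (benign) and `p1` (attacker), the error rates and the sample sessions are all constructed values.

```python
import math

def sprt_thresholds(alpha, beta):
    """Wald's approximate log-likelihood-ratio boundaries.
    alpha: tolerated false-positive rate, beta: tolerated false-negative rate."""
    upper = math.log((1 - beta) / alpha)   # crossing it accepts H1 (extraction)
    lower = math.log(beta / (1 - alpha))   # crossing it accepts H0 (benign)
    return lower, upper

def sprt_session(hits, p0, p1, alpha=0.01, beta=0.01):
    """Run the test over one session's per-round trap observations.
    hits: iterable of 0/1, 1 meaning a honeypot document was retrieved.
    p0, p1: assumed per-round hit probability under benign / attacker use.
    Returns (decision, rounds_used, final_llr)."""
    if not 0 < p0 < p1 < 1:
        raise ValueError("need 0 < p0 < p1 < 1")
    lower, upper = sprt_thresholds(alpha, beta)
    llr_hit = math.log(p1 / p0)                # evidence added by a trap hit
    llr_miss = math.log((1 - p1) / (1 - p0))   # evidence removed by a miss
    llr, rounds = 0.0, 0
    for hit in hits:
        rounds += 1
        llr += llr_hit if hit else llr_miss
        if llr >= upper:
            return "attack", rounds, llr
        if llr <= lower:
            return "benign", rounds, llr
    return "undecided", rounds, llr            # keep sampling on later rounds

if __name__ == "__main__":
    P0, P1 = 0.02, 0.60                        # constructed values
    sessions = {                               # constructed sample sessions
        "extraction-like": [1, 0, 1, 1],
        "benign": [0] * 8,
        "benign, one stray hit": [0, 1, 0, 0],
    }
    for name, hits in sessions.items():
        decision, rounds, llr = sprt_session(hits, P0, P1)
        print(f"{name:22s} -> {decision:9s} after {rounds} rounds (LLR={llr:+.2f})")
```

A single stray hit leaves the session undecided rather than flagged, which is the property that keeps the false-positive rate bounded by `alpha` while still stopping early on repeated hits.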
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Security and Verification in Computing · Advanced Malware Detection Techniques
