Where Do LLM-based Systems Break? A System-Level Security Framework for Risk Assessment and Treatment

TL;DR

This paper presents a comprehensive system-level security framework for assessing and mitigating risks in LLM-based systems, integrating system modeling with attack trees and vulnerability scoring, demonstrated through a healthcare case study.

Contribution

It introduces a goal-driven risk assessment framework combining system modeling, attack-defense trees, and vulnerability scoring for LLM systems, with a practical healthcare case study.

Findings

Threats often consolidate into few dominant attack paths

Targeted defenses can significantly reduce exploitability

The framework is domain-agnostic and applicable to critical systems

Abstract

Large Language Models (LLMs) are increasingly integrated into safety-critical workflows, yet existing security analyses remain fragmented and often isolate model behavior from the broader system context. This work introduces a goal-driven risk assessment framework for LLM-powered systems that combines system modeling with Attack-Defense Trees (ADTrees) and Common Vulnerability Scoring System (CVSS)-based exploitability scoring to support structured, comparable analysis. We demonstrate the framework through a healthcare case study, modeling multi-step attack paths targeting intervention in medical procedures, leakage of electronic health record (EHR) data, and disruption of service availability. Our analysis indicates that threats spanning (i) conventional cyber, (ii) adversarial ML, and (iii) conversational attacks that manipulate prompts or context often consolidate into a small number of dominant paths and shared system choke points, enabling targeted defenses to yield meaningful reductions in path exploitability. By systematically comparing defense portfolios, we align these risks with established vulnerability management practices and provide a domain-agnostic workflow applicable to other LLM-enabled critical systems.