ADAM: A Systematic Data Extraction Attack on Agent Memory via Adaptive Querying
Xingyu Lyu, Jianfeng He, Ning Wang, Yidan Hu, Tao Li, Danjue Chen, Shixiong Li, Yimin Chen

TL;DR
This paper introduces ADAM, a novel attack method that significantly improves privacy leakage success rates in LLM agents' memory modules by using adaptive querying and data distribution estimation.
Contribution
ADAM is the first attack to combine data distribution estimation with entropy-guided querying, achieving near-perfect success rates in leaking sensitive memory data.
Findings
ADAM achieves up to 100% attack success rate.
It outperforms existing state-of-the-art attacks.
The results highlight urgent privacy concerns in LLM agents.
Abstract
Large Language Model (LLM) agents have achieved rapid adoption and demonstrated remarkable capabilities across a wide range of applications. To improve reasoning and task execution, modern LLM agents incorporate memory modules or retrieval-augmented generation (RAG) mechanisms, enabling them to further leverage prior interactions or external knowledge. However, such a design also introduces a group of critical privacy vulnerabilities: sensitive information stored in memory can be leaked through query-based attacks. Although feasible, existing attacks often achieve only limited performance, with low attack success rates (ASR). In this paper, we propose ADAM, a novel privacy attack that features data distribution estimation of a victim agent's memory and employs an entropy-guided query strategy for maximizing privacy leakage. Extensive experiments demonstrate that our attack…
