UNSEEN: A Cross-Stack LLM Unlearning Defense against AR-LLM Social Engineering Attacks

TL;DR

UNSEEN is a cross-stack defense framework against AR-LLM social engineering attacks, combining access control, LLM unlearning, and interaction guardrails to mitigate threats in augmented reality environments.

Contribution

The paper introduces UNSEEN, a novel multi-layered defense system addressing technical challenges in securing AR-LLM ecosystems against social engineering threats.

Findings

UNSEEN effectively suppresses sensitive profile information in LLMs.

The system demonstrates resilience against social engineering in user studies.

Evaluation shows improved security without compromising user experience.

Abstract

Emerging AR-LLM-based Social Engineering attack (e.g., SEAR) is at the edge of posing great threats to real-world social life. In such AR-LLM-SE attack, the attacker can leverage AR (Augmented Reality) glass to capture the image and vocal information of the target, using the LLM to identify the target and generate the social profile, using the LLM agents to apply social engineering strategies for conversation suggestion to win the target trust and perform phishing afterwards. Current defensive approaches, such as role-based access control or data flow tracking, are not directly applicable to the convergent AR-LLM ecosystem (considering embedded AR device and opaque LLM inference), leaving an emerging and potent social engineering threat that existing privacy paradigms are ill-equipped to address. This necessitates a shift beyond solely human-centric measures like legislation and user education toward enforceable vendor policies and platform-level restrictions. Realizing this vision, however, faces significant technical challenges: securing resource-constrained AR-embedded devices, implementing fine-grained access control within opaque LLM inferences, and governing adaptive interactive agents. To address these challenges, we present UNSEEN, a coordinated cross-stack defense that combines an AR ACL (Access Control Layer) for identity-gated sensing, F-RMU-based LLM unlearning for sensitive profile suppression, and runtime agent guardrails for adaptive interaction control. We evaluate UNSEEN in an IRB-approved user study with 60 participants and a dataset of 360 annotated conversations across realistic social scenarios.