Agents Under Siege: Breaking Pragmatic Multi-Agent LLM Systems with Optimized Prompt Attacks (2025.acl-long)
Copied to clipboard
| Challenge: | Multi-agent LLMs are prone to adversarial attacks because of constraints such as limited token bandwidth and latency between message delivery. |
| Approach: | They propose a permutation-invariant adversarial attack that optimizes prompt distribution across latency and bandwidth constraints to bypass distributed safety mechanisms within the system. |
| Outcome: | The proposed method outperforms conventional attacks by up to 7 on multiple models. |
Similar Papers
Conjunctive Prompt Attacks in Multi-Agent LLM Systems (2026.acl-long)
Copied to clipboard
| Challenge: | Existing defenses do not reliably stop the attack because no single component appears malicious in isolation. |
| Approach: | They study conjunctive prompt attacks where trigger key and adversarial template appear benign alone but activate harmful behavior when routing brings them together. |
| Outcome: | The proposed model significantly improves performance over baselines while keeping false activations low. |
Defending Jailbreak Prompts via In-Context Adversarial Game (2024.emnlp-main)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) demonstrate remarkable capabilities across diverse applications, but concerns regarding their security persist. |
| Approach: | They propose an adversarial game that leverages agent learning to extend knowledge to defend against jailbreaks. |
| Outcome: | The proposed game shows that LLMs safeguarded by ICAG exhibit significantly reduced jailbreak success rates across various attack scenarios. |
Red-Teaming LLM Multi-Agent Systems via Communication Attacks (2025.findings-acl)
Copied to clipboard
| Challenge: | Large Language Model-based Multi-Agent Systems (LLM-MAS) have revolutionized complex problem-solving capability by enabling agent collaboration through message-based communications. |
| Approach: | They propose an attack that exploits communication mechanisms in Large Language Model-based Multi-Agent Systems (LLM-MAS) by intercepting and manipulating inter-agent messages. |
| Outcome: | The proposed attack exploits communication mechanisms in large language model-based multi-agent systems by intercepting and manipulating inter-agencies. |
The TIP of the Iceberg: Revealing a Hidden Class of Task-in-Prompt Adversarial Attacks on LLMs (2025.acl-long)
Copied to clipboard
| Challenge: | cipher decoding, riddles, code execution embedded into model prompts bypass safety safeguards of large language models (LLMs) . |
| Approach: | They introduce a novel class of adversarial jailbreak adversarials on large language models, termed Task-in-Prompt (TIP) attacks. |
| Outcome: | The proposed techniques circumvent safeguards in six state-of-the-art language models, including GPT-4o and LLaMA 3.2, and consistently generate restricted content . |
Are My Optimized Prompts Compromised? Exploring Vulnerabilities of LLM-based Optimizers (2026.eacl-long)
Copied to clipboard
| Challenge: | Recent studies have focused on poisoning during supervised fine-tuning, RLHF, or inference-time time optimization. |
| Approach: | They propose a simple fake reward attack that requires no access to the reward model and significantly increases vulnerability. |
| Outcome: | The proposed attack reduces the fake reward ASR from 0.23 to 0.07 without degrading utility. |
Iterative Self-Tuning LLMs for Enhanced Jailbreaking Capabilities (2025.naacl-long)
Copied to clipboard
Chung-En Sun, Xiaodong Liu, Weiwei Yang, Tsui-Wei Weng, Hao Cheng, Aidan San, Michel Galley, Jianfeng Gao
| Challenge: | Recent research shows that Large Language Models (LLMs) are vulnerable to automated jailbreak attacks. |
| Approach: | They propose a framework that crafts adversarial LLMs with enhanced jailbreak ability. |
| Outcome: | ADV-LLM significantly reduces the computational cost of generating adversarial suffixes while achieving nearly 100% ASR on various open-source LLMs. |
TAMAS: Benchmarking Adversarial Risks in Multi-Agent LLM Systems (2026.acl-long)
Copied to clipboard
| Challenge: | Existing benchmarks and datasets focus on single-agent settings, failing to capture the unique vulnerabilities of multi-agend LLM dynamics and co-ordination. |
| Approach: | They propose a benchmark to evaluate the robustness and safety of multi-agent LLM systems. |
| Outcome: | The proposed benchmark evaluates the robustness and safety of multi-agent LLM systems. |
Breaking Agents: Compromising Autonomous LLM Agents Through Malfunction Amplification (2025.emnlp-main)
Copied to clipboard
| Challenge: | Recent advances in large language models (LLMs) have increased the vulnerability of LLMs, but they can cause more severe damage than standalone systems if compromised. |
| Approach: | They propose a new type of attack that induces malfunctions by misleading the agent into executing repetitive or irrelevant actions. |
| Outcome: | The proposed attacks induce failure rates exceeding 80% in multiple scenarios, highlighting the substantial risks associated with this vulnerability. |
Defending Large Language Models Against Jailbreak Attacks via Layer-specific Editing (2024.findings-emnlp)
Copied to clipboard
| Challenge: | Existing defense methods focus on detecting harmful prompts or reducing the likelihood of harmful responses. |
| Approach: | They propose a layer-specific editing method to align LLMs to harmful prompts by supervised fine-tuning and reinforcement learning. |
| Outcome: | The proposed method improves the performance of large language models against jailbreak attacks while maintaining performance on benign prompts. |
Ignore This Title and HackAPrompt: Exposing Systemic Vulnerabilities of LLMs Through a Global Prompt Hacking Competition (2023.emnlp-main)
Copied to clipboard
Sander Schulhoff, Jeremy Pinto, Anaum Khan, Louis-François Bouchard, Chenglei Si, Svetlina Anati, Valen Tagliabue, Anson Kost, Christopher Carnahan, Jordan Boyd-Graber
| Challenge: | Large Language Models are increasingly being deployed in interactive contexts that involve direct user engagement. |
| Approach: | They run a global prompt hacking competition to encourage research on prompt hacks . they elicit 600K+ adversarial prompts against three state-of-the-art LLMs based on a dataset . |
| Outcome: | The results of the competition show that current LLMs can be manipulated via prompt hacking . the competition elicits 600K+ adversarial prompts against three state-of-the-art LLM models . |