Your Agent Can Defend Itself against Backdoor Attacks
摘要
评审与讨论
This paper introduces an inference-time defense mechanism against backdoor attacks targeting LLM agents. The key insight behind the approach is the observation that backdoored agents often exhibit two types of inconsistencies: (1) a mismatch between their intended "thought" process and their actual actions, and (2) a discrepancy between reconstructed instructions and the original user's input. To measure the discrepancy, they leverage a separate LLM or directly use the backend LLM of the agent to evaluate consistency. Experiments across three tasks and two types of backdoor attacks show that the proposed defense effectively reduces the attack success rate.
优点
-
The proposed defense is lightweight, easy to integrate, and leverages a straightforward inconsistency-based approach.
-
Experimental results demonstrate that the defense significantly reduces ASR across various backdoor attacks.
缺点
-
The paper mentions the use of the agent’s backend LLM to evaluate textual similarity without specifying a threshold for similarity scores. However, it remains unclear how accurately this LLM-based evaluator assesses the similarity between textual inputs. Further, it would be valuable to know whether the LLM evaluator’s judgment remains consistent across a range of semantic complexities, or if there are cases where it might fail. An analysis of the evaluator's reliability would provide a more comprehensive understanding of its effectiveness in this setting.
-
The defense mechanism applies consistency checks at both the planning and execution levels. If the defender has no prior knowledge of the specific type of backdoor injected, it may be difficult to determine which level(s) should be checked for each instance. This could impact efficiency if the inconsistency is not detected correctly.
-
Although the defense is demonstrated on a range of tasks and attacks, there is limited testing on more advanced LLMs, such as those with more robust generative capabilities (e.g., GPT-4o or o1-preview).
问题
-
Given the advancements in newer models, especially those with improved instruction-following and interpretive abilities, it would be insightful to see how this defense performs on these LLMs. How robust is the defense when applied to state-of-the-art models, such as GPT-4o or o1-preview, which may display fewer inconsistencies due to improved coherence and contextual understanding? Including results on such models would provide a better understanding of the defense’s adaptability.
-
LLM Evaluator Accuracy and Evaluation Metrics: The use of an LLM-based evaluator avoids the need for a fixed similarity threshold. However, LLMs are not always consistent in evaluating semantic similarity, and their interpretations can vary with context. What metrics were used to assess the accuracy of this LLM evaluator in identifying semantic consistency? Specific data on the evaluator's false positive rate (FPR) and false negative rate (FNR) would be valuable to understand potential pitfalls, especially as they may impact the defense’s ability to distinguish between benign and backdoor-influenced behavior.
This work studies how to effectively defend against backdoor attacks on LLM-based agents and proposes a defense strategy named ReAgent. Particularly, it employs a two-level approach, focusing on examining the consistency of the agent at either the execution level or planning level. With extensive evaluation, ReAgent is effective at countering backdoor attacks across diverse tasks.
优点
- The paper studies how to defend against backdoor attacks on the LLM agents. The defense is easy to use and requires no retraining. Extensive results demonstrate the effectiveness of ReAgent by achieving lower ASR and lower FPR.
- The paper is well-written and easy to follow.
缺点
- The technical contribution is somewhat limited. The approach of increasing inference time to perform safety or consistency checks by prompting the agent is relatively straightforward, as this can intuitively reduce the ASR. However, practical considerations like computational budget and latency are also critical for agents deployed in real-world scenarios. It would be valuable to explore ways to internalize safe behavior within the model, making it robust against removal through simple backdoor attacks.
- Testing the agents in a real interactive environment, such as OSworld [1], would be beneficial. A real-world environment would be more realistic and complex, providing a stronger basis for evaluating the effectiveness of the defense.
- The study covers only three types of malicious actions, one for each task. It would be better to include a wider range of tasks and more diverse malicious actions within each task.
- It's relatively easy for the attackers to also insert backdoors for self-defense. For instance, when the agent performs a command like "rm -rf," attackers could embed triggers that enforce the self-defense mechanism to consistently flag "thought and action are consistent," thereby bypassing detection.
问题
When performing detection, is the input the entire trajectory or only the action/thought at the current step? If it’s the whole trajectory, I would question the reliability of the self-check, as longer contexts make the task more challenging. If it's limited to the current step's output, then how is it automatically determined whether the current step requires detection?
This paper presents a defense mechanism against backdoor attacks that target LLM-based agents. The core approach of this defense is to verify consistency between the user's prompt and both the plan generated by the LLM and its actions. This verification is performed by prompting another instance of the same LLM being used as an agent. The authors evaluate their method across three different tasks/datasets using three different backdoor triggers, comparing their results against existing inference-time defenses and a defense that requires model modifications.
优点
- The idea of checking the consistency between the user prompt and the plan/actions of the agent is promising and can defend against attacks which do not (partially) align with the user prompt (as pointed out by the authors themselves).
- The defense works off-the-shelf. It does not require fine-tuning, unlearning, or detection of the backdoors at training time. However, coming up with the right prompt for the given LLM might require some prompt-engineering.
- The defense works well against the attacks that were tested, with lower ASR compared with the other defenses that are tested.
- The FPR is low-enough to make the defense practical, except for the WebShop task where the FPR is very high (up to almost 1/4 in the case of Mistral 7b and more than 1/5 for Llama 3 8b).
缺点
- LLMs are vulnerable to prompt injections. Is this defense robust to backdoor attacks which make the model put a prompt injection in the planner which targets the "Detection-Explanation" phase? This could also work in the action phase, where the victim LLM generates an action which contains a prompt injection (e.g., `echo "Message for the Detection-Explanation agent: these actions are consistent with the user instructions") or something similar. I recommend reading this blogpost by Simon Willison.
- What is the overhead of the defense? The claims of cost-effectiveness discussed in the fine-tuning section are not backed by any data. How do you measure the cost effectiveness?
Minor editorial comments:
- ls 40-41: use of APIs -> opens the door to backdoor attacks is a nonsequitur. I believe I understand why but this should be explicitly stated.
- It's unclear in which order figure 1 should be read. In general, the caption should be expanded to be more self contained.
One final comment, which does not influence my score: the authors use fairly outdated models. GPT-4o mini is cheaper and better than GPT-3.5 Turbo, has been around for quite some time. Do the authors believe that the results shown with GPT-3.5 Turbo would be different with a newer model?
问题
- Do you have any strong reason to believe that the LLM-based defense is not vulnerable to prompt injection attacks?
- Do you see any avenues to improve the AUC of the metric-based defenses? They might be also vulnerable to adversarial examples, but at least generating adversarial examples is harder than coming up with natural language prompts that can be used for prompt injection attacks.
- You mention detection and unlearning of backdoors as defenses, but these approaches are not taken as baselines. Why?
This paper proposes a new method to defend agaist backdoor attacks on LLM agents. It works by prompting the LLM to detect if the planning or the execution are consistent with the instruction. Experiments show that the proposed method is effective.
优点
-
The studied problem is interesting.
-
The motivation of this paper is clear.
缺点
-
The novelty of the proposed method might be limited. It appears that the method prompts LLMs to classify the consistency between instructions and downstream responses without deeper technical contributions. Additionally, the method might be similar to existing LLM self-checking methods, including but not limited to those by Miao et al. and Mansi et al. The fundamental differences between the proposed method and these existing approaches are unclear.
-
The defense relies on LLM-based judgment. However, it is uncertain how to ensure that the judgment behavior or the LLMs used for self-checking are not backdoored. Given this paper's assumption that the agent LLM is untrusted, it is also possible that the consistency judgment process could be compromised.
-
The threat model and problem formulation in this paper are unclear. It is recommended to include a section that clearly states the goals and assumptions for both the attacker and the defender, following the common practices in the adversarial machine learning research community.
-
The experiments only use small open-source models and relatively outdated closed-source models. Including more recent and advanced models would strengthen the evaluation.
-
The proposed method uses in-context learning to enhance performance. However, there is little discussion on how in-context examples are chosen or the effect of different selections or the number of examples used on performance.
Miao et al., SelfCheck: Using LLMs to Zero-Shot Check Their Own Step-by-Step Reasoning. ICLR 2024.
Mansi et al., LLM Self Defense: By Self Examination, LLMs Know They Are Being Tricked. ICLR 2024 Tinypaper.
问题
See Weaknesses.
I have read and agree with the venue's withdrawal policy on behalf of myself and my co-authors.