The paper introduces ER-MIA, a framework for black-box adversarial memory injection attacks targeting the similarity-based retrieval mechanism in long-term memory-augmented LLMs. It formalizes content-based and question-targeted attack settings, using composable attack primitives and ensemble methods to achieve high success rates. Experiments across various LLMs and memory systems demonstrate the vulnerability of similarity-based retrieval, highlighting persistent security risks.
Long-term memory doesn't just expand LLMs' knowledge; it also dramatically expands their attack surface: a new black-box attack, ER-MIA, achieves high success rates injecting adversarial memories into LLMs via similarity-based retrieval.
Large language models (LLMs) are increasingly augmented with long-term memory systems to overcome finite context windows and enable persistent reasoning across interactions. However, recent research finds that LLMs become more vulnerable because memory provides extra attack surfaces. In this paper, we present the first systematic study of black-box adversarial memory injection attacks that target the similarity-based retrieval mechanism in long-term memory-augmented LLMs. We introduce ER-MIA, a unified framework that exposes this vulnerability and formalizes two realistic attack settings: content-based attacks and question-targeted attacks. In these settings, ER-MIA includes an arsenal of composable attack primitives and ensemble attacks that achieve high success rates under minimal attacker assumptions. Extensive experiments across multiple LLMs and long-term memory systems demonstrate that similarity-based retrieval constitutes a fundamental and system-level vulnerability, revealing security risks that persist across memory designs and application scenarios.