Search papers, labs, and topics across Lattice.
This paper investigates the vulnerabilities of agentic AI systems to model-guided automated attacks, particularly focusing on prompt-injection and jailbreak techniques. The authors propose a novel defense strategy called Contextual Misdirection via Progressive Engagement (CMPE), which replaces predictable refusal responses with misleading yet safe replies to confuse attackers. Results indicate that CMPE significantly lowers the attacker success rate, achieving reductions in estimated upper bounds by up to two orders of magnitude and nearly nullifying verified attack success in practical evaluations.
Conventional defenses fail against automated attacks, but a new misdirection strategy can reduce attacker success rates by two orders of magnitude.
Agentic AI systems increasingly rely on language-model components to interpret instructions, process external data, invoke tools, and coordinate with other agents. These capabilities make prompt-injection and jailbreak attacks more consequential, especially as attackers adopt model-guided automation to scale probing, prompt refinement, and response evaluation. This work analyzes the resulting attack-defense setting through a probabilistic model of a target system, its defense mechanism, and the attacker's automated judge. Our analysis shows that conventional detect-and-block defenses can allow attacker success rate (ASR) to approach one as the query budget grows, since predictable refusals provide useful feedback to automated search. We then examine detect-and-misdirect, where detected malicious interactions receive controlled, non-operational responses designed to induce false-positive errors in the attacker's judge. This strategy reduces the positive predictive value of attacker-selected candidates and yields a bounded asymptotic ASR. We evaluate a proof-of-concept realization of this strategy through Contextual Misdirection via Progressive Engagement (CMPE), a lightweight conversational misdirection method designed to replace predictable refusal text with safe but strategically misleading responses in automated jailbreak settings. On jailbreak benchmarks, CMPE reduces estimated ASR upper bounds by up to two orders of magnitude and nearly eliminates verified attack success in end-to-end PAIR and GPTFuzz attack runs.