The paper introduces Evo-Attacker, a novel reinforcement learning framework for generating long-horizon tool attacks on LLM-based multi-agent systems by exploiting the implicit trust in tool outputs. Evo-Attacker uses a dynamic attack memory and deliberative reasoning to retrieve and modify adversarial patterns, coupled with Attack-Flow GRPO to address credit assignment in long sequences. Experiments show Evo-Attacker significantly outperforms existing methods, demonstrating its ability to generalize and evolve attacks, thus exposing vulnerabilities in current LLM-MAS.
LLM-based multi-agent systems are surprisingly vulnerable: a new RL-based attacker can evolve sophisticated, long-horizon attacks by exploiting trust in external tools.
While Large Language Model-based Multi-Agent Systems (LLM-MAS) demonstrate remarkable capabilities in solving complex tasks by orchestrating specialized agents and external tools, the implicit trust in tool outputs creates a critical attack surface. Existing tool attacks are limited by domain specificity or fixed and static templates. To address these challenges, we propose Evo-Attacker, which formulates the tool attack as a self-evolving, memory-augmented reinforcement learning process. Evo-Attacker constructs a dynamic attack memory and employs deliberative reasoning to retrieve adversarial patterns and strategize modifying interventions at critical moments. Furthermore, we introduce Attack-Flow GRPO to optimize intermediate reasoning steps via terminal outcomes, addressing the long-horizon credit assignment challenge. Comprehensive experiments demonstrate that Evo-Attacker consistently outperforms baselines, highlighting its generalization and evolutionary capabilities and the urgent need for defensive tool safeguards.