Search papers, labs, and topics across Lattice.
This paper conducts a comprehensive security and privacy analysis of self-evolving LLM agent systems using the Module-Lifecycle Attack Surface (MLAS) matrix, which categorizes threats across five functional modules and lifecycle stages. The analysis reveals that 17 out of 25 identified attack surface cells face critical threats that lack effective mitigation strategies, while evolution-native designs significantly increase the attack surface and persistence of adversarial influences. The findings highlight the inadequacy of static defenses against lineage-persistent attacks and the necessity for evolution-aware security frameworks in the design of self-modifying systems.
Self-evolving LLMs can amplify adversarial threats, making every known attack lineage-persistent and exposing critical vulnerabilities that static defenses can't address.
Self-evolving LLM agent systems, which autonomously update their model parameters, memory, tools, and architectures, introduce a qualitatively new threat landscape in which adversarial influences become permanently encoded, self-amplify across generations, and propagate through populations without sustained attacker access. We present a systematic security and privacy analysis organized around the Module-Lifecycle Attack Surface (MLAS) matrix, which decomposes the attack surface into five functional modules (Brain, Cognitive Resource, Execution, Self-Design, Collective) $\times$ five lifecycle stages (Bootstrap, Propose, Evaluate, Commit, Serve). Analysis of the resulting 25 cells reveals that 17 face critical threats for which no effective partial mitigation. We identify seven cross-cutting amplification effects that interact synergistically and cannot be addressed by securing individual modules in isolation. Comparative case studies of two open-source frameworks demonstrate that evolution-native design activates $3.5\times$ more attack surface cells and achieves a 100% attack persistence rate (40/40 payloads across all CIA+Privacy categories), while co-located security scanners block only 2.5% of attacks. Our findings establish that self-evolution converts every known attack category from session-bounded to lineage-persistent, gives rise to entirely new attack classes, and renders static defenses structurally inadequate, motivating evolution-aware security frameworks and formal verification for self-modifying systems.