Saved in:
Bibliographic Details
Main Authors: Dong, Shen, Xu, Shaochen, He, Pengfei, Li, Yige, Tang, Jiliang, Liu, Tianming, Liu, Hui, Xiang, Zhen
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2503.03704
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866912901087887360
author Dong, Shen
Xu, Shaochen
He, Pengfei
Li, Yige
Tang, Jiliang
Liu, Tianming
Liu, Hui
Xiang, Zhen
author_facet Dong, Shen
Xu, Shaochen
He, Pengfei
Li, Yige
Tang, Jiliang
Liu, Tianming
Liu, Hui
Xiang, Zhen
contents Agents powered by large language models (LLMs) have demonstrated strong capabilities in a wide range of complex, real-world applications. However, LLM agents with a compromised memory bank may easily produce harmful outputs when the past records retrieved for demonstration are malicious. In this paper, we propose a novel Memory INJection Attack, MINJA, without assuming that the attacker can directly modify the memory bank of the agent. The attacker injects malicious records into the memory bank by only interacting with the agent via queries and output observations. These malicious records are designed to elicit a sequence of malicious reasoning steps corresponding to a different target query during the agent's execution of the victim user's query. Specifically, we introduce a sequence of bridging steps to link victim queries to the malicious reasoning steps. During the memory injection, we propose an indication prompt that guides the agent to autonomously generate similar bridging steps, with a progressive shortening strategy that gradually removes the indication prompt, such that the malicious record will be easily retrieved when processing later victim queries. Our extensive experiments across diverse agents demonstrate the effectiveness of MINJA in compromising agent memory. With minimal requirements for execution, MINJA enables any user to influence agent memory, highlighting the risk.
format Preprint
id arxiv_https___arxiv_org_abs_2503_03704
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Memory Injection Attacks on LLM Agents via Query-Only Interaction
Dong, Shen
Xu, Shaochen
He, Pengfei
Li, Yige
Tang, Jiliang
Liu, Tianming
Liu, Hui
Xiang, Zhen
Machine Learning
Agents powered by large language models (LLMs) have demonstrated strong capabilities in a wide range of complex, real-world applications. However, LLM agents with a compromised memory bank may easily produce harmful outputs when the past records retrieved for demonstration are malicious. In this paper, we propose a novel Memory INJection Attack, MINJA, without assuming that the attacker can directly modify the memory bank of the agent. The attacker injects malicious records into the memory bank by only interacting with the agent via queries and output observations. These malicious records are designed to elicit a sequence of malicious reasoning steps corresponding to a different target query during the agent's execution of the victim user's query. Specifically, we introduce a sequence of bridging steps to link victim queries to the malicious reasoning steps. During the memory injection, we propose an indication prompt that guides the agent to autonomously generate similar bridging steps, with a progressive shortening strategy that gradually removes the indication prompt, such that the malicious record will be easily retrieved when processing later victim queries. Our extensive experiments across diverse agents demonstrate the effectiveness of MINJA in compromising agent memory. With minimal requirements for execution, MINJA enables any user to influence agent memory, highlighting the risk.
title Memory Injection Attacks on LLM Agents via Query-Only Interaction
topic Machine Learning
url https://arxiv.org/abs/2503.03704