Saved in:
Bibliographic Details
Main Authors: Zhang, Wenhui, Xu, Huiyu, Wang, Zhibo, Li, Zhichao, He, Zeqing, Wei, Xuelin, Ren, Kui
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2601.21380
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866912858163380224
author Zhang, Wenhui
Xu, Huiyu
Wang, Zhibo
Li, Zhichao
He, Zeqing
Wei, Xuelin
Ren, Kui
author_facet Zhang, Wenhui
Xu, Huiyu
Wang, Zhibo
Li, Zhichao
He, Zeqing
Wei, Xuelin
Ren, Kui
contents Recent advancements in multi-model AI systems have leveraged LLM routers to reduce computational cost while maintaining response quality by assigning queries to the most appropriate model. However, as classifiers, LLM routers are vulnerable to novel adversarial attacks in the form of LLM rerouting, where adversaries prepend specially crafted triggers to user queries to manipulate routing decisions. Such attacks can lead to increased computational cost, degraded response quality, and even bypass safety guardrails, yet their security implications remain largely underexplored. In this work, we bridge this gap by systematizing LLM rerouting threats based on the adversary's objectives (i.e., cost escalation, quality hijacking, and safety bypass) and knowledge. Based on the threat taxonomy, we conduct a measurement study of real-world LLM routing systems against existing LLM rerouting attacks. The results reveal that existing routing systems are vulnerable to rerouting attacks, especially in the cost escalation scenario. We then characterize existing rerouting attacks using interpretability techniques, revealing that they exploit router decision boundaries through confounder gadgets that prepend queries to force misrouting. To mitigate these risks, we introduce RerouteGuard, a flexible and scalable guardrail framework for LLM rerouting. RerouteGuard filters adversarial rerouting prompts via dynamic embedding-based detection and adaptive thresholding. Extensive evaluations in three attack settings and four benchmarks demonstrate that RerouteGuard achieves over 99% detection accuracy against state-of-the-art rerouting attacks, while maintaining negligible impact on legitimate queries. The experimental results indicate that RerouteGuard offers a principled and practical solution for safeguarding multi-model AI systems against adversarial rerouting.
format Preprint
id arxiv_https___arxiv_org_abs_2601_21380
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle RerouteGuard: Understanding and Mitigating Adversarial Risks for LLM Routing
Zhang, Wenhui
Xu, Huiyu
Wang, Zhibo
Li, Zhichao
He, Zeqing
Wei, Xuelin
Ren, Kui
Cryptography and Security
Recent advancements in multi-model AI systems have leveraged LLM routers to reduce computational cost while maintaining response quality by assigning queries to the most appropriate model. However, as classifiers, LLM routers are vulnerable to novel adversarial attacks in the form of LLM rerouting, where adversaries prepend specially crafted triggers to user queries to manipulate routing decisions. Such attacks can lead to increased computational cost, degraded response quality, and even bypass safety guardrails, yet their security implications remain largely underexplored. In this work, we bridge this gap by systematizing LLM rerouting threats based on the adversary's objectives (i.e., cost escalation, quality hijacking, and safety bypass) and knowledge. Based on the threat taxonomy, we conduct a measurement study of real-world LLM routing systems against existing LLM rerouting attacks. The results reveal that existing routing systems are vulnerable to rerouting attacks, especially in the cost escalation scenario. We then characterize existing rerouting attacks using interpretability techniques, revealing that they exploit router decision boundaries through confounder gadgets that prepend queries to force misrouting. To mitigate these risks, we introduce RerouteGuard, a flexible and scalable guardrail framework for LLM rerouting. RerouteGuard filters adversarial rerouting prompts via dynamic embedding-based detection and adaptive thresholding. Extensive evaluations in three attack settings and four benchmarks demonstrate that RerouteGuard achieves over 99% detection accuracy against state-of-the-art rerouting attacks, while maintaining negligible impact on legitimate queries. The experimental results indicate that RerouteGuard offers a principled and practical solution for safeguarding multi-model AI systems against adversarial rerouting.
title RerouteGuard: Understanding and Mitigating Adversarial Risks for LLM Routing
topic Cryptography and Security
url https://arxiv.org/abs/2601.21380