SmartBackdoor: Malicious Language Model Agents that Avoid Being Caught

Download PDF

Heng Wang, Ruiqi Zhong, Jiaxin Wen, Jacob Steinhardt

27 Sept 2024 (modified: 20 Nov 2024)ICLR 2025 Conference Withdrawn SubmissionEveryoneRevisionsBibTeXCC BY 4.0
Keywords: LLM Agent, AI safety, Backdoor Attack, Deception
Abstract: As large language model (LLM) agents receive more information about themselves or the users from the environment, we speculate a new family of cyber attacks, SmartBackdoor: in this attack, malicious actors provide a backdoored LLM agent; when the victim uses the agent, the agent uses information from its environment to detect whether it is overseen by the victim user; if not, the agent acts maliciously against the victim. To illustrate this family of attack, we use AutoGPT as a case study and provide a proof-of-concept: to exfiltrate a private key without being caught, a backdoored LLM agent can analyze the command running itself or infer the skill level of the human user, thus predicting whether it will get caught. To evaluate current LLMs’ potential to perform such an attack, we propose a dataset of LLM agent scaffolds and benchmark LLMs’ capability to analyze them and reason about human overseers. The current best LLMs (as of 08/2024) fail to robustly perform this task, indicating that the current risk of SmartBackdoor is low. Finally, while our proof-of-concept is unsuccessful in reality and can be exposed by simple defenses (e.g. monitoring system logs or forbidding internet connections), few of them are currently commonly adopted by practitioners and none is sufficient against future SmartBackdoor. We need better LLM agent safety protocols.
Supplementary Material: zip
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2025/AuthorGuide.
Reciprocal Reviewing: I understand the reciprocal reviewing requirement as described on https://iclr.cc/Conferences/2025/CallForPapers. If none of the authors are registered as a reviewer, it may result in a desk rejection at the discretion of the program chairs. To request an exception, please complete this form at https://forms.gle/Huojr6VjkFxiQsUp6.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors’ identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 9777

OpenReview is a long-term project to advance science through improved peer review with legal nonprofit status. We gratefully acknowledge the support of the OpenReview Sponsors. © 2025 OpenReview