
Mimicking the Familiar: Dynamic Command Generation for Information Theft Attacks in LLM Tool-Learning System

Ziyou Jiang, Mingyang Li, Guowei Yang, Junjie Wang, Yuekai Huang, Zhiyuan Chang, Qing Wang

TL;DR

AutoCMD introduces a dynamic command generation framework for information theft attacks in LLM tool-learning systems, addressing the rigidity of static attacks by learning from AttackDB and refining commands through reinforcement learning (RL) with PPO. It constructs AttackDB from cross-tool interactions, trains an initial command generator, and continuously optimizes it using black-box feedback and a sentiment-aware reward, achieving a higher $ASR_{Theft}$ than the baselines on open-source benchmarks and exposing leakage risks in several black-box systems. The work also proposes three defense methods (InferCheck, ParamCheck, DAST) that significantly reduce attack effectiveness, demonstrating practical mitigation potential. Overall, AutoCMD advances the understanding of dynamic adversarial behavior in multi-tool LLM ecosystems and informs defense design, with implications for securing real-world tool-learning deployments.

Abstract

Information theft attacks pose a significant risk to Large Language Model (LLM) tool-learning systems. Adversaries can inject malicious commands through compromised tools, manipulating LLMs into sending sensitive information to these tools, which leads to potential privacy breaches. However, existing attack approaches are black-box oriented and rely on static commands that cannot adapt flexibly to changes in user queries and in the invocation chain of tools. This makes malicious commands more likely to be detected by the LLM and leads to attack failure. In this paper, we propose AutoCMD, a dynamic attack command generation approach for information theft attacks in LLM tool-learning systems. Inspired by the concept of mimicking the familiar, AutoCMD is capable of inferring the information utilized by upstream tools in the toolchain through learning on open-source systems and reinforcement with target-system examples, thereby generating more targeted commands for information theft. The evaluation results show that AutoCMD outperforms the baselines by +13.2% $ASR_{Theft}$, and can be generalized to new tool-learning systems to expose their information leakage risks. We also design four defense methods to effectively protect tool-learning systems from the attack.

Paper Structure

This paper contains 48 sections, 6 equations, 11 figures, 6 tables, and 1 algorithm.

Figures (11)

  • Figure 1: The motivation example of information theft attacks through command injection.
  • Figure 2: Overview of AutoCMD.
  • Figure 3: Example of attack cases.
  • Figure 4: The component's contribution to total reward in the AutoCMD's optimization.
  • Figure 5: The case study of AutoCMD.