
Exposing LLM User Privacy via Traffic Fingerprint Analysis: A Study of Privacy Risks in LLM Agent Interactions

Yixiang Zhang, Xinhao Deng, Zhongyi Gu, Yihao Chen, Ke Xu, Qi Li, Jianping Wu

TL;DR

This work addresses privacy risks introduced by LLM agents that autonomously plan and invoke external tools. It shows that encrypted network traffic between users and agents preserves distinctive timing and volume patterns (traffic fingerprints) that reveal agent behaviors, identify the specific agent, and infer sensitive user attributes such as occupation. The authors propose AgentPrint, a framework combining diverse prompt generation, multi-view traffic representations (MTAM), CNN-based fingerprinting, and a zero-shot occupation inference over a DWA-based occupation network with RCA and EWMA. Key findings include high classification performance for agent behavior (macro F1 ≈ 0.924) and identity (macro F1 ≈ 0.866) under mixed-flow conditions, as well as substantial privacy leakage in occupation profiling (Top-3 up to 73.9% for high-exposure virtual users and 69.1% for real users). The results underscore that encryption alone cannot safeguard privacy in the era of LLM agents and motivate technical countermeasures and regulatory updates to mitigate traffic-based side-channel leaks.

Abstract

Large Language Models (LLMs) are increasingly deployed as agents that orchestrate tasks and integrate external tools to execute complex workflows. We demonstrate that these interactive behaviors leave distinctive fingerprints in encrypted traffic exchanged between users and LLM agents. By analyzing traffic patterns associated with agent workflows and tool invocations, adversaries can infer agent activities, distinguish specific agents, and even profile sensitive user attributes. To highlight this risk, we develop AgentPrint, which achieves an F1-score of 0.866 in agent identification and attains 73.9% and 69.1% top-3 accuracy in user attribute inference for simulated- and real-user settings, respectively. These results uncover an overlooked risk: the very interactivity that empowers LLM agents also exposes user privacy, underscoring the urgent need for technical countermeasures alongside regulatory and policy safeguards.

Paper Structure

This paper contains 29 sections, 14 equations, 11 figures, 4 tables.

Figures (11)

  • Figure 1: Overview of AgentPrint. (A) Threat model: an adversary can uncover private user information by eavesdropping and analyzing traffic generated during interactions with LLM-based AI agents. (B) Unpacking User-LLM Agent Interaction: an LLM agent autonomously plans and performs tool calls based on user prompts, integrating feedback to adapt its behavior and generating a response to the user. The browser and the LLM vendor synchronize and update states during this process. The behaviors of the LLM agent result in distinctive network traffic patterns. (C) The workflow of identifying LLM agent fingerprints: the adversary initially extracts and identifies traffic fingerprints to infer agent-level behaviors, and subsequently infers sensitive user-level information by applying an agent-user attribute correlation matrix to aggregated agent usage over time. (D) Agent Fingerprint Construction: the adversary designs tailored functional prompts and simulates user-agent interactions to generate diverse, fingerprint-enriched traffic. It then extracts and aggregates traffic features to construct agent fingerprints and trains a CNN-based classifier to identify the agent interacting with the user. (E) Agent-User Correlation Analysis: the adversary gathers sensitive user-attribute descriptions and agent information, annotates agent exposures with respect to these attributes, and then models agent-attribute correlations to construct an agent-user attribute correlation matrix.
  • Figure 2: Traffic signatures of typical LLM agent behaviors, illustrated through six representative examples. (A) Two-phase web search for retrieving and summarizing papers on science.org. (B) Diagram creation via a slow third-party API call. (C) Literature search via a rapid third-party API call. (D) Python code generation followed by remote execution. (E) Image generation followed by asset download. (F) Text-only dialogue without tool use. Each figure shows four curves corresponding to multi-view traffic features, which together reveal distinctive interaction patterns that can result in traffic fingerprints.
  • Figure 3: Analytical framework for fingerprinting LLM agents from interaction traffic and downstream occupation profiling. (A) Prototype prompts are produced by self-instruction and constrained to elicit representative agent behaviors; they are then used to simulate user-agent interactions that form fingerprint-enriched training traffic. (B) Interaction traffic is initially extracted as packet sequences, and then aggregated by packet count and payload length within fixed-gap time windows, producing distinctive fingerprints that enable CNN-based recognition of agent behaviors and identities. (C) Monitored agents are annotated by assessing the alignment of their functionalities with detailed user-attribute descriptions, supporting network modularity-based agent-attribute correlation modeling. Comparative-advantage correlation scores are then derived and combined with cross-agent usage to infer user information. This framework illustrates how agent-specific interaction patterns can be systematically exposed and exploited for fingerprinting and downstream user attribute inference.
  • Figure 4: Performance of LLM agent behavior and identity classification from user-agent interaction traffic. (A) t-SNE visualization of agent behavior recognition across model-learned representations, spanning raw traffic to progressively extracted deep fingerprints. (B) t-SNE visualization of agent identity recognition across model-learned representations. Both visualizations demonstrate the evolution from scattered distributions to well-clustered groups. (C) Confusion matrix of behavior classification across five categories. (D) Violin plots of F1-score distributions for identity recognition of 50 monitored agents under four settings, combining closed- vs. open-world scenarios of available agents with primary- vs. mixed-flow traffic. These results confirm that both agent behaviors and identities can be reliably inferred from encrypted traffic, underscoring the feasibility of traffic-based fingerprinting.
  • Figure 5: User occupation profiling by LLM agent usage. (A) Top-K (K = 1, 2, 3) accuracy for virtual users with lower (< 0.4) and higher (≥ 0.4) LLM exposure [GPT_labor_science], and for real users. (B) Effect of occupational LLM exposure level on inference accuracy for virtual users. Accuracy increases steadily with exposure up to 0.4 and then stabilizes around 0.7, indicating that highly exposed occupations are more vulnerable to profiling. (C) Effect of the number of visible agents on inference accuracy. Accuracy improves as more agents are observed, for both virtual and real users. (D) Dependence of occupation profiling on agent identification accuracy. Inference accuracy grows almost linearly with upstream identification accuracy, showing that reliable agent recognition directly enhances downstream profiling. Together, these results demonstrate the feasibility of inferring user occupation categories from agent usage patterns and highlight the associated privacy risks.
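To make the representation in the Figure 3(B) caption concrete, here is an added example (not the paper's or AgentPrint's code) that aggregates a packet trace into per-direction packet-count and byte-volume views over fixed-gap time windows and compares two constructed traces shaped like Figure 2(A) and 2(F). The 0.5 s gap, 8 windows and the four-view layout are assumptions; MTAM's exact layout is not given on this page.

```python
"""Fixed-gap time-window aggregation of an encrypted user-agent trace.
Added example, not AgentPrint's code: gap, window count and the four-view
split are assumptions; the packet traces below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float        # seconds since the user's prompt was sent
    direction: int  # +1 client -> agent, -1 agent -> client
    length: int     # encrypted payload bytes


def window_views(packets, gap=0.5, n_windows=8):
    """Aggregate a trace into four views of n_windows buckets each:
    [up_count, down_count, up_bytes, down_bytes]."""
    views = [[0] * n_windows for _ in range(4)]
    for p in packets:
        w = int(p.t // gap)
        if w >= n_windows:
            continue  # packet falls outside the observed span
        idx = 0 if p.direction > 0 else 1
        views[idx][w] += 1
        views[idx + 2][w] += p.length
    return views


def l1_distance(a, b):
    """Sum of absolute bucket differences over all views (a simple dissimilarity)."""
    return sum(abs(x - y) for va, vb in zip(a, b) for x, y in zip(va, vb))


# Constructed traces mimicking Figure 2(F) (text-only dialogue) and Figure 2(A)
# (two-phase web search): the prompt goes up once, then replies stream down.
TEXT_ONLY = [Packet(0.0, +1, 400)] + [Packet((2 + i) / 10, -1, 120) for i in range(30)]
WEB_SEARCH = (
    [Packet(0.0, +1, 400)]
    # ~1.5 s of silence while the agent searches, then a fetched-page burst
    + [Packet((150 + 2 * i) / 100, -1, 1400) for i in range(10)]
    # followed by the streamed summary
    + [Packet((25 + i) / 10, -1, 120) for i in range(20)]
)

if __name__ == "__main__":
    for name, trace in (("text-only", TEXT_ONLY), ("web-search", WEB_SEARCH)):
        print(name, window_views(trace))
    print("L1 distance:", l1_distance(window_views(TEXT_ONLY), window_views(WEB_SEARCH)))
```

The same windowed views are what a padding or traffic-shaping countermeasure has to flatten, so the distance function doubles as a quick score of how much a defense narrows the gap between two behaviors.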