Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Chain-of-Trigger: An Agentic Backdoor that Paradoxically Enhances Agentic Robustness

Jiyang Qiu, Xinbei Ma, Yunqing Xu, Zhuosheng Zhang, Hai Zhao

TL;DR

This work exposes vulnerabilities in LLM-based agents by introducing CoTri, a multi-step backdoor that activates only through an ordered sequence of triggers across steps, enabling targeted, long-horizon manipulation. By blending clean and poisoned training data and employing LoRA-based fine-tuning, CoTri achieves near-perfect ASR with negligible FTR while paradoxically boosting robustness to noisy or distracting environments. The authors provide a thorough evaluation across multiple text and vision-language models, demonstrating stable, multi-step control and transferability across modalities. These findings highlight a critical safety risk: highly capable agents can conceal backdoors while appearing robust, underscoring the urgency for defenses and rigorous evaluation protocols in real-world deployments.

Abstract

The rapid deployment of large language model (LLM)-based agents in real-world applications has raised serious concerns about their trustworthiness. In this work, we reveal the security and robustness vulnerabilities of these agents through backdoor attacks. Distinct from traditional backdoors limited to single-step control, we propose the Chain-of-Trigger Backdoor (CoTri), a multi-step backdoor attack designed for long-horizon agentic control. CoTri relies on an ordered sequence. It starts with an initial trigger, and subsequent ones are drawn from the environment, allowing multi-step manipulation that diverts the agent from its intended task. Experimental results show that CoTri achieves a near-perfect attack success rate (ASR) while maintaining a near-zero false trigger rate (FTR). Due to training data modeling the stochastic nature of the environment, the implantation of CoTri paradoxically enhances the agent's performance on benign tasks and even improves its robustness against environmental distractions. We further validate CoTri on vision-language models (VLMs), confirming its scalability to multimodal agents. Our work highlights that CoTri achieves stable, multi-step control within agents, improving their inherent robustness and task capabilities, which ultimately makes the attack more stealthy and raises potential safty risks.

Chain-of-Trigger: An Agentic Backdoor that Paradoxically Enhances Agentic Robustness

TL;DR

This work exposes vulnerabilities in LLM-based agents by introducing CoTri, a multi-step backdoor that activates only through an ordered sequence of triggers across steps, enabling targeted, long-horizon manipulation. By blending clean and poisoned training data and employing LoRA-based fine-tuning, CoTri achieves near-perfect ASR with negligible FTR while paradoxically boosting robustness to noisy or distracting environments. The authors provide a thorough evaluation across multiple text and vision-language models, demonstrating stable, multi-step control and transferability across modalities. These findings highlight a critical safety risk: highly capable agents can conceal backdoors while appearing robust, underscoring the urgency for defenses and rigorous evaluation protocols in real-world deployments.

Abstract

The rapid deployment of large language model (LLM)-based agents in real-world applications has raised serious concerns about their trustworthiness. In this work, we reveal the security and robustness vulnerabilities of these agents through backdoor attacks. Distinct from traditional backdoors limited to single-step control, we propose the Chain-of-Trigger Backdoor (CoTri), a multi-step backdoor attack designed for long-horizon agentic control. CoTri relies on an ordered sequence. It starts with an initial trigger, and subsequent ones are drawn from the environment, allowing multi-step manipulation that diverts the agent from its intended task. Experimental results show that CoTri achieves a near-perfect attack success rate (ASR) while maintaining a near-zero false trigger rate (FTR). Due to training data modeling the stochastic nature of the environment, the implantation of CoTri paradoxically enhances the agent's performance on benign tasks and even improves its robustness against environmental distractions. We further validate CoTri on vision-language models (VLMs), confirming its scalability to multimodal agents. Our work highlights that CoTri achieves stable, multi-step control within agents, improving their inherent robustness and task capabilities, which ultimately makes the attack more stealthy and raises potential safty risks.

Paper Structure

This paper contains 34 sections, 6 equations, 3 figures, 14 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. The Promise and Pitfalls of LLM-based Agents.
  4. Backdoor Attacks on LLMs.
  5. Methodology
  6. Preliminaries: The Standard Agent Framework
  7. Chain-of-Trigger
  8. Treat Model
  9. Formulation
  10. Backdoor Injection via Data Poisoning
  11. Trigger Design and Malicious Objective
  12. Initial Trigger ($tr_1$):
  13. Subsequent Triggers ($tr_k$ for $k > 1$):
  14. Data Construction and Injection
  15. Clean Dataset Construction ($D_{clean}$).
  16. ...and 19 more sections

Figures (3)

  • Figure 1: Comparison between a conventional single-shot backdoor and the CoTri multi-step backdoor. The horizontal axis indicates deviation from the original task; larger $\theta$ denotes greater drift.
  • Figure 2: Overview of CoTri Backdoor. Left: the CoTri pipeline, including (1) exploration of the environment with user instructions and manipulation target to obtain expert trajectories and extract triggers; (2) construction of training datasets based on these triggers and mixing with clean data; (3) model training on the mixed dataset. Right: the three evaluation settings, including (1) performance in benign environments, (2) ASR under the full trigger chain, and (3) robustness and FTR under partial trigger chains.
  • Figure 3: Comparison of evaluation environments: Clean WebShop, Null WebShop, and Random WebShop.