Memory Poisoning Attack and Defense on Memory Based LLM-Agents
Balachandra Devarangadi Sunil, Isheeta Sinha, Piyush Maheshwari, Shantanu Todmal, Shreyan Malik, Shuchi Mishra
TL;DR
Memory-augmented LLM agents with persistent memory are vulnerable to memory poisoning via query-only attacks like MINJA, which prior work showed can achieve high injection and attack success in idealized settings. This study empirically evaluates MINJA under realistic EHR conditions, examining how initial memories, indication prompts, and retrieval scope affect attack robustness, and finds that existing defenses must contend with trade-offs between security and utility. It then proposes two complementary defenses—Input/Output Moderation and Memory Sanitization with trust-aware retrieval—and demonstrates how calibration of trust thresholds critically shapes defense effectiveness, with model-dependent outcomes. The work provides practical baselines and insights for deploying secure memory-augmented LLMs in healthcare contexts, and identifies avenues for adaptive, robust defenses that balance memory utility with poisoning risk.
Abstract
Large language model agents equipped with persistent memory are vulnerable to memory poisoning attacks, where adversaries inject malicious instructions through query only interactions that corrupt the agents long term memory and influence future responses. Recent work demonstrated that the MINJA (Memory Injection Attack) achieves over 95 % injection success rate and 70 % attack success rate under idealized conditions. However, the robustness of these attacks in realistic deployments and effective defensive mechanisms remain understudied. This work addresses these gaps through systematic empirical evaluation of memory poisoning attacks and defenses in Electronic Health Record (EHR) agents. We investigate attack robustness by varying three critical dimensions: initial memory state, number of indication prompts, and retrieval parameters. Our experiments on GPT-4o-mini, Gemini-2.0-Flash and Llama-3.1-8B-Instruct models using MIMIC-III clinical data reveal that realistic conditions with pre-existing legitimate memories dramatically reduce attack effectiveness. We then propose and evaluate two novel defense mechanisms: (1) Input/Output Moderation using composite trust scoring across multiple orthogonal signals, and (2) Memory Sanitization with trust-aware retrieval employing temporal decay and pattern-based filtering. Our defense evaluation reveals that effective memory sanitization requires careful trust threshold calibration to prevent both overly conservative rejection (blocking all entries) and insufficient filtering (missing subtle attacks), establishing important baselines for future adaptive defense mechanisms. These findings provide crucial insights for securing memory-augmented LLM agents in production environments.
