Table of Contents
Fetching ...

RerouteGuard: Understanding and Mitigating Adversarial Risks for LLM Routing

Wenhui Zhang, Huiyu Xu, Zhibo Wang, Zhichao Li, Zeqing He, Xuelin Wei, Kui Ren

TL;DR

RerouteGuard investigates adversarial rerouting risks in LLM routing and proposes a threat taxonomy, a measurement study across multiple routers and benchmarks, and a practical defense. The study shows that routers are vulnerable to cost escalation, quality hijacking, and safety bypass under white-box, gray-box, and box-free settings, with triggers that transfer across models. It introduces RerouteGuard, a contrastive-learning based guardrail that detects rerouting prompts with near-perfect accuracy and negligible latency, and demonstrates robustness against adaptive threats. The work provides a principled, scalable safeguard for multi-model AI systems that rely on LLM routing.

Abstract

Recent advancements in multi-model AI systems have leveraged LLM routers to reduce computational cost while maintaining response quality by assigning queries to the most appropriate model. However, as classifiers, LLM routers are vulnerable to novel adversarial attacks in the form of LLM rerouting, where adversaries prepend specially crafted triggers to user queries to manipulate routing decisions. Such attacks can lead to increased computational cost, degraded response quality, and even bypass safety guardrails, yet their security implications remain largely underexplored. In this work, we bridge this gap by systematizing LLM rerouting threats based on the adversary's objectives (i.e., cost escalation, quality hijacking, and safety bypass) and knowledge. Based on the threat taxonomy, we conduct a measurement study of real-world LLM routing systems against existing LLM rerouting attacks. The results reveal that existing routing systems are vulnerable to rerouting attacks, especially in the cost escalation scenario. We then characterize existing rerouting attacks using interpretability techniques, revealing that they exploit router decision boundaries through confounder gadgets that prepend queries to force misrouting. To mitigate these risks, we introduce RerouteGuard, a flexible and scalable guardrail framework for LLM rerouting. RerouteGuard filters adversarial rerouting prompts via dynamic embedding-based detection and adaptive thresholding. Extensive evaluations in three attack settings and four benchmarks demonstrate that RerouteGuard achieves over 99% detection accuracy against state-of-the-art rerouting attacks, while maintaining negligible impact on legitimate queries. The experimental results indicate that RerouteGuard offers a principled and practical solution for safeguarding multi-model AI systems against adversarial rerouting.

RerouteGuard: Understanding and Mitigating Adversarial Risks for LLM Routing

TL;DR

RerouteGuard investigates adversarial rerouting risks in LLM routing and proposes a threat taxonomy, a measurement study across multiple routers and benchmarks, and a practical defense. The study shows that routers are vulnerable to cost escalation, quality hijacking, and safety bypass under white-box, gray-box, and box-free settings, with triggers that transfer across models. It introduces RerouteGuard, a contrastive-learning based guardrail that detects rerouting prompts with near-perfect accuracy and negligible latency, and demonstrates robustness against adaptive threats. The work provides a principled, scalable safeguard for multi-model AI systems that rely on LLM routing.

Abstract

Recent advancements in multi-model AI systems have leveraged LLM routers to reduce computational cost while maintaining response quality by assigning queries to the most appropriate model. However, as classifiers, LLM routers are vulnerable to novel adversarial attacks in the form of LLM rerouting, where adversaries prepend specially crafted triggers to user queries to manipulate routing decisions. Such attacks can lead to increased computational cost, degraded response quality, and even bypass safety guardrails, yet their security implications remain largely underexplored. In this work, we bridge this gap by systematizing LLM rerouting threats based on the adversary's objectives (i.e., cost escalation, quality hijacking, and safety bypass) and knowledge. Based on the threat taxonomy, we conduct a measurement study of real-world LLM routing systems against existing LLM rerouting attacks. The results reveal that existing routing systems are vulnerable to rerouting attacks, especially in the cost escalation scenario. We then characterize existing rerouting attacks using interpretability techniques, revealing that they exploit router decision boundaries through confounder gadgets that prepend queries to force misrouting. To mitigate these risks, we introduce RerouteGuard, a flexible and scalable guardrail framework for LLM rerouting. RerouteGuard filters adversarial rerouting prompts via dynamic embedding-based detection and adaptive thresholding. Extensive evaluations in three attack settings and four benchmarks demonstrate that RerouteGuard achieves over 99% detection accuracy against state-of-the-art rerouting attacks, while maintaining negligible impact on legitimate queries. The experimental results indicate that RerouteGuard offers a principled and practical solution for safeguarding multi-model AI systems against adversarial rerouting.
Paper Structure (24 sections, 13 equations, 9 figures, 11 tables, 1 algorithm)

This paper contains 24 sections, 13 equations, 9 figures, 11 tables, 1 algorithm.

Figures (9)

  • Figure 1: The overview of routing LLMs. Given an user input, the router directs it to the most appropriate LLM from a pool of different models, thus optimizing latency, accuracy, or cost.
  • Figure 2: The three attack settings and associated rerouting threats. In the white-box setting, the adversary uses gradient information to iteratively update a universal trigger. In the gray-box setting, the adversary leverages the LLM router’s scoring function to maximize the win rate of the target model. In the box-free setting, the adversary has no access to router details but uses an LLM (e.g., GPT-4o) to extract query features and construct triggers. Once the universal trigger is optimized, the adversary prepends it to the user query using theft techniques, such as man-in-the-middle attacks. This adversarial query can cause the LLM router to select a stronger model, leading to cost escalation; a weaker model, resulting in quality degradation; or a less secure model, bypassing the guardrails of stronger models.
  • Figure 3: The cost escalation ASR of different attack methods in four routers in three benchmarks: (a). MMLU, including 100 multi-choice questions; (b). GSM8K, including 100 grade school math problems; (c). MT-Bench, including 72 open-ended questions. Here, $M_s$ denotes GPT-4o, while $M_w$ denotes Mixtral-8x7B-Instruct.
  • Figure 4: The quality hijacking ASR of different attack methods in four routers in three benchmarks. Similar to cost escalation, the $M_s$ is GPT-4o, while the $M_w$ is Mixtral-8x7B-Instruct.
  • Figure 5: The heatmap of safety bypass ASR across 5 types of jailbreak prompts against 4 LLM routers. We average the ASR in three rerouting attack methods.
  • ...and 4 more figures