Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

AttriGuard: Defeating Indirect Prompt Injection in LLM Agents via Causal Attribution of Tool Invocations

Yu He, Haozhe Zhu, Yiming Li, Shuo Shao, Hongwei Yao, Zhihao Liu, Zhan Qin

TL;DR

This work proposes a new paradigm, action-level causal attribution, which secures agents by asking why a particular tool call is produced, to distinguish tool calls supported by the user's intent from those causally driven by untrusted observations.

Abstract

LLM agents are highly vulnerable to Indirect Prompt Injection (IPI), where adversaries embed malicious directives in untrusted tool outputs to hijack execution. Most existing defenses treat IPI as an input-level semantic discrimination problem, which often fails to generalize to unseen payloads. We propose a new paradigm, action-level causal attribution, which secures agents by asking why a particular tool call is produced. The central goal is to distinguish tool calls supported by the user's intent from those causally driven by untrusted observations. We instantiate this paradigm with AttriGuard, a runtime defense based on parallel counterfactual tests. For each proposed tool call, AttriGuard verifies its necessity by re-executing the agent under a control-attenuated view of external observations. Technically, AttriGuard combines teacher-forced shadow replay to prevent attribution confounding, hierarchical control attenuation to suppress diverse control channels while preserving task-relevant information, and a fuzzy survival criterion that is robust to LLM stochasticity. Across four LLMs and two agent benchmarks, AttriGuard achieves 0% ASR under static attacks with negligible utility loss and moderate overhead. Importantly, it remains resilient under adaptive optimization-based attacks in settings where leading defenses degrade significantly.

AttriGuard: Defeating Indirect Prompt Injection in LLM Agents via Causal Attribution of Tool Invocations

TL;DR

This work proposes a new paradigm, action-level causal attribution, which secures agents by asking why a particular tool call is produced, to distinguish tool calls supported by the user's intent from those causally driven by untrusted observations.

Abstract

LLM agents are highly vulnerable to Indirect Prompt Injection (IPI), where adversaries embed malicious directives in untrusted tool outputs to hijack execution. Most existing defenses treat IPI as an input-level semantic discrimination problem, which often fails to generalize to unseen payloads. We propose a new paradigm, action-level causal attribution, which secures agents by asking why a particular tool call is produced. The central goal is to distinguish tool calls supported by the user's intent from those causally driven by untrusted observations. We instantiate this paradigm with AttriGuard, a runtime defense based on parallel counterfactual tests. For each proposed tool call, AttriGuard verifies its necessity by re-executing the agent under a control-attenuated view of external observations. Technically, AttriGuard combines teacher-forced shadow replay to prevent attribution confounding, hierarchical control attenuation to suppress diverse control channels while preserving task-relevant information, and a fuzzy survival criterion that is robust to LLM stochasticity. Across four LLMs and two agent benchmarks, AttriGuard achieves 0% ASR under static attacks with negligible utility loss and moderate overhead. Importantly, it remains resilient under adaptive optimization-based attacks in settings where leading defenses degrade significantly.
Paper Structure (38 sections, 9 equations, 3 figures, 8 tables, 1 algorithm)

This paper contains 38 sections, 9 equations, 3 figures, 8 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. LLM Agent Systems
  4. Indirect Prompt Injection Attacks
  5. Threat Model
  6. Formulating Prompt Injection Defense as Action-level Causal Attribution
  7. Limitations of Model-level Defenses
  8. Action-level Causal Attribution
  9. Control Effect and Control Potency
  10. Our AttriGuard
  11. Overview of AttriGuard
  12. Teacher-forced Shadow Replay
  13. Hierarchical Control Attenuation
  14. Fuzzy Survival Criterion
  15. Experiments
  16. ...and 23 more sections

Figures (3)

  • Figure 1: AttriGuard pipeline under injected vs. benign observations.Left (with IPI): the original run (top) retrieves an injected webpage and invokes a malicious messaging call; the shadow run (bottom) syncs history, attenuates the control potency, and the fuzzy survival test blocks the injected call. Right (benign): both runs agree on the save-to-pad call, which is executed.
  • Figure 2: ASR on the AgentDojo benchmark under four static IPI attacks. For each attack, we compare agents without defense and with AttriGuard across four backbone models. AttriGuard reduces ASR to 0 across all attack types and deployment scenarios.
  • Figure 3: BU on the AgentDojo benchmark, comparing agents without defense and with AttriGuard. AttriGuard does not introduce a noticeable degradation in utility across settings.

Theorems & Definitions (3)

  • Definition 1: Action-level causal attribution
  • Definition 2: Control effect
  • Definition 3: Control potency