Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

LAAF: Logic-layer Automated Attack Framework A Systematic Red-Teaming Methodology for LPCI Vulnerabilities in Agentic Large Language Model Systems

Hammad Atta, Ken Huang, Kyriakos Rock Lambros, Yasir Mehmood, Zeeshan Baig, Mohamed Abdur Rahman, Manish Bhatt, M. Aziz Ul Haq, Muhammad Aatif, Nadeem Shahzad, Kamal Noor, Vineeth Sai Narajala, Hazem Ali, Jamel Abed

Abstract

Agentic LLM systems equipped with persistent memory, RAG pipelines, and external tool connectors face a class of attacks - Logic-layer Prompt Control Injection (LPCI) - for which no automated red-teaming instrument existed. We present LAAF (Logic-layer Automated Attack Framework), the first automated red-teaming framework to combine an LPCI-specific technique taxonomy with stage-sequential seed escalation - two capabilities absent from existing tools: Garak lacks memory-persistence and cross-session triggering; PyRIT supports multi-turn testing but treats turns independently, without seeding each stage from the prior breakthrough. LAAF provides: (i) a 49-technique taxonomy spanning six attack categories (Encoding~11, Structural~8, Semantic~8, Layered~5, Trigger~12, Exfiltration~5; see Table 1), combinable across 5 variants per technique and 6 lifecycle stages, yielding a theoretical maximum of 2,822,400 unique payloads ($49 \times 5 \times 1{,}920 \times 6$; SHA-256 deduplicated at generation time); and (ii) a Persistent Stage Breaker (PSB) that drives payload mutation stage-by-stage: on each breakthrough, the PSB seeds the next stage with a mutated form of the winning payload, mirroring real adversarial escalation. Evaluation on five production LLM platforms across three independent runs demonstrates that LAAF achieves higher stage-breakthrough efficiency than single-technique random testing, with a mean aggregate breakthrough rate of 84\% (range 83--86\%) and platform-level rates stable within 17 percentage points across runs. Layered combinations and semantic reframing are the highest-effectiveness technique categories, with layered payloads outperforming encoding on well-defended platforms.

LAAF: Logic-layer Automated Attack Framework A Systematic Red-Teaming Methodology for LPCI Vulnerabilities in Agentic Large Language Model Systems

Abstract

Agentic LLM systems equipped with persistent memory, RAG pipelines, and external tool connectors face a class of attacks - Logic-layer Prompt Control Injection (LPCI) - for which no automated red-teaming instrument existed. We present LAAF (Logic-layer Automated Attack Framework), the first automated red-teaming framework to combine an LPCI-specific technique taxonomy with stage-sequential seed escalation - two capabilities absent from existing tools: Garak lacks memory-persistence and cross-session triggering; PyRIT supports multi-turn testing but treats turns independently, without seeding each stage from the prior breakthrough. LAAF provides: (i) a 49-technique taxonomy spanning six attack categories (Encoding~11, Structural~8, Semantic~8, Layered~5, Trigger~12, Exfiltration~5; see Table 1), combinable across 5 variants per technique and 6 lifecycle stages, yielding a theoretical maximum of 2,822,400 unique payloads (; SHA-256 deduplicated at generation time); and (ii) a Persistent Stage Breaker (PSB) that drives payload mutation stage-by-stage: on each breakthrough, the PSB seeds the next stage with a mutated form of the winning payload, mirroring real adversarial escalation. Evaluation on five production LLM platforms across three independent runs demonstrates that LAAF achieves higher stage-breakthrough efficiency than single-technique random testing, with a mean aggregate breakthrough rate of 84\% (range 83--86\%) and platform-level rates stable within 17 percentage points across runs. Layered combinations and semantic reframing are the highest-effectiveness technique categories, with layered payloads outperforming encoding on well-defended platforms.
Paper Structure (39 sections, 2 equations, 7 figures, 11 tables)

This paper contains 39 sections, 2 equations, 7 figures, 11 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. LPCI Background
  4. LPCI vs Standard Prompt Injection
  5. Terminological Note: Logic-Layer vs Instruction-Layer
  6. Four Attack Vectors
  7. Six-Stage Lifecycle
  8. Empirical Baseline
  9. LAAF Architecture
  10. Outcome Classification Definitions
  11. Lifecycle Attack Chain
  12. The 49-Technique Taxonomy
  13. Category 1 Encoding (E1--E11)
  14. Category 2 Structural (S1--S8)
  15. Category 3 Semantic (M1--M8)
  16. ...and 24 more sections

Figures (7)

  • Figure 1: LAAF six-component closed-loop architecture. On breakthrough at stage $s_i$, the Mutation Engine derives $B_{i+1}=\mu(p_i^*)$ to seed stage $s_{i+1}$.
  • Figure 2: LPCI six-stage lifecycle attack chain showing primary LAAF technique category and exploitation impact at each stage.
  • Figure 3: 49-technique taxonomy hierarchy across six categories. All 49 techniques shown with IDs and abbreviated names.
  • Figure 4: Persistent Stage Breaker decision loop. Mutation strategy escalates adaptively with consecutive block count $c$.
  • Figure 5: Estimated breakthrough rate (%) by technique category vs LPCI baseline atta2025lpci. Values are indicative estimates derived from winning-technique distributions across scan runs, not independently benchmarked per-category trials. Each series uses a distinct hatch pattern for print accessibility. Layered combinations (crosshatch) consistently achieve the highest estimated rates; semantic reframing (horizontal lines) outperforms encoding on well-defended platforms.
  • ...and 2 more figures