Stop Fixating on Prompts: Reasoning Hijacking and Constraint Tightening for Red-Teaming LLM Agents
About
With the widespread application of LLM-based agents across various domains, their complexity has introduced new security threats. Existing red-team methods mostly rely on modifying user prompts, which lack adaptability to new data and may impact the agent's performance. To address the challenge, this paper proposes the JailAgent framework, which completely avoids modifying the user prompt. Specifically, it implicitly manipulates the agent's reasoning trajectory and memory retrieval with three key stages: Trigger Extraction, Reasoning Hijacking, and Constraint Tightening. Through precise trigger identification, real-time adaptive mechanisms, and an optimized objective function, JailAgent demonstrates outstanding performance in cross-model and cross-scenario environments.
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| Question Answering | MMLU | EM71.93 | 35 | |
| Question Answering | StrategyQA | Exact Match (EM)82.97 | 35 | |
| Question Answering | HotpotQA | EM44.4 | 35 | |
| Jailbreaking | EHRAgent eICU | Success Rate (SR)57.24 | 30 | |
| Jailbreaking | EHRAgent TREQS | SR70.86 | 30 | |
| Jailbreaking | EHRAgent MIMIC-III | SR55.52 | 30 | |
| Question Answering | StrategyQA, MMLU, and HotpotQA Combined | Overall Accuracy0.6334 | 28 | |
| Jailbreaking | EHRAgent ALL | Weighted Average ASR70.112 | 24 | |
| Video Question Answering | VideoAgent Aggregate: EgoSchema and NExT-QA | Overall Accuracy68.606 | 24 | |
| Jailbreaking an Agent | StrategyQA | TCPS (s)52.29 | 4 |