🤖 AI Summary
This work identifies critical security vulnerabilities in persistent external memory systems of large language model (LLM) agents, wherein adversarial content can be injected through ordinary interactions, persist over time, and subsequently distort agent behavior. To systematically investigate this threat, the authors introduce MemPoison—a comprehensive benchmark and analytical framework encompassing 1,227 hand-verified cases—and evaluate four attack types, three injection channels, and three memory backends across ten prominent LLMs. They propose a novel three-tier attack taxonomy (L1–L3) and a Mechanism Impact Decomposition (MID) method to dissect vulnerability sources. Experiments reveal that current write-time defenses are only effective against L1 attacks, exhibiting structural blind spots against more sophisticated L2 and L3 attacks, thereby advocating a paradigm shift from static filtering toward adaptive, context-aware memory security mechanisms.
📝 Abstract
Persistent external memory enhances agent continuity but introduces persistent security vulnerabilities: adversarial content can be injected via standard interaction channels, retained across turns, and later distort downstream behavior. To address this challenge, we propose MemPoison, a comprehensive benchmark and analysis framework featuring 1227 hand-validated cases across four attack types, three injection channels, and three representative memory substrates, evaluated on seven open-weight and three closed-weight model families. We introduce a three-tier taxonomy: (L1) direct single-record corruption, (L2) compositional multi-record corruption and (L3) context-triggered dormant corruption. Our evaluations reveal a distinct defense frontier: while baseline write-time defenses, such as consistency checks, substantially suppress direct L1 attacks, they fail to reliably suppress L2 and L3 attacks. Through mechanistic influence decomposition (MID), we demonstrate structural blind spots in write-time defenses, which admit seemingly benign records that later become harmful through joint retrieval composition or trigger-conditioned activation. Our findings advocate for shifting from static filtering to adaptive, context-sensitive memory defense strategies.