🤖 AI Summary
This work demonstrates that the external memory mechanisms of large language model (LLM) agents constitute a novel attack surface: even when provided with clean inputs, maliciously injected memories can induce erroneous outputs. The study introduces an LLM agent architecture with controllable external memory and systematically investigates, for the first time, how memory manipulation affects multiple-choice question-answering behavior. Through carefully designed memory injection and evaluation experiments, quantitative analysis reveals that only a small number of misleading memory entries significantly degrade answer accuracy and effectively steer the agent toward selecting predetermined incorrect options. These findings establish that the memory component poses a tangible security risk, highlighting the need for robust safeguards against adversarial memory tampering in LLM-based systems.
📝 Abstract
AI agents extend conventional large language model (LLM) applications by integrating language understanding with task execution, external tool use, and memory mechanisms. While memory allows agents to retain prior interactions and provide more personalized and context-aware responses, it also introduces a new vulnerability: information stored in memory can influence future outputs even when the current query is clean. In this paper, we investigate memory manipulation in LLM-based agents for multiple-choice question answering. We first design and implement an LLM-based AI agent with an external memory component that stores and retrieves task-relevant information. We then introduce basic memory manipulation scenarios in which misleading or corrupted memories are inserted into the agent before it answers multiple-choice questions. Using a controlled experimental setup, we compare the agent's performance before and after memory manipulation and measure changes in answer accuracy, attack success rate, and selection of manipulated options. Our results show that even simple memory manipulations can noticeably affect the agent's final answers, causing it to select incorrect options despite receiving clean and well-formed questions.