POSTER: Identifying and Mitigating Vulnerabilities in LLM-Integrated Applications

Fengqing Jiang; Zhangchen Xu; Luyao Niu; Boxin Wang; Jinyuan Jia; Bo Li; Radha Poovendran

doi:10.1145/3634737.3659433

POSTER: Identifying and Mitigating Vulnerabilities in LLM-Integrated Applications

Fengqing Jiang, Zhangchen Xu, Luyao Niu, Boxin Wang, Jinyuan Jia, Bo Li, Radha Poovendran

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Compared with the traditional usage of large language models (LLMs) where users directly send queries to an LLM, LLM-integrated applications serve as middleware to refine users’ queries with domain-specific knowledge to better inform LLMs and enhance the responses. However, LLM-integrated applications also introduce new attack surfaces. This work considers a setup where the user and LLM interact via an application in the middle. We focus on the interactions that begin with user’s queries and end with LLM-integrated application returning responses to the queries, powered by LLMs at the service backend. We identify potential high-risk vulnerabilities in this setting that can originate from the malicious application developer or from an outsider threat initiator that can control the database access, manipulate and poison high-risk data for the user. Successful exploits of the identified vulnerabilities result in the users receiving responses tailored to the intent of a threat initiator. We assess such threats against LLM-integrated applications empowered by GPT-3.5 and GPT-4. Our experiments show that the threats can effectively bypass the restrictions and moderation policies of OpenAI, resulting in users exposing to the risk of bias, toxic content, privacy, and disinformation. We develop a lightweight, threat-agnostic defense to mitigate insider and outsider threats. Our evaluations demonstrate the efficacy of our defense.

Original language	English (US)
Title of host publication	ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	1949-1951
Number of pages	3
ISBN (Electronic)	9798400704826
DOIs	https://doi.org/10.1145/3634737.3659433
State	Published - Jul 1 2024
Externally published	Yes
Event	19th ACM Asia Conference on Computer and Communications Security, AsiaCCS 2024 - Singapore, Singapore Duration: Jul 1 2024 → Jul 5 2024

Publication series

Name	ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security

Conference

Conference	19th ACM Asia Conference on Computer and Communications Security, AsiaCCS 2024
Country/Territory	Singapore
City	Singapore
Period	7/1/24 → 7/5/24

ASJC Scopus subject areas

Computational Theory and Mathematics
Computer Networks and Communications
Computer Science Applications

Online availability

10.1145/3634737.3659433

Library availability

Discover UIUC Full Text

Cite this

Jiang, F., Xu, Z., Niu, L., Wang, B., Jia, J., Li, B., & Poovendran, R. (2024). POSTER: Identifying and Mitigating Vulnerabilities in LLM-Integrated Applications. In ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security (pp. 1949-1951). (ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/3634737.3659433

POSTER: Identifying and Mitigating Vulnerabilities in LLM-Integrated Applications. / Jiang, Fengqing; Xu, Zhangchen; Niu, Luyao et al.
ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, 2024. p. 1949-1951 (ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Jiang, F, Xu, Z, Niu, L, Wang, B, Jia, J, Li, B & Poovendran, R 2024, POSTER: Identifying and Mitigating Vulnerabilities in LLM-Integrated Applications. in ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security. ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, Association for Computing Machinery, pp. 1949-1951, 19th ACM Asia Conference on Computer and Communications Security, AsiaCCS 2024, Singapore, Singapore, 7/1/24. https://doi.org/10.1145/3634737.3659433

Jiang F, Xu Z, Niu L, Wang B, Jia J, Li B et al. POSTER: Identifying and Mitigating Vulnerabilities in LLM-Integrated Applications. In ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery. 2024. p. 1949-1951. (ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security). Epub 2024 Jul. doi: 10.1145/3634737.3659433

Jiang, Fengqing ; Xu, Zhangchen ; Niu, Luyao et al. / POSTER : Identifying and Mitigating Vulnerabilities in LLM-Integrated Applications. ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, 2024. pp. 1949-1951 (ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security).

@inproceedings{901801fc12d74913b2a0a21470dec8a0,

title = "POSTER: Identifying and Mitigating Vulnerabilities in LLM-Integrated Applications",

abstract = "Compared with the traditional usage of large language models (LLMs) where users directly send queries to an LLM, LLM-integrated applications serve as middleware to refine users{\textquoteright} queries with domain-specific knowledge to better inform LLMs and enhance the responses. However, LLM-integrated applications also introduce new attack surfaces. This work considers a setup where the user and LLM interact via an application in the middle. We focus on the interactions that begin with user{\textquoteright}s queries and end with LLM-integrated application returning responses to the queries, powered by LLMs at the service backend. We identify potential high-risk vulnerabilities in this setting that can originate from the malicious application developer or from an outsider threat initiator that can control the database access, manipulate and poison high-risk data for the user. Successful exploits of the identified vulnerabilities result in the users receiving responses tailored to the intent of a threat initiator. We assess such threats against LLM-integrated applications empowered by GPT-3.5 and GPT-4. Our experiments show that the threats can effectively bypass the restrictions and moderation policies of OpenAI, resulting in users exposing to the risk of bias, toxic content, privacy, and disinformation. We develop a lightweight, threat-agnostic defense to mitigate insider and outsider threats. Our evaluations demonstrate the efficacy of our defense.",

author = "Fengqing Jiang and Zhangchen Xu and Luyao Niu and Boxin Wang and Jinyuan Jia and Bo Li and Radha Poovendran",

note = "This work is partially supported by the Air Force Office of Scientific Research (AFOSR) under grant FA9550-23-1-0208, National Science Foundation (NSF) under grants No.1910100, No.2046726, No. 2229876, DARPA GARD, the National Aeronautics and Space Administration (NASA) under grant No.80NSSC20M0229, Alfred P. Sloan Fellowship, Office of Naval Research (ONR) under grant N00014-23-1-2386, and the Amazon research award. This work is supported in part by funds provided by the National Science Foundation, by the Department of Homeland Security, and by IBM. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation or its federal agency and industry partners.; 19th ACM Asia Conference on Computer and Communications Security, AsiaCCS 2024 ; Conference date: 01-07-2024 Through 05-07-2024",

year = "2024",

month = jul,

day = "1",

doi = "10.1145/3634737.3659433",

language = "English (US)",

series = "ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

pages = "1949--1951",

booktitle = "ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security",

address = "United States",

}

TY - GEN

T1 - POSTER

T2 - 19th ACM Asia Conference on Computer and Communications Security, AsiaCCS 2024

AU - Jiang, Fengqing

AU - Xu, Zhangchen

AU - Niu, Luyao

AU - Wang, Boxin

AU - Jia, Jinyuan

AU - Li, Bo

AU - Poovendran, Radha

N1 - This work is partially supported by the Air Force Office of Scientific Research (AFOSR) under grant FA9550-23-1-0208, National Science Foundation (NSF) under grants No.1910100, No.2046726, No. 2229876, DARPA GARD, the National Aeronautics and Space Administration (NASA) under grant No.80NSSC20M0229, Alfred P. Sloan Fellowship, Office of Naval Research (ONR) under grant N00014-23-1-2386, and the Amazon research award. This work is supported in part by funds provided by the National Science Foundation, by the Department of Homeland Security, and by IBM. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation or its federal agency and industry partners.

PY - 2024/7/1

Y1 - 2024/7/1

N2 - Compared with the traditional usage of large language models (LLMs) where users directly send queries to an LLM, LLM-integrated applications serve as middleware to refine users’ queries with domain-specific knowledge to better inform LLMs and enhance the responses. However, LLM-integrated applications also introduce new attack surfaces. This work considers a setup where the user and LLM interact via an application in the middle. We focus on the interactions that begin with user’s queries and end with LLM-integrated application returning responses to the queries, powered by LLMs at the service backend. We identify potential high-risk vulnerabilities in this setting that can originate from the malicious application developer or from an outsider threat initiator that can control the database access, manipulate and poison high-risk data for the user. Successful exploits of the identified vulnerabilities result in the users receiving responses tailored to the intent of a threat initiator. We assess such threats against LLM-integrated applications empowered by GPT-3.5 and GPT-4. Our experiments show that the threats can effectively bypass the restrictions and moderation policies of OpenAI, resulting in users exposing to the risk of bias, toxic content, privacy, and disinformation. We develop a lightweight, threat-agnostic defense to mitigate insider and outsider threats. Our evaluations demonstrate the efficacy of our defense.

AB - Compared with the traditional usage of large language models (LLMs) where users directly send queries to an LLM, LLM-integrated applications serve as middleware to refine users’ queries with domain-specific knowledge to better inform LLMs and enhance the responses. However, LLM-integrated applications also introduce new attack surfaces. This work considers a setup where the user and LLM interact via an application in the middle. We focus on the interactions that begin with user’s queries and end with LLM-integrated application returning responses to the queries, powered by LLMs at the service backend. We identify potential high-risk vulnerabilities in this setting that can originate from the malicious application developer or from an outsider threat initiator that can control the database access, manipulate and poison high-risk data for the user. Successful exploits of the identified vulnerabilities result in the users receiving responses tailored to the intent of a threat initiator. We assess such threats against LLM-integrated applications empowered by GPT-3.5 and GPT-4. Our experiments show that the threats can effectively bypass the restrictions and moderation policies of OpenAI, resulting in users exposing to the risk of bias, toxic content, privacy, and disinformation. We develop a lightweight, threat-agnostic defense to mitigate insider and outsider threats. Our evaluations demonstrate the efficacy of our defense.

UR - https://www.scopus.com/pages/publications/85199274156

UR - https://www.scopus.com/inward/citedby.url?scp=85199274156&partnerID=8YFLogxK

U2 - 10.1145/3634737.3659433

DO - 10.1145/3634737.3659433

M3 - Conference contribution

AN - SCOPUS:85199274156

T3 - ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security

SP - 1949

EP - 1951

BT - ACM AsiaCCS 2024 - Proceedings of the 19th ACM Asia Conference on Computer and Communications Security

PB - Association for Computing Machinery

Y2 - 1 July 2024 through 5 July 2024

ER -

POSTER: Identifying and Mitigating Vulnerabilities in LLM-Integrated Applications

Abstract

Publication series

Conference

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this