Searching for Privacy Risks in LLM Agents via Simulation

The widespread deployment of LLM-based agents is likely to introduce a critical privacy threat: malicious agents that proactively engage others in multi-turn interactions to extract sensitive information. However, the evolving nature of such dynamic dialogues makes it challenging to anticipate emerging vulnerabilities and design effective defenses. To tackle this problem, we present a search-based framework that alternates between improving attack and defense strategies through the simulation of privacy-critical agent interactions. Specifically, we employ LLMs as optimizers to analyze simulation trajectories and iteratively propose new agent instructions. To explore the strategy space more efficiently, we further utilize parallel search with multiple threads and cross-thread propagation. Through this process, we find that attack strategies escalate from direct requests to sophisticated tactics, such as impersonation and consent forgery, while defenses evolve from simple rule-based constraints to robust identity-verification state machines. The discovered attacks and defenses transfer across diverse scenarios and backbone models, demonstrating strong practical utility for building privacy-aware agents.

Key Contributions

Search-based simulation framework that alternates between optimizing attack and defense instructions for LLM agent-agent privacy interactions using LLMs as optimizers
Parallel multi-thread search with cross-thread propagation that discovers escalating attack strategies (impersonation, consent forgery) and robust defenses (identity-verification state machines)
Demonstrated transferability of discovered attacks and defenses across diverse privacy scenarios and backbone LLM models