Network-Level Prompt and Trait Leakage in Local Research Agents
Hyejun Jeong, Mohammadreza Teymoorianfard, Abhinav Kumar, Amir Houmansadr, Eugene Bagdasarian
Published on arXiv
2508.20282
Sensitive Information Disclosure
OWASP LLM Top 10 — LLM06
Key Finding
A passive network observer recovers over 73% of the functional and domain knowledge of user prompts and up to 19 of 32 latent user traits using only the sequence of visited domains and timing metadata from LLM research agents.
OBELS
Novel technique introduced
We show that Web and Research Agents (WRAs), language-model-based systems that investigate complex topics on the Internet, are vulnerable to inference attacks by passive network observers. Deploying WRAs *locally*, as organizations and individuals do for privacy, legal, or financial reasons, exposes their traffic to DNS resolvers, malicious ISPs, VPNs, web proxies, and corporate or government firewalls. Unlike the sporadic and sparse web browsing of humans, however, WRAs visit 70-140 domains per request with a distinct timing pattern, creating unique privacy risks. Specifically, we demonstrate a novel prompt and user trait leakage attack against WRAs that leverages only their network-level metadata (i.e., visited IP addresses and their timings). We start by building a new dataset of WRA traces based on real user search queries and queries generated by synthetic personas. We define a behavioral metric (called OBELS) to comprehensively assess the similarity between original and inferred prompts, showing that our attack recovers over 73% of the functional and domain knowledge of user prompts. Extending to a multi-session setting, we recover up to 19 of 32 latent traits with high accuracy. Our attack remains effective under partial observability and noisy conditions. Finally, we discuss mitigation strategies that constrain domain diversity or obfuscate traces, showing negligible utility impact while reducing attack effectiveness by an average of 29%.
Key Contributions
- Novel network-level inference attack on WRAs that reconstructs user prompts from domain visit metadata (IP addresses and timings) with 73%+ functional fidelity
- New dataset of WRA traces and the OBELS behavioral metric for comprehensively evaluating prompt reconstruction quality
- Multi-session trait inference recovering up to 19 of 32 latent user traits, plus analysis of mitigations that reduce attack effectiveness by 29% with negligible utility loss