ML Security PapersHoneyTrap: Deceiving Large Language Model Attackers to Honeypot Traps with Resilient Multi-Agent Defense
Siyuan Li 1, Xi Lin 1, Jun Wu 1, Zehao Liu 1, Haoyu Li 2, Tianjie Ju 1, Xiang Chen 3, Jianhua Li 1
Published on arXiv
2601.04034
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
HoneyTrap reduces jailbreak attack success rates by an average of 68.77% over state-of-the-art baselines across GPT-4, GPT-3.5-turbo, Gemini-1.5-pro, and LLaMA-3.1, while improving attacker misleading rate and resource consumption by 118.11% and 149.16% respectively.
HoneyTrap
Novel technique introduced
Jailbreak attacks pose significant threats to large language models (LLMs), enabling attackers to bypass safeguards. However, existing reactive defense approaches struggle to keep up with the rapidly evolving multi-turn jailbreaks, where attackers continuously deepen their attacks to exploit vulnerabilities. To address this critical challenge, we propose HoneyTrap, a novel deceptive LLM defense framework leveraging collaborative defenders to counter jailbreak attacks. It integrates four defensive agents, Threat Interceptor, Misdirection Controller, Forensic Tracker, and System Harmonizer, each performing a specialized security role and collaborating to complete a deceptive defense. To ensure a comprehensive evaluation, we introduce MTJ-Pro, a challenging multi-turn progressive jailbreak dataset that combines seven advanced jailbreak strategies designed to gradually deepen attack strategies across multi-turn attacks. Besides, we present two novel metrics: Mislead Success Rate (MSR) and Attack Resource Consumption (ARC), which provide more nuanced assessments of deceptive defense beyond conventional measures. Experimental results on GPT-4, GPT-3.5-turbo, Gemini-1.5-pro, and LLaMa-3.1 demonstrate that HoneyTrap achieves an average reduction of 68.77% in attack success rates compared to state-of-the-art baselines. Notably, even in a dedicated adaptive attacker setting with intensified conditions, HoneyTrap remains resilient, leveraging deceptive engagement to prolong interactions, significantly increasing the time and computational costs required for successful exploitation. Unlike simple rejection, HoneyTrap strategically wastes attacker resources without impacting benign queries, improving MSR and ARC by 118.11% and 149.16%, respectively.
Key Contributions
- HoneyTrap: a multi-agent deceptive defense framework with four specialized agents (Threat Interceptor, Misdirection Controller, Forensic Tracker, System Harmonizer) that lures jailbreak attackers into honeypot traps instead of simply rejecting them
- MTJ-Pro: a multi-turn progressive jailbreak dataset combining seven advanced jailbreak strategies designed to gradually escalate attack depth across conversation turns
- Two novel evaluation metrics — Mislead Success Rate (MSR) and Attack Resource Consumption (ARC) — providing nuanced assessment of deceptive defenses beyond conventional attack success rate