attack 2026

Stop Fixating on Prompts: Reasoning Hijacking and Constraint Tightening for Red-Teaming LLM Agents

Yanxu Mao 1, Peipei Liu 2,3, Tiehan Cui 1, Congying Liu 3, Mingzhe Xing 4, Datao You 1

Published on arXiv

2604.05549

Prompt Injection

OWASP LLM Top 10 — LLM01

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Demonstrates outstanding cross-model and cross-scenario jailbreak performance by implicitly manipulating agent reasoning trajectories and memory retrieval without altering user input

JailAgent

Novel technique introduced


With the widespread application of LLM-based agents across various domains, their complexity has introduced new security threats. Existing red-team methods mostly rely on modifying user prompts, which lack adaptability to new data and may degrade the agent's performance. To address this challenge, this paper proposes the JailAgent framework, which completely avoids modifying the user prompt. Instead, it implicitly manipulates the agent's reasoning trajectory and memory retrieval through three key stages: Trigger Extraction, Reasoning Hijacking, and Constraint Tightening. Through precise trigger identification, real-time adaptive mechanisms, and an optimized objective function, JailAgent demonstrates outstanding performance in cross-model and cross-scenario environments.


Key Contributions

  • Three-stage framework (Trigger Extraction, Reasoning Hijacking, Constraint Tightening) that jailbreaks agents without modifying user prompts
  • Rerank mechanism with real-time adaptive capability that learns trigger biases through dynamic training data synthesis
  • Multi-objective constraint function (Particularity, Clustering, Separability, Margin losses) for semantic-space trigger optimization

🛡️ Threat Analysis


Details

Domains: nlp, multimodal
Model Types: llm, transformer
Threat Tags: black_box, inference_time, targeted
Applications: llm-based agents, video content analysis agents, clinical decision support agents, intelligent question-answering systems