Route to Rome Attack: Directing LLM Routers to Expensive Models via Adversarial Suffix Optimization

Haochun Tang 1,2, Yuliang Yan 2, Jiahua Lu 1,2, Huaxiao Liu 1, Enyan Dai 2

0 citations · ACL 2026 Main Conference

Published on arXiv

2604.15022

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

Significantly increases routing rate to expensive high-capability models in black-box scenarios without white-box access or heuristic prompts

R2A

Novel technique introduced


Cost-aware routing dynamically dispatches user queries to models of varying capability to balance performance and inference cost. However, the routing strategy introduces a new security concern: adversaries may manipulate the router to consistently select expensive high-capability models. Existing routing attacks depend on either white-box access or heuristic prompts, rendering them ineffective in real-world black-box scenarios. In this work, we propose R$^2$A, which aims to mislead black-box LLM routers to expensive models via adversarial suffix optimization. Specifically, R$^2$A deploys a hybrid ensemble surrogate router to mimic the black-box router. A suffix optimization algorithm is further adapted for the ensemble-based surrogate. Extensive experiments on multiple open-source and commercial routing systems demonstrate that R$^2$A significantly increases the routing rate to expensive models on queries of different distributions. Code and examples: https://github.com/thcxiker/R2A-Attack.


Key Contributions

  • Black-box routing attack using hybrid ensemble surrogate routers to mimic target routing behavior
  • Adversarial suffix optimization algorithm adapted for ensemble-based surrogate models
  • Demonstrates significant increase in routing to expensive models across multiple open-source and commercial routing systems

🛡️ Threat Analysis

Input Manipulation Attack

Uses gradient-based adversarial suffix optimization to craft inputs that manipulate router behavior at inference time; this is an evasion attack via input perturbation.


Details

Domains: nlp
Model Types: llm, transformer
Threat Tags: black_box, inference_time, targeted, digital
Applications: llm routing systems, cost-aware model selection