Daily Arxiv

This is a page that curates AI-related papers published worldwide.
All content here is summarized using Google Gemini and operated on a non-profit basis.
Copyright for each paper belongs to the authors and their institutions; please make sure to credit the source when sharing.

EnvInjection: Environmental Prompt Injection Attack to Multi-modal Web Agents

Created by
  • Haebom

Author

Xilong Wang, John Bloch, Zedian Shao, Yuepeng Hu, Shuyan Zhou, Neil Zhenqiang Gong

Outline

This paper proposes an environmental prompt injection attack (EnvInjection) against web agents built on multimodal large language models (MLLMs) that interact with webpage environments. Existing attacks are limited in effectiveness and stealth and are impractical in real-world environments; to address this, the authors present an attack that perturbs the raw pixel values of the rendered webpage so that, once those pixels are mapped into the screenshot the agent sees, the web agent is induced to perform a specific action (the target action) chosen by the attacker. Because the mapping from raw pixel values to the screenshot is non-differentiable, the authors train a neural network that approximates this mapping and then apply projected gradient descent through the approximation to solve the optimization problem. Extensive evaluation on diverse webpage datasets shows that EnvInjection outperforms existing baselines.

Takeaways, Limitations

Takeaways:
  • Presents a novel technique for effectively attacking vulnerabilities in MLLM-based web agents.
  • Addresses the effectiveness and stealth limitations of existing attacks.
  • Increases applicability to real-world environments.
  • Demonstrates the effectiveness of approximating the pixel-to-screenshot mapping with a neural network and optimizing through it.
Limitations:
  • Possible dependence on the specific web pages and web agents evaluated.
  • The complexity of training the approximating neural network and of the optimization process.
  • Further research is needed to determine how well the attack success rates and effects generalize.
  • Further validation of stability and robustness in real-world web environments is needed.