Who Pays the Price? Stakeholder-Centric Prompt Injection Benchmarking for Real-world Web Agents
作者: Zihao Wang, Yiming Li, Yutong Wu, Zheyu Liu, Kangjie Chen, Fok Kar Wai, Pin-Yu Chen, Vrizlynn L. L. Thing, Bo Li, Dacheng Tao, Tianwei Zhang
分类: cs.CR, cs.AI, cs.CY, cs.HC, cs.MM
发布日期: 2026-06-11
备注: 32 pages
🔗 代码/项目: GITHUB
💡 一句话要点
提出以利益相关者为中心的基准测试以解决网络代理的安全问题
🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)
关键词: 提示注入攻击 网络安全 利益相关者评估 大型语言模型 安全基准测试
📋 核心要点
- 现有的安全基准测试主要集中在攻击的技术可行性,忽视了不同利益相关者所承受的伤害差异。
- 本文提出了一个以利益相关者为中心的基准测试框架,系统地分类和评估网络代理系统中的伤害。
- 实验结果显示,当前代理对提示注入攻击的抵抗能力普遍不足,且失败模式多样,需进行利益相关者意识的评估。
📝 摘要(中文)
随着大型语言模型驱动的网络代理在现实环境中的广泛应用,它们面临着来自不可信网络内容的提示注入攻击。这些攻击通过看似无害的内容嵌入对代理行为的操控指令,导致不同利益相关者受到不对称的影响。现有的安全基准主要关注攻击的技术可行性,而忽视了由此产生的伤害分布。为此,本文提出了一个以利益相关者为中心的基准测试框架,系统地分类和归因于现实网络代理系统中的伤害,揭示了当前代理在面对提示注入攻击时的脆弱性和多样性。
🔬 方法详解
问题定义:本文旨在解决现有安全基准测试未能考虑不同利益相关者在提示注入攻击中的脆弱性和伤害分布的问题。现有方法主要关注攻击的技术可行性,缺乏对受害者的深入分析。
核心思路:提出以利益相关者为中心的基准测试框架,系统地分类和归因于不同利益相关者所受的伤害,评估攻击的具体目标及其效果。
技术框架:该框架包括受影响实体的识别(如用户、卖家、平台),攻击目标的分解,以及使用补充的结果和过程级别指标进行评估。
关键创新:最重要的创新在于引入了利益相关者视角的评估方法,能够揭示不同攻击模式对各方的影响,填补了传统评估的空白。
关键设计:在评估过程中,采用了多种指标来衡量攻击的效果,包括攻击成功率、任务完整性等,确保对每种攻击模式的全面分析。通过这种设计,能够更好地理解和应对提示注入攻击的复杂性。
🖼️ 关键图片
📊 实验亮点
实验结果表明,当前的网络代理对提示注入攻击的抵抗能力普遍不足,且没有单一攻击目标能够被可靠抵御。攻击失败的模式多样,包括隐秘寄生、失调干扰和复合失败等,显示出传统评估方法的局限性。
🎯 应用场景
该研究的潜在应用领域包括网络安全、人工智能伦理和大型语言模型的安全评估。通过提供更全面的评估框架,能够帮助开发者和研究者在设计和部署网络代理时,考虑不同利益相关者的安全需求,从而提高系统的鲁棒性和安全性。
📄 摘要(原文)
Web agents driven by large language models (LLMs) are increasingly deployed in real-world environments, where they operate over untrusted web content and execute actions with direct consequences. This makes them vulnerable to prompt-injection attacks, in which seemingly benign content embeds adversarial instructions that manipulate agent behaviour. Existing security benchmarks adopt an \textit{attack-centric} perspective, focusing on the technical feasibility of injections while overlooking the nuanced distribution of resulting harms. In practice, however, prompt-injection risk is victim-dependent: a single exploit can produce asymmetric consequences for different stakeholders, and the same attack pattern may exhibit substantially different effectiveness depending on whom it targets. To capture these properties, we introduce \textbf{\sysname}, a \textit{stakeholder-centric} benchmark to systematically categorize and attribute harm in real-world web agent systems. It distinguishes between affected entities (e.g., user, seller, platform), decomposes the attacks into concrete objectives, and evaluates each case with complementary outcome- and process-level metrics. Our results reveal substantial and heterogeneous vulnerabilities: not a single attack objective is reliably resisted by current agents, and failures distribute across qualitatively distinct modes ranging from \emph{stealthy parasitism} (attack succeeds without disrupting the user's delegated task) to \emph{misaligned disruption} (task disrupted without attack success) and \emph{compounded failure} (both adversarial objective and task integrity simultaneously violated). These patterns are missed by conventional evaluation, highlighting the need for stakeholder-aware assessment of LLM-based agents in real-world deployments. Benchmark is available at https://github.com/StakeBench/SBC.