Who Pays the Price? Stakeholder-Centric Prompt Injection Benchmarking for Real-world Web Agents
作者: Zihao Wang, Yiming Li, Yutong Wu, Zheyu Liu, Kangjie Chen, Fok Kar Wai, Pin-Yu Chen, Vrizlynn L. L. Thing, Bo Li, Dacheng Tao, Tianwei Zhang
分类: cs.CR, cs.AI, cs.CY, cs.HC, cs.MM
发布日期: 2026-06-12
💡 一句话要点
提出以利益相关者为中心的基准以解决提示注入攻击问题
🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)
关键词: 提示注入攻击 网络代理 利益相关者 安全基准 脆弱性评估 大型语言模型 风险管理
📋 核心要点
- 现有的安全基准主要集中在攻击的技术可行性上,忽视了不同利益相关者所承受的伤害差异。
- 本文提出了一个以利益相关者为中心的基准,旨在系统地分类和评估网络代理系统中的伤害。
- 实验结果显示,当前代理对攻击目标的抵御能力普遍不足,且失败模式多样,亟需更全面的评估方法。
📝 摘要(中文)
随着大型语言模型驱动的网络代理在现实环境中的广泛应用,它们面临着提示注入攻击的风险。这种攻击通过看似无害的内容嵌入对代理行为的操控指令,导致不同利益相关者遭受不对称的后果。现有的安全基准主要关注攻击的技术可行性,而忽视了由此产生的伤害分布。为此,本文提出了一个以利益相关者为中心的基准,系统地分类和归因于现实世界网络代理系统中的伤害,揭示了当前代理在抵御攻击方面的显著脆弱性。
🔬 方法详解
问题定义:本文旨在解决现有网络代理在面对提示注入攻击时的评估不足,尤其是不同利益相关者所遭受的伤害未被充分考虑。现有方法往往只关注攻击的技术可行性,未能揭示攻击对不同目标的影响差异。
核心思路:提出以利益相关者为中心的基准,通过区分受影响的实体(如用户、卖家、平台)来系统地分类和归因于伤害,进而评估每种情况的结果和过程指标。
技术框架:该基准包括多个模块,首先识别受影响的利益相关者,然后将攻击分解为具体目标,最后使用互补的结果和过程指标进行评估。
关键创新:最重要的创新在于引入了利益相关者视角的评估方法,能够揭示不同攻击模式对各个利益相关者的影响,超越了传统的攻击中心评估方式。
关键设计:在评估过程中,设计了多种结果和过程指标,以捕捉攻击的不同效果,具体包括隐蔽性寄生、失调干扰和复合失败等模式,这些设计使得评估更加全面和细致。
🖼️ 关键图片
📊 实验亮点
实验结果表明,当前的网络代理对提示注入攻击的抵御能力普遍不足,且没有任何攻击目标能够被可靠地抵御。失败模式多样,包括隐蔽性寄生和失调干扰等,显示出对不同利益相关者的影响差异,强调了利益相关者意识评估的重要性。
🎯 应用场景
该研究的潜在应用领域包括网络安全、智能代理系统以及在线平台的风险管理。通过提供更全面的评估方法,可以帮助开发者和平台运营者更好地理解和应对提示注入攻击,从而提升系统的安全性和可靠性。
📄 摘要(原文)
Web agents driven by large language models (LLMs) are increasingly deployed in real-world environments, where they operate over untrusted web content and execute actions with direct consequences. This makes them vulnerable to prompt-injection attacks, in which seemingly benign content embeds adversarial instructions that manipulate agent behaviour. Existing security benchmarks adopt an \textit{attack-centric} perspective, focusing on the technical feasibility of injections while overlooking the nuanced distribution of resulting harms. In practice, however, prompt-injection risk is victim-dependent: a single exploit can produce asymmetric consequences for different stakeholders, and the same attack pattern may exhibit substantially different effectiveness depending on whom it targets. To capture these properties, we introduce \textbf{\sysname}, a \textit{stakeholder-centric} benchmark to systematically categorize and attribute harm in real-world web agent systems. It distinguishes between affected entities (e.g., user, seller, platform), decomposes the attacks into concrete objectives, and evaluates each case with complementary outcome- and process-level metrics. Our results reveal substantial and heterogeneous vulnerabilities: not a single attack objective is reliably resisted by current agents, and failures distribute across qualitatively distinct modes ranging from \emph{stealthy parasitism} (attack succeeds without disrupting the user's delegated task) to \emph{misaligned disruption} (task disrupted without attack success) and \emph{compounded failure} (both adversarial objective and task integrity simultaneously violated). These patterns are missed by conventional evaluation, highlighting the need for stakeholder-aware assessment of LLM-based agents in real-world deployments. Benchmark is available atthis https URL.