LLM agent safety, multi-turn red-teaming, jailbreak benchmarks, adversarial robustness, safety-critical systems

📄 arXiv: 2606.20408v1 📥 PDF

作者: Hanwool Lee, Dasol Choi, Bokyeong Kim, Seung Geun Kim, Haon Park

分类: cs.CR, cs.AI

发布日期: 2026-06-18


💡 一句话要点

提出NRT-Bench以评估LLM代理在安全关键系统中的鲁棒性

🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)

关键词: 大型语言模型 安全关键系统 对抗攻击 多轮红队测试 鲁棒性评估 核电厂模拟 模型脆弱性

📋 核心要点

  1. 现有方法未能充分评估LLM代理在安全关键系统中的鲁棒性,尤其是在面对适应性对抗攻击时。
  2. 论文提出NRT-Bench基准,通过模拟核电厂控制室,评估LLM代理在多轮红队测试中的表现。
  3. 实验结果显示,适应性多轮攻击使得操作员团队在8.7%到12.1%的攻击会话中失去关键安全功能,且模型间脆弱性几乎不重叠。

📝 摘要(中文)

大型语言模型(LLM)代理越来越多地被提议作为安全关键系统的监督组件,但在持续的适应性对抗压力下,它们的鲁棒性仍然缺乏充分的表征。本文提出了NRT-Bench,这是一个针对LLM代理在安全关键系统中作为操作员的多轮红队测试基准,模拟了核电厂控制室的场景。通过评估四种前沿操作员模型,发现适应性多轮攻击可靠地将操作员团队推过安全极限,且不同模型的脆弱性几乎不重叠。我们发布了模拟环境、攻击数据集和重放工具,以便对LLM代理进行可重复的安全评估。

🔬 方法详解

问题定义:本文旨在解决LLM代理在安全关键系统中面对适应性对抗攻击时的鲁棒性评估问题。现有方法未能充分表征其在持续攻击下的表现,导致安全隐患。

核心思路:通过构建NRT-Bench基准,模拟核电厂控制室的多轮红队测试,评估LLM代理的适应性和鲁棒性。设计上强调了攻击者与操作员之间的交互,确保测试的真实性和有效性。

技术框架:整体架构包括五个角色的操作员团队,每个角色由可配置的LLM支持,控制六个关键安全功能(CSFs)。攻击者通过四个通道在有限的多轮会话中注入消息,操作员根据反馈进行响应。

关键创新:最重要的创新在于提出了NRT-Bench基准,能够系统性地评估LLM代理在面对适应性攻击时的表现,且通过多轮交互测试揭示了模型间的脆弱性差异。

关键设计:在实验中,采用固定攻击配对重放协议,评估四种前沿操作员模型的表现。攻击成功率和模型防御效果的评估是基于每轮反馈的动态调整,确保了测试的全面性和准确性。

🖼️ 关键图片

fig_0

📊 实验亮点

实验结果表明,适应性多轮攻击使得操作员团队在8.7%到12.1%的攻击会话中失去关键安全功能。尽管四种模型在整体鲁棒性上看似相似,但它们的失败案例几乎没有重叠,显示出模型间的脆弱性差异。

🎯 应用场景

该研究的潜在应用领域包括核电厂、航空航天、医疗等安全关键系统,能够为这些领域中的LLM代理提供安全性评估和优化方案。未来,NRT-Bench可作为评估LLM在其他复杂环境中的鲁棒性的重要工具,推动安全关键系统的智能化发展。

📄 摘要(原文)

Large language model (LLM) agents are increasingly proposed as supervisory components for safety-critical systems, yet their robustness under sustained, adaptive adversarial pressure remains poorly characterized. We present NRT-Bench, a benchmark for multi-turn red-teaming of LLM agents acting as operators of a safety-critical system, instantiated in a simulated nuclear power plant control room. A five-role operator team, each backed by a configurable LLM, runs a plant governed by six critical safety functions (CSFs), while adversaries inject messages over four channels in bounded multi-turn sessions with per-turn feedback. Harm is an objective signal rather than LLM-judged text: a run terminates the moment any CSF is lost, attributed to the causing message. Evaluating four frontier operator models under a fixed-attack paired-replay protocol, we find that adaptive multi-turn attacks reliably push the operator team past a safety limit: across the four models, between 8.7% and 12.1% of attack sessions end with the plant losing a critical safety function. Although the four models look almost equally robust by this aggregate rate, their failures barely overlap: of $149$ sessions, none defeat all four models while a third defeat at least one, so vulnerabilities are nearly disjoint across models rather than nested. The effect of added defences is strongly model-dependent: the same guardrail stack or safety-advisor agent that lowers attack success for one model can raise it for another. We release the simulation venue, attack dataset, and replay tooling for reproducible safety evaluation of LLM agents.