AutoSpec: Safety Rule Evolution for LLM Agents via Inductive Logic Programming

📄 arXiv: 2606.24245v1 📥 PDF

作者: Pingchuan Ma, Zhaoyu Wang, Zimo Ji, Yuguang Zhou, Zhantong Xue, Zongjie Li, Shuai Wang, Xiaoqin Zhang

分类: cs.SE, cs.AI, cs.CR

发布日期: 2026-06-23


💡 一句话要点

提出AutoSpec框架以解决LLM代理的安全规则演化问题

🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)

关键词: 安全规则演化 大型语言模型 归纳逻辑编程 反例引导合成 自动化系统 智能代理 可解释性

📋 核心要点

  1. 现有的安全方法在可解释性与灵活性之间存在权衡,导致高假阳性和假阴性率。
  2. AutoSpec框架通过反例引导的归纳合成和归纳逻辑编程自动演化安全规则,提升规则的准确性与可解释性。
  3. 在291个执行轨迹的实验中,AutoSpec将规则F1值提高至0.98和0.93,假阳性减少率高达94%。

📝 摘要(中文)

大型语言模型(LLM)代理通过与外部工具和环境的集成,越来越多地自动化复杂任务。然而,它们的自主性带来了显著的安全风险:代理可能执行破坏性命令、泄露敏感数据或违反领域约束。现有的安全方法面临基本的权衡:手工规则可解释但脆弱,过于保守的规则会阻止安全操作(高假阳性),而宽松的规则则可能遗漏不安全行为(高假阴性)。本文提出了AutoSpec框架,通过用户的安全/不安全注释,利用反例引导的归纳合成(CEGIS)和归纳逻辑编程(ILP)自动演化已部署的专家设计安全规则。AutoSpec在291个执行轨迹上进行评估,显著提高了规则F1值,并实现了假阳性减少和高召回率。

🔬 方法详解

问题定义:本文旨在解决大型语言模型代理在执行任务时的安全性问题,现有方法的痛点在于手工规则的脆弱性和神经分类器的可解释性不足,导致高假阳性和假阴性率。

核心思路:AutoSpec框架的核心思路是通过用户的安全与不安全注释,利用反例引导的归纳合成(CEGIS)和归纳逻辑编程(ILP)自动演化安全规则,从而提高规则的准确性和可解释性。

技术框架:AutoSpec的整体架构包括多个模块:首先从专家规则和注释轨迹开始,迭代评估规则,挖掘假阳性和假阴性反例,使用ILP学习区分这些反例的谓词,生成候选规则编辑,并验证候选以选择最佳修订。

关键创新:最重要的技术创新在于ILP的高效性,它能够识别在假阴性中频繁出现而在假阳性中罕见的谓词,从而显著减少规则编辑的指数搜索空间。

关键设计:在设计中,AutoSpec通过迭代过程不断优化规则,直到收敛,确保生成的规则既可解释又能在未见场景中泛化。

🖼️ 关键图片

fig_0
fig_1
fig_2

📊 实验亮点

实验结果显示,AutoSpec在291个执行轨迹上将规则F1值提升至0.98和0.93,实现了高达94%的假阳性减少,同时保持高召回率。与启发式CEGIS相比,ILP引导的方法在F1值上提高了4.8倍,显示出显著的性能优势。

🎯 应用场景

该研究的潜在应用领域包括自动化系统、机器人代理和智能助手等,能够有效提升这些系统在执行复杂任务时的安全性和可靠性。未来,AutoSpec框架有望在更多安全关键的应用场景中得到推广,促进智能系统的安全发展。

📄 摘要(原文)

Large language model (LLM) agents increasingly automate complex tasks by integrating language models with external tools and environments. However, their autonomy poses significant safety risks: agents may execute destructive commands, leak sensitive data, or violate domain constraints. Existing safety approaches face a fundamental tradeoff: hand-crafted rules are interpretable but brittle, with overly conservative rules blocking safe operations (high false positives) while permissive rules miss unsafe behaviors (high false negatives). Neural classifiers lack the interpretability required for safety-critical deployments. We present AutoSpec, a framework that automatically evolves deployed expert-designed safety rules from user safe/unsafe annotations through counterexample-guided inductive synthesis (CEGIS) guided by inductive logic programming (ILP). Starting from the expert rules and a stream of annotated traces, AutoSpec iteratively evaluates rules, mines false-positive and false-negative counterexamples, uses ILP to learn which predicates discriminate them, generates candidate rule edits, and verifies candidates to select the best revision. The key insight is that ILP efficiently identifies predicates that appear frequently in false negatives but rarely in false positives (or vice versa), dramatically pruning the exponential search space of rule edits. This continues until convergence, producing interpretable rules that balance precision and recall. We evaluate AutoSpec on 291 execution traces spanning code execution and embodied agent domains. AutoSpec raises rule F1 to 0.98 and 0.93 across the two domains, achieving up to 94% false positive reduction while maintaining high recall, and converges within 4-5 iterations. The ILP-guided approach achieves up to 4.8x higher F1 than heuristic CEGIS. The learned rules are human-readable, auditable, and generalize to unseen scenarios.