diff --git a/README.md b/README.md index 680aac9..bc5175c 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ A screencast showing how an attacker can exfiltrate the user's PII in real world ![img](docs/attack_screenshot_annotated.png) -More video demos can be found on our [website](https://imprompter.ai). +More video demos can be found on our [website](https://imprompter.ai). **Meanwhile, big thanks to Matt Burges from WIRED and Simon Willison for writing cool stories ([WIRED](https://www.wired.com/story/ai-imprompter-malware-llm/), [Simon's Blog](https://simonwillison.net/2024/Oct/22/imprompter/)) covering this project!** ## Setup diff --git a/docs/index.md b/docs/index.md index 3515693..dce0ea7 100644 --- a/docs/index.md +++ b/docs/index.md @@ -5,11 +5,12 @@ hide:

+ ## Overview Large Language Model (LLM) Agents are an emerging computing paradigm that blends generative machine learning with tools such as code interpreters, web browsing, email, and more generally, external resources. These agent-based systems represent an emerging shift in personal computing. We contribute to the security foundations of agent-based systems and surface a new class of automatically computed obfuscated adversarial prompt attacks that violate the confidentiality and integrity of user resources connected to an LLM agent. We show how prompt optimization techniques can find such prompts automatically given the weights of a model. We demonstrate that such attacks transfer to production-level agents. For example, we show an information exfiltration attack on Mistral's LeChat agent that analyzes a user's conversation, picks out personally identifiable information, and formats it into a valid markdown command that results in leaking that data to the attacker's server. This attack shows a nearly 80% success rate in an end-to-end evaluation. We conduct a range of experiments to characterize the efficacy of these attacks and find that they reliably work on emerging agent-based systems like Mistral's LeChat, ChatGLM, and Meta's Llama. These attacks are multimodal, and we show variants in the text-only and image domains. -We present various demos and textual adversarial prompts on this page. For full details, please refer to our [paper](https://arxiv.org/abs/2410.14923){target="_blank"}. +We present various demos and textual adversarial prompts on this page. For full details, please refer to our [paper](https://arxiv.org/abs/2410.14923){target="_blank"}. *Meanwhile, Matt Burges from WIRED and Simon Willison have written some cool stories ([WIRED](https://www.wired.com/story/ai-imprompter-malware-llm/), [Simon's Blog](https://simonwillison.net/2024/Oct/22/imprompter/)) covering this project. Good resources for lighter reading if you are not in the mood for a 13-page paper!* ## Video Demo on Real Products