Chain-of-Trigger: An Agentic Backdoor that Paradoxically Enhances Agentic Robustness
This work addresses trustworthiness issues in AI agents for real-world applications, but it is incremental as it builds on existing backdoor attack concepts by extending them to multi-step control.
The paper tackles the security vulnerabilities of LLM-based agents by proposing a multi-step backdoor attack called Chain-of-Trigger (CoTri), which achieves a near-perfect attack success rate and near-zero false trigger rate while paradoxically enhancing the agent's performance on benign tasks and robustness against distractions.
The rapid deployment of large language model (LLM)-based agents in real-world applications has raised serious concerns about their trustworthiness. In this work, we reveal the security and robustness vulnerabilities of these agents through backdoor attacks. Distinct from traditional backdoors limited to single-step control, we propose the Chain-of-Trigger Backdoor (CoTri), a multi-step backdoor attack designed for long-horizon agentic control. CoTri relies on an ordered sequence. It starts with an initial trigger, and subsequent ones are drawn from the environment, allowing multi-step manipulation that diverts the agent from its intended task. Experimental results show that CoTri achieves a near-perfect attack success rate (ASR) while maintaining a near-zero false trigger rate (FTR). Due to training data modeling the stochastic nature of the environment, the implantation of CoTri paradoxically enhances the agent's performance on benign tasks and even improves its robustness against environmental distractions. We further validate CoTri on vision-language models (VLMs), confirming its scalability to multimodal agents. Our work highlights that CoTri achieves stable, multi-step control within agents, improving their inherent robustness and task capabilities, which ultimately makes the attack more stealthy and raises potential safty risks.