Where Do LLM-based Systems Break? A System-Level Security Framework for Risk Assessment and Treatment
This work provides a structured, comparable security analysis framework for developers and security professionals building and deploying LLM-powered systems in safety-critical workflows, addressing the current fragmented security analyses.
This paper introduces a risk assessment framework for LLM-powered systems, combining system modeling with Attack-Defense Trees and CVSS-based exploitability scoring. The framework was demonstrated in a healthcare case study, identifying dominant attack paths and shared system choke points, which allows for targeted defenses to reduce exploitability.
Large Language Models (LLMs) are increasingly integrated into safety-critical workflows, yet existing security analyses remain fragmented and often isolate model behavior from the broader system context. This work introduces a goal-driven risk assessment framework for LLM-powered systems that combines system modeling with Attack-Defense Trees (ADTrees) and Common Vulnerability Scoring System (CVSS)-based exploitability scoring to support structured, comparable analysis. We demonstrate the framework through a healthcare case study, modeling multi-step attack paths targeting intervention in medical procedures, leakage of electronic health record (EHR) data, and disruption of service availability. Our analysis indicates that threats spanning (i) conventional cyber, (ii) adversarial ML, and (iii) conversational attacks that manipulate prompts or context often consolidate into a small number of dominant paths and shared system choke points, enabling targeted defenses to yield meaningful reductions in path exploitability. By systematically comparing defense portfolios, we align these risks with established vulnerability management practices and provide a domain-agnostic workflow applicable to other LLM-enabled critical systems.