

AdInject: Real-World Black-Box Attacks on Web Agents via Advertising Delivery

May 27, 2025
Authors: Haowei Wang, Junjie Wang, Xiaojun Jia, Rupeng Zhang, Mingyang Li, Zhe Liu, Yang Liu, Qing Wang
cs.AI

Abstract

Vision-Language Model (VLM) based Web Agents represent a significant step towards automating complex tasks by simulating human-like interaction with websites. However, their deployment in uncontrolled web environments introduces significant security vulnerabilities. Existing research on adversarial environmental injection attacks often relies on unrealistic assumptions, such as direct HTML manipulation, knowledge of user intent, or access to agent model parameters, limiting their practical applicability. In this paper, we propose AdInject, a novel and real-world black-box attack method that leverages internet advertising delivery to inject malicious content into the Web Agent's environment. AdInject operates under a significantly more realistic threat model than prior work, assuming a black-box agent, static malicious content constraints, and no specific knowledge of user intent. AdInject includes strategies for designing malicious ad content aimed at misleading agents into clicking, and a VLM-based ad content optimization technique that infers potential user intents from the target website's context and integrates these intents into the ad content to make it appear more relevant or critical to the agent's task, thus enhancing attack effectiveness. Experimental evaluations demonstrate the effectiveness of AdInject, with attack success rates exceeding 60% in most scenarios and approaching 100% in certain cases. This strongly demonstrates that prevalent advertising delivery constitutes a potent and real-world vector for environment injection attacks against Web Agents. This work highlights a critical vulnerability in Web Agent security arising from real-world environment manipulation channels, underscoring the urgent need for developing robust defense mechanisms against such threats. Our code is available at https://github.com/NicerWang/AdInject.

