Agentic llms are equipped with ‘agency’, the capability to autonomously take action, which can range from invoking auxiliary custom tools, scripts or modules, directly accessing databases, communicating with external web services, to even participating in multi-agent, long-running business processes. This agentic capability significantly increases the attack surface and risk exposure: user interactions are no longer confined to a single conversation or session, and the execution of agentic code incurs additional security and privacy threats. This paper first presents a structured threat model for agentic llm applications consisting of 159 threats. This threat model is based on the systematic application of both stride and linddun. We contextualize the threat analysis results in three emerging threat taxonomy efforts, among which the owasp threat model for Agentic AI and the threat model for the Model Context Protocol (mcp). Secondly, we present a novel and extensible test framework designed to experimentally verify the identified threats through 7 concrete test cases, each anchored to specific threats. We report on experimental findings obtained over 5 different llms. Through demonstrating the vulnerability of current llms to the identified threats, this work highlights real-world risks that can in part be attributed to the rapid roll-out of agentic AI technology, underscoring yet again the importance of proper security and privacy by design efforts.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Threat Model-Driven Test Framework for Security and Privacy of Agentic LLM Applications

  • Mario Raciti,
  • Giampaolo Bella,
  • Dimitri Van Landuyt

摘要

Agentic llms are equipped with ‘agency’, the capability to autonomously take action, which can range from invoking auxiliary custom tools, scripts or modules, directly accessing databases, communicating with external web services, to even participating in multi-agent, long-running business processes. This agentic capability significantly increases the attack surface and risk exposure: user interactions are no longer confined to a single conversation or session, and the execution of agentic code incurs additional security and privacy threats. This paper first presents a structured threat model for agentic llm applications consisting of 159 threats. This threat model is based on the systematic application of both stride and linddun. We contextualize the threat analysis results in three emerging threat taxonomy efforts, among which the owasp threat model for Agentic AI and the threat model for the Model Context Protocol (mcp). Secondly, we present a novel and extensible test framework designed to experimentally verify the identified threats through 7 concrete test cases, each anchored to specific threats. We report on experimental findings obtained over 5 different llms. Through demonstrating the vulnerability of current llms to the identified threats, this work highlights real-world risks that can in part be attributed to the rapid roll-out of agentic AI technology, underscoring yet again the importance of proper security and privacy by design efforts.