Genesis: Evolving Attack Strategies for LLM Web Agent Red-Teaming
Summary: arXiv:2510.18314v2 Announce Type: replace
As large language model (LLM) agents increasingly automate complex web tasks, they boost productivity while simultaneously introducing new security risks. However, relevant studies on web agent attacks remain limited. Existing red-teaming approaches mainly rely on manually crafted attack strategies or static models trained offline. Such methods fail to capture the underlying behavioral patterns of web agents, making it difficult to generalize across diverse environments.
In web agent attacks, success requires the continuous discovery and evolution of attack strategies. To this end, we propose Genesis, a novel agentic framework composed of three modules: Attacker, Scorer, and Strategist.
Framework Overview
The Genesis framework is designed to enhance the effectiveness of attack strategies against LLM web agents through a dynamic and iterative process. Each module plays a critical role in this ecosystem:
- Attacker: This module generates adversarial injections by integrating a genetic algorithm with a hybrid strategy representation. This allows for the creation of diverse and unpredictable attack vectors that can adapt to the changing defenses of web agents.
- Scorer: The Scorer evaluates the responses generated by the target web agent in reaction to the attacks. It provides critical feedback that informs the Attacker about the effectiveness of different strategies and helps refine future attacks.
- Strategist: The Strategist dynamically uncovers effective strategies from interaction logs. It compiles these strategies into a continuously growing library, which is then used to enhance the Attacker’s capabilities, ensuring that the framework evolves over time.
Methodology
Genesis employs a unique methodology that focuses on the iterative improvement of attack strategies. The integration of a genetic algorithm allows for the combination and mutation of different attack techniques, leading to the emergence of novel strategies. This approach not only enhances the adaptability of the Attacker but also ensures that the framework can respond effectively to new challenges posed by LLM web agents.
Experimental Results
Extensive experiments conducted across various web tasks demonstrate the efficacy of the Genesis framework. The results indicate that Genesis consistently outperforms existing attack baselines, discovering novel strategies that significantly increase the success rate of attacks. The continuous feedback loop between the Scorer and the Attacker allows for rapid adaptation and improvement, setting Genesis apart from traditional red-teaming methods.
Conclusion
The Genesis framework represents a significant advancement in the field of web agent red-teaming. By focusing on the continuous evolution of attack strategies, it addresses the limitations of existing approaches and provides a robust solution for navigating the complexities of LLM agent security. Our code is available for public use at GitHub, encouraging further research and development in this critical area.