MEMSAD Defense Against Memory Poisoning in LLM Agents

Researchers have conceptualized memory poisoning attacks on retrieval-augmented LLM agents within the framework of a Stackelberg game, presenting a comprehensive evaluation system that spans three categories of attacks with increasing access assumptions. Addressing an inconsistency found in Chen et al. (2024), a more accurate evaluation reveals a fourfold increase in attack success rates (ASR-R from 0.25 to 1.00). Their key innovation, MEMSAD (Semantic Anomaly Detection), is a defense mechanism based on calibration and a gradient coupling theorem: when encoder regularity is maintained, the gradients of the anomaly score and retrieval objectives align, ensuring that any continuous perturbation that lowers detection risk also diminishes retrieval rank. This relationship provides a certified detection radius guarantee, emphasizing the need to explore persistent external memory as a security concern for LLM agents.