Evaluation, Analysis and Design of Adversarial Attacks Against LLM Agents

Víctor Loureiro Sancho. (2026). Evaluation, Analysis and Design of Adversarial Attacks Against LLM Agents. Trabajo Fin de Titulación (TFM). Universidad Politécnica de Madrid, ETSI Telecomunicación.

Abstract:
This Master’s Thesis stems from a personal interest in studying the ability of adversarial attacks to alter the behaviour of machine learning systems and focuses on LLMs, with the aim of analysing both their capacity to act as detectors of adversarial attacks and their own limitations when faced with manipulated inputs. To this end, the thesis frames the detection of adversarial attacks against LLMs as a binary classification task for prompts, distinguishing between benign inputs and attacks. Firstly, the state of the art in the field of Adversarial Machine Learning is reviewed, ranging from attacks against classical predictive systems to the most recent threats against generative models. Subsequently, a selection of labelled datasets is made for experimental evaluation. The experimental section evaluates different families of open-source models, inference pipelines and prompt design strategies. The results show that the performance of the models depends on the dataset, the type of attack, the architecture used, the evaluation pipeline and the specific formulation of the instruction. Although some models show promising results as detectors of adversarial prompts, the final benchmark demonstrates that their generalisation ability is limited, particularly in more realistic or subtle scenarios. Finally, a proof of concept is presented in which small perturbations are applied to prompts that have previously been correctly classified. The results show that even one of the most promising models can be induced to make errors. This observation reinforces the idea that adversarial vulnerability is a persistent feature of systems based on generative AI, and that detection using LLMs should be understood as part of a broader defence strategy, rather than as a complete solution. Furthermore, given that LLM-based agents inherit the capabilities and limitations of these models, they may also be exposed to this type of attack.