NeoChainDaily
16.01.2026 • 05:35 Cybersecurity & Exploits

Inference Attacks on Web and Research Agents Using Network Metadata

Researchers have demonstrated that language‑model‑based Web and Research Agents (WRAs), when deployed locally for privacy‑sensitive tasks, can be compromised by passive network observers. By monitoring only the IP addresses and timestamps of domain requests, adversaries can infer both the original prompts and user traits. The study highlights a new privacy risk for organizations and individuals relying on WRAs for legal, financial, or confidential research purposes.

Methodology and Data Collection

The authors constructed a dataset of WRA traces derived from authentic user search queries and synthetic persona‑generated queries. Each WRA request typically contacts 70–140 distinct domains, producing a characteristic timing pattern. To quantify similarity between original and inferred prompts, the researchers introduced a behavioral metric named OBELS.

Key Findings on Prompt Leakage

Applying the OBELS metric, the attack recovered over 73 % of the functional and domain‑specific knowledge embedded in user prompts. In multi‑session scenarios, the technique identified up to 19 of 32 latent user traits with high accuracy, demonstrating the attack’s breadth beyond mere content extraction.

Robustness Under Real‑World Conditions

The attack remained effective even when observers had only partial visibility of the traffic or when the data contained noise, indicating that incidental gaps in an observer's view, such as selective logging or packet loss, are insufficient to thwart the inference.

Mitigation Strategies Evaluated

Researchers evaluated two mitigation approaches: limiting domain diversity and adding obfuscation layers to the request pattern. Both methods produced negligible impact on the agents’ utility while reducing attack effectiveness by an average of 29 %.

Implications for Deployment

These results suggest that entities deploying WRAs should reassess network‑level exposure, especially in environments where DNS resolvers, ISPs, VPNs, or firewalls can be compromised. Incorporating domain‑shuffling or timing‑randomization may mitigate privacy risks without sacrificing performance.
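The sketch below is an added illustration, not code from the paper: it applies the mitigation ideas named above (a cap on distinct domains, decoy requests, order shuffling and randomized gaps) to one agent run's fetch list and reports how many of the planned domains a passive observer would still see. The URLs, the cover-domain pool and all function names are constructed assumptions; this page does not describe the paper's actual mitigation implementation.

```python
import random
from urllib.parse import urlsplit

# Constructed sample: URLs one agent run planned to fetch (5 distinct domains).
PLANNED = [
    "https://caselaw.example/a", "https://caselaw.example/b",
    "https://statutes.example/x", "https://lawblog.example/p",
    "https://forum.example/t/1", "https://news.example/story",
]
# Constructed pool of unrelated cover domains (assumption, not from the paper).
COVER = ["weather.example", "recipes.example", "sports.example", "maps.example"]

def host(url):
    return urlsplit(url).hostname

def harden_plan(urls, max_domains, n_decoys, max_gap_s, rng):
    """Return [(send_offset_s, url, is_decoy)] for a hardened fetch schedule."""
    # 1. Limit domain diversity: keep only the most frequently used domains.
    counts = {}
    for u in urls:
        counts[host(u)] = counts.get(host(u), 0) + 1
    keep = set(sorted(counts, key=lambda h: (-counts[h], h))[:max_domains])
    plan = [(u, False) for u in urls if host(u) in keep]
    # 2. Obfuscation: mix in decoy fetches to unrelated domains.
    plan += [(f"https://{d}/", True) for d in rng.sample(COVER, n_decoys)]
    # 3. Shuffle so request order no longer mirrors the agent's search steps.
    rng.shuffle(plan)
    # 4. Randomize gaps so timing does not follow the agent's natural rhythm.
    t, schedule = 0.0, []
    for url, is_decoy in plan:
        t += rng.uniform(0.0, max_gap_s)
        schedule.append((round(t, 3), url, is_decoy))
    return schedule

def observer_view(schedule):
    """What a passive on-path observer records: (timestamp, domain) pairs."""
    return [(t, host(u)) for t, u, _ in schedule]

def exposure(urls, schedule):
    """Fraction of the originally planned domains still visible on the wire."""
    planned = {host(u) for u in urls}
    seen = {d for _, d in observer_view(schedule)}
    return len(planned & seen) / len(planned)

if __name__ == "__main__":
    sched = harden_plan(PLANNED, 3, 2, 2.0, random.Random(7))
    for t, d in observer_view(sched):
        print(f"{t:7.3f}s  {d}")
    print("planned domains still exposed:", exposure(PLANNED, sched))
```

Capping domains trades coverage for privacy, so the cap should be tuned against the agent's answer quality on representative tasks.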

This report is based on the abstract of a research paper from arXiv, licensed under Academic Preprint / Open Access. The full text is available via arXiv.
