diff --git a/poster/fragbench-overview.png b/poster/fragbench-overview.png new file mode 100644 index 0000000..ae2c0b3 Binary files /dev/null and b/poster/fragbench-overview.png differ diff --git a/poster/fragbench_poster.html b/poster/fragbench_poster.html new file mode 100644 index 0000000..3b469a7 --- /dev/null +++ b/poster/fragbench_poster.html @@ -0,0 +1,427 @@ + + + + + +FragBench Poster + + + +
+ + +
+

FRAGBENCH: CROSS-SESSION ATTACKS HIDDEN IN BENIGN-LOOKING FRAGMENTS

+

+ Astha Mehta  ·  + Niruthiha Selvanayagam  ·  + Cedric Lam  ·  + Hengxu Li  ·  + Phuc-Nguyen Nguyen  ·  + Raymond Lee  ·  + Olivia McGoffin  ·  + My (Isabella) Luong  ·  + Arthur Collé  ·  + Jamie Johnson  ·  + David Williams-King  ·  + Linh Le +

+
+ + +
+ + +
+
+
1. PROBLEM
+ + +

Attackers can bypass safety filters by decomposing malicious goals into sub-prompts or fragments that appear benign in isolation but become harmful when combined across sessions.

+

This Task Decomposition is a documented tactic in several real-world cyber-incidents (Anthropic, Google GTIG, Microsoft MDDR, OpenAI reports, etc.), yet most classifiers fail to detect it because they analyze prompts individually and miss the overall malicious composition.

+

Effectively defending against this misuse requires a shift from evaluating isolated prompts to modeling the entire cross-session interaction.

+

+
+
+
CONTRIBUTIONS
+
    +
  • + Malicious Dataset
    + A corpus of fragmented cyberattacks derived from 24 real-world incident reports covering 22 MITRE ATT&CK techniques.
    +
    +
    Dataset Sources
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Anthropic Threat Intel4
    Google GTIG7
    Microsoft Threat Intel5
    OpenAI Threat Intel3
    SentinelLABS / Unit 422
    Public incident reports3
    +
    +
  • +
  • + Benign Dataset
    + Synthetic everyday workflows (admin, docs, IT support, etc.) matching malicious data style & length. +
  • +
  • + FragBench-Attack
    + RL rewriter that optimizes fragments to bypass safety refusals + MCP validator to test whether the attack works end-to-end. +
  • +
  • + FragBench-Defense
    + A user-level graph-based detector that links scattered attack fragments across sessions. +
  • +
  • + HuggingFace ReleasePublic + Gated tiers. +
  • +
+
+
+ + +
+
+ +
+ + +
+
+
2. FRAGBENCH ATTACK
+
+ + +
+
2.1 FRAGMENT GENERATION
+
Malicious DatasetSeed prompts from the 24 campaigns were parameterized, split into fragments by Claude Opus, and styled with 6 disguise styles.
+
+
FRAGMENT STYLE DISGUISES
+
+
DIRECT Tar & encrypt /home/jdoe.
+
CMD_FORM One-liner to tar & AES encrypt.
+
SYSADMIN Back up /home/jdoe — archival.
+
EDUCATIONAL Demo AES-256 for crypto class.
+
COMPLIANCE Red-team SOC-2: archive /home/jdoe.
+
HELPDESK Ticket #4821: tar /home/jdoe.
+
+
+ + +
+
+
Benign DatasetSynthetic benign workflows generated using Claude Sonnet 4.5 to match the malicious data's characteristics.
+
Both sets were merged into a unified schema to test against a safety judge via RL and validate end-to-end execution within an MCP sandbox.
+
+
+
RL REWRITING FragBench-Attack
+

RL rewriter optimized fragments to bypass safety guardrails. Raised the single-turn safety judge bypass from ~60% → ~100% within 10 RL rounds.

+
+
+ + +
+ + +
+
Guardrail Bypass After RL Optimization
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
Rewriter / JudgeOpus 4.6 /
Opus 4.6
Opus 4.6 /
Sonnet 4.6
Sonnet 4.6 /
Sonnet 4.6
DeepSeek /
Llama Guard 4
Bypass rate97.4%99.1%100.0%100.0%
Δ improvement+26.5%+18.0%+15.6%+5.6%
+
+ + +
+
2.2 MCP EXECUTION FragBench-Attack
+

An actor model executed fragments via MCP tools and a checker model validated the attack chain. All activity occured within a sandboxed environment.

+
+ +
+ +
+
+
+
+ + +
+
+
3. FRAGBENCH DEFENSE
+

FragBench-DefenseA graph-based classifier that identifies malicious intent by linking seemingly benign sessions.

+

The graph consists of nodes representing individual tool calls—each embedded with 121-dimensional metadata features—which are connected by five edge types: data flow, temporal, shared session, shared resource, and argument similarity.

+

By linking these tool calls using a weighted union-find algorithm, the system reconstructed the fragmented attack chain.

+ + +
+
FragBench Defense Detector Performance
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DetectorGCN
(sym-norm)
GraphSAGEGINGATMLP
(no graph)
SVM-RBFGBT
F10.9560.9480.9370.9360.9050.8810.878
Accuracy0.9470.9330.9160.9260.8610.8460.846
+ +
+

Across all evaluated campaigns, the GNN-based approaches consistently achieved relatively high FI and accuracy scores, suggesting that modeling cross-session relationships is significantly more effective than analyzing prompts in isolation.

+ +
+
+
RESULTS & DISCUSSION
+

Our experiments spanned 24 campaigns and over 25,000 fragments (comprising 100 variations per campaign at ~10.6 fragments each), utilized an RL-driven pipeline that improved attack success rates to as high as 99.1%.

+

This set of experiments involving over 640,000 tool calls in a sandboxed MCP environment, demonstrated that reinforcement learning effectively transforms rejected prompts into functional, evasive, decomposed attack chains.

+

Defensively, GNN-based models successfully identified these hidden patterns, with the GCN achieving a leading F1 score of 0.956.

+
+
+
LIMITATIONS & ETHICS
+

Our benign dataset is generated by Claude Sonnet 4.5 and may possess unmeasured statistical differences from malicious data. We mitigate misuse risks by modeling only well-publicized attacks and limiting access to our RL-driven bypass prompts.

+
+
+
+ + + + +
+ +