Rerouteguard Achieves 99% Mitigation of Adversarial Risks for LLM Routing

Researchers are increasingly concerned with the security of large language model (LLM) routing systems, which direct queries to the most suitable model in multi-modal setups. Wenhui Zhang, Huiyu Xu, and Zhibo Wang from Zhejiang University, alongside Zhichao Li, Zeqing He, and Xuelin Wei from Southeast University et al., have identified a critical vulnerability: LLM rerouting attacks, where malicious prompts manipulate routing decisions. This research is significant because it systematically analyses these threats , encompassing cost escalation, quality degradation, and guardrail bypass , and demonstrates the susceptibility of current systems. The team then introduces RerouteGuard, a novel framework achieving over 99% accuracy in detecting rerouting attacks with minimal disruption to normal use, offering a practical solution to protect these increasingly prevalent multi-model systems.

LLM Rerouting Vulnerabilities and Adversarial Threats pose significant

Scientists have demonstrated a critical vulnerability in multi-model AI systems employing LLM routers, revealing that these systems are susceptible to adversarial attacks known as LLM rerouting. This research bridges a significant gap in understanding the security implications of these routing systems, which are designed to optimise computational cost and response quality by assigning queries to the most appropriate large language model. This work establishes a clear understanding of how attackers manipulate these systems and the potential consequences of successful attacks. RerouteGuard operates by filtering adversarial prompts using dynamic embedding-based detection and adaptive thresholding, effectively identifying and blocking malicious inputs before they can manipulate the routing process. This breakthrough has significant implications for companies like Replicated and OpenAI, who are already leveraging LLM routing to optimise performance and reduce costs, with estimates suggesting potential savings of up to $1.86 billion per year.

LLM Rerouting Attacks and System Vulnerabilities pose significant

Scientists investigated vulnerabilities in multi-model systems employing LLM routers, focusing on a novel attack vector termed LLM rerouting. To quantify these threats, experiments employed real-world LLM routing systems subjected to existing rerouting attacks, revealing significant susceptibility, particularly in cost escalation scenarios. Results demonstrated that current routing systems can be manipulated, leading to increased computational expense without corresponding gains in response quality. These gadgets, prepended to user queries, effectively force misrouting by subtly altering the input.

The study pioneered RerouteGuard, a flexible and scalable guardrail framework designed to mitigate these risks. RerouteGuard filters adversarial prompts using dynamic embedding-based detection coupled with adaptive thresholding, enabling it to distinguish between legitimate and malicious queries. The team engineered a contrastive learning approach within RerouteGuard to enhance detection accuracy. Crucially, this performance was achieved while maintaining a negligible impact on the processing of legitimate queries. Experiments involved modelling an LLM system comprising a stronger model (Ms) and a weaker model (Mw), a configuration assumed to be known to the adversary.

The attack objective was formally defined as maximising the probability of rerouting to a target model, achieved by crafting trigger strings and concatenating them with user queries. Adversary knowledge was varied, full, partial, or none, regarding model weights and routing mechanisms, allowing for a comprehensive assessment of RerouteGuard’s robustness under different threat conditions. This methodology enabled the team to demonstrate a 100% detection rate in some scenarios, with an average false positive rate below 2.5%.

LLM routing vulnerable to adversarial rerouting attacks

Experiments revealed that existing routing systems are particularly vulnerable to cost escalation attacks, where adversaries force the selection of more expensive models for simple tasks. These attacks utilise “confounder gadgets”, carefully designed prefixes, to misdirect the router and force selection of a suboptimal model. Data shows that these triggers effectively manipulate the router’s classification process, leading to unintended model assignments. Researchers characterised the attacks by analysing how these prefixes influence the router’s internal logic, pinpointing the specific mechanisms driving misrouting.

RerouteGuard employs dynamic embedding-based detection coupled with adaptive thresholding to identify malicious inputs. Specifically, the framework consistently identified and blocked adversarial prompts designed to force the use of weaker, less secure models, thereby preserving both computational efficiency and response integrity. The experimental results indicate that RerouteGuard offers a principled and scalable approach to enhancing the security of LLM-based applications.

LLM Rerouting Attacks Bypass Routing Systems with subtle

Researchers systematically characterised these threats, considering adversary objectives and knowledge levels, and conducted a measurement study on real-world routing systems. To address this, the team developed RerouteGuard, a guardrail framework that uses dynamic embedding-based detection and adaptive thresholding to filter adversarial prompts. The authors acknowledge limitations in the scope of evaluated routers and attack methods, suggesting future research could explore broader system architectures and more sophisticated attack strategies. Further investigation into the generalizability of RerouteGuard to diverse LLM types and deployment scenarios is also warranted, as is exploration of methods to enhance its robustness against adaptive adversaries. The presented research contributes a crucial understanding of a previously underexplored security risk and offers a promising defence mechanism for increasingly prevalent multi-model LLM systems.