- The paper presents a cross-stack defense architecture (UNSEEN) that integrates identity-gated AR ACL, F-RMU targeted unlearning, and adaptive agent guardrails to mitigate AR-LLM social engineering attacks.
- It introduces a novel F-RMU mechanism employing Fisher-weighted sensitivity localization and structured sparse residual adaptation to precisely erase attacker-useful identity features while preserving overall model capabilities.
- Experimental evaluations demonstrate over a 61% reduction in high-risk response rates, proving that UNSEEN effectively disrupts adversarial manipulation without impacting pipeline latency.
UNSEEN: Cross-Stack Defense Architecture for AR-LLM Social Engineering
Motivation and Threat Landscape
The convergence of Augmented Reality (AR) and LLMs enables sophisticated digital threats. AR-LLM-based Social Engineering (SE) attacks exploit AR devices for surreptitious capture of visual/auditory cues, with LLM-powered profiling and agentic conversation manipulation. Adversaries can leverage AR glasses to extract rich multimodal data, construct detailed social profiles, and adaptively deploy phishing strategies. This cross-layer pipeline bypasses traditional single-layer privacy controls, making it a potent risk vector for real-world social interactions, where upstream device constraints, opaque downstream model inference, and brittle conversational guardrails are systematically evaded.
Figure 1: AR-LLM Social Engineering pipeline with above: attack vectors, below: full-stack UNSEEN containment.
UNSEEN is proposed as a cross-stack defense precisely aligned with the attack's three-stage pipeline (AR sensing, LLM inference, agentic interaction). Unlike device-side permission models or output-side filtering, UNSEEN integrates identity-gated AR ACL, LLM-layer targeted unlearning (F-RMU), and agent-level adaptive guardrails to jointly restrict acquisition, inference, and release of sensitive content.
F-RMU: LLM Unlearning for Sensitive Profile Suppression
Figure 2: F-RMU framework highlighting coupled geometry-sensitive importance localization and sparsity-driven residual adaptation.
UNSEEN's core LLM-layer defense implements the Fisher-weighted Sparse Representation Misalignment (F-RMU) mechanism to erase attacker-useful identity concepts from multimodal model representations. The approach targets only the neurons critical for encoding sensitive profile attributes while preserving general capabilities.
The method proceeds as follows:
- Geometric Sensitivity Localization: For vision features, it leverages Integrated Fisher Information (IFI) to measure neuron importance via curvature over the optimization manifold. For textual projection layers, integrated gradients identify high-contribution neurons.
- Structured Sparse Residual Adaptation: Instead of low-rank LoRA updates, F-RMU constructs column-wise sparse residuals (PartialLinear). Only top-k sensitive neurons are trainable, starting from zero-initialized weights for optimization stability and lossless merge into the backbone.
Figure 3: Fisher-weighted metric identifies sparse, highly structured neuron importance regions, contrasting with diffuse gradient noise.
- Representation Misalignment Optimization: Targeted unlearning is achieved via a dual Huber loss: the student model maps forget samples to random manifold directions (obfuscation) and distills retain samples to match teacher activations (capability preservation).
- Feature Manifold Transformation: t-SNE visualization confirms, post F-RMU, that embeddings of the protected identity are exploded into a high-entropy distribution, rendering semantic inversion infeasible, while non-target identities remain invariant.
Figure 4: t-SNE of embeddings pre- and post-F-RMU: target identity (red) obfuscated, retained identity (blue) preserved.
Theoretical and empirical analyses demonstrate that F-RMU achieves precise concept-level erasure without catastrophic forgetting, with robust optimization stability in high-dimensional multimodal spaces.
AR ACL and Agent Guardrails
UNSEEN augments LLM-layer suppression via coordinated external controls.
AR ACL (Access Control Layer):
- Enforces identity-gated sensing on resource-constrained AR hardware.
- Implements open-set verification using cosine similarity between detected embeddings and a whitelist, rejecting unauthorized signal capture with parametrized thresholds.
- Employs efficient deployment pipelines (MediaPipe BlazeFace, MobileFaceNet) meeting edge latency requirements.
Agent Guardrails:
- Real-time release layer constrains adaptive multi-turn outputs, blocking leakage of protected identities.
- Context-based dynamic policy determines when to sanitize, reject, or pass agent responses, with protection labels for person entities and adaptive thresholds for profile similarity ACL, resilient against lexical variants and indirect references.
- Maintains safety invariants across all turns, guaranteeing exclusion of protected concepts from agent behavior.
Experimental Evaluation
UNSEEN is evaluated in IRB-approved studies (60 participants, 360 annotated real-world conversations) under attack (SEAR baseline) and defense (UNSEEN, full/ablation).
- Effectiveness: UNSEEN reduces attack success probabilities across phishing channels—mean scores dropped from SEAR's baseline (4.30 for photo links, 4.37 for social apps, 4.32 for SMS, 4.18 for calls) to under 1.70, with >61% reduction in high-risk responses. Responses shift from likely compliance to likely rejection.
- Latency: Despite added AR ACL and Guardrail steps, overall pipeline latency is not increased; in fact, UNSEEN is slightly faster due to architectural optimizations in profile suppression.
- Ablation Study: Removing individual components of UNSEEN (Agent Guardrail, LLM Unlearn, AR ACL) produces monotonic increases in attack success, with full-stack defense delivering the lowest susceptibility score (1.12), and AR ACL removal causing the greatest degradation.
Figure 5: Ablation study: social experience scores increase as UNSEEN modules are removed, showing module-wise impact.
- Subjective Impact: UNSEEN disrupts attack-induced social engineering mechanisms—participant ratings across dimensions like comfort, relevance, naturalness, sincerity, depth, and future intent drop by 55–65%. The defense breaks persuasive rapport formation and sustained manipulation.
Figure 6: Comparison of subjective experiences: UNSEEN sharply reduces perceived naturalness, comfort, and trust versus SEAR.
Implications and Future Directions
UNSEEN establishes a formal cross-stack containment strategy for AR-LLM social engineering, aligning defense architecture with attack pipelines to mitigate real-world risk. Practically, it provides a deployable policy template for AR vendors and LLM platforms, integrating layered technical controls beyond user education or legislative measures. The F-RMU mechanism introduces a principled approach to concept-specific unlearning in multimodal models, scalable to future adversarial adaptation.
Theoretically, UNSEEN's methodology suggests a broader paradigm for handling emergent cross-modal threats, where privacy risks propagate across sensing, inference, and interaction layers. Research opportunities include extending sparse unlearning to distributed federated deployments, formal verification of guardrail policies over adaptive agent frameworks, and integration of context-aware open-set entity recognition for AR hardware.
Conclusion
UNSEEN delivers a coordinated cross-stack defense against AR-LLM social engineering attacks, combining identity-gated AR controls, targeted multimodal unlearning, and adaptive agent guardrails. The system achieves robust suppression (>61% reduction in attack success) without increased latency, and its defense emerges from the synergy of all three layers. UNSEEN sets an architectural foundation for secure AR-LLM ecosystems, representing a significant advance in technique and policy for cyber-physical privacy protection (2604.23141).