Papers
Topics
Authors
Recent
Search
2000 character limit reached

UNSEEN: A Cross-Stack LLM Unlearning Defense against AR-LLM Social Engineering Attacks

Published 25 Apr 2026 in cs.CR and cs.AI | (2604.23141v1)

Abstract: Emerging AR-LLM-based Social Engineering attack (e.g., SEAR) is at the edge of posing great threats to real-world social life. In such AR-LLM-SE attack, the attacker can leverage AR (Augmented Reality) glass to capture the image and vocal information of the target, using the LLM to identify the target and generate the social profile, using the LLM agents to apply social engineering strategies for conversation suggestion to win the target trust and perform phishing afterwards. Current defensive approaches, such as role-based access control or data flow tracking, are not directly applicable to the convergent AR-LLM ecosystem (considering embedded AR device and opaque LLM inference), leaving an emerging and potent social engineering threat that existing privacy paradigms are ill-equipped to address. This necessitates a shift beyond solely human-centric measures like legislation and user education toward enforceable vendor policies and platform-level restrictions. Realizing this vision, however, faces significant technical challenges: securing resource-constrained AR-embedded devices, implementing fine-grained access control within opaque LLM inferences, and governing adaptive interactive agents. To address these challenges, we present UNSEEN, a coordinated cross-stack defense that combines an AR ACL (Access Control Layer) for identity-gated sensing, F-RMU-based LLM unlearning for sensitive profile suppression, and runtime agent guardrails for adaptive interaction control. We evaluate UNSEEN in an IRB-approved user study with 60 participants and a dataset of 360 annotated conversations across realistic social scenarios.

Summary

  • The paper presents a cross-stack defense architecture (UNSEEN) that integrates identity-gated AR ACL, F-RMU targeted unlearning, and adaptive agent guardrails to mitigate AR-LLM social engineering attacks.
  • It introduces a novel F-RMU mechanism employing Fisher-weighted sensitivity localization and structured sparse residual adaptation to precisely erase attacker-useful identity features while preserving overall model capabilities.
  • Experimental evaluations demonstrate over a 61% reduction in high-risk response rates, proving that UNSEEN effectively disrupts adversarial manipulation without impacting pipeline latency.

UNSEEN: Cross-Stack Defense Architecture for AR-LLM Social Engineering

Motivation and Threat Landscape

The convergence of Augmented Reality (AR) and LLMs enables sophisticated digital threats. AR-LLM-based Social Engineering (SE) attacks exploit AR devices for surreptitious capture of visual/auditory cues, with LLM-powered profiling and agentic conversation manipulation. Adversaries can leverage AR glasses to extract rich multimodal data, construct detailed social profiles, and adaptively deploy phishing strategies. This cross-layer pipeline bypasses traditional single-layer privacy controls, making it a potent risk vector for real-world social interactions, where upstream device constraints, opaque downstream model inference, and brittle conversational guardrails are systematically evaded. Figure 1

Figure 1: AR-LLM Social Engineering pipeline with above: attack vectors, below: full-stack UNSEEN containment.

UNSEEN is proposed as a cross-stack defense precisely aligned with the attack's three-stage pipeline (AR sensing, LLM inference, agentic interaction). Unlike device-side permission models or output-side filtering, UNSEEN integrates identity-gated AR ACL, LLM-layer targeted unlearning (F-RMU), and agent-level adaptive guardrails to jointly restrict acquisition, inference, and release of sensitive content.

F-RMU: LLM Unlearning for Sensitive Profile Suppression

Figure 2

Figure 2: F-RMU framework highlighting coupled geometry-sensitive importance localization and sparsity-driven residual adaptation.

UNSEEN's core LLM-layer defense implements the Fisher-weighted Sparse Representation Misalignment (F-RMU) mechanism to erase attacker-useful identity concepts from multimodal model representations. The approach targets only the neurons critical for encoding sensitive profile attributes while preserving general capabilities.

The method proceeds as follows:

  • Geometric Sensitivity Localization: For vision features, it leverages Integrated Fisher Information (IFI) to measure neuron importance via curvature over the optimization manifold. For textual projection layers, integrated gradients identify high-contribution neurons.
  • Structured Sparse Residual Adaptation: Instead of low-rank LoRA updates, F-RMU constructs column-wise sparse residuals (PartialLinear). Only top-k sensitive neurons are trainable, starting from zero-initialized weights for optimization stability and lossless merge into the backbone. Figure 3

    Figure 3: Fisher-weighted metric identifies sparse, highly structured neuron importance regions, contrasting with diffuse gradient noise.

  • Representation Misalignment Optimization: Targeted unlearning is achieved via a dual Huber loss: the student model maps forget samples to random manifold directions (obfuscation) and distills retain samples to match teacher activations (capability preservation).
  • Feature Manifold Transformation: t-SNE visualization confirms, post F-RMU, that embeddings of the protected identity are exploded into a high-entropy distribution, rendering semantic inversion infeasible, while non-target identities remain invariant. Figure 4

    Figure 4: t-SNE of embeddings pre- and post-F-RMU: target identity (red) obfuscated, retained identity (blue) preserved.

Theoretical and empirical analyses demonstrate that F-RMU achieves precise concept-level erasure without catastrophic forgetting, with robust optimization stability in high-dimensional multimodal spaces.

AR ACL and Agent Guardrails

UNSEEN augments LLM-layer suppression via coordinated external controls.

AR ACL (Access Control Layer):

  • Enforces identity-gated sensing on resource-constrained AR hardware.
  • Implements open-set verification using cosine similarity between detected embeddings and a whitelist, rejecting unauthorized signal capture with parametrized thresholds.
  • Employs efficient deployment pipelines (MediaPipe BlazeFace, MobileFaceNet) meeting edge latency requirements.

Agent Guardrails:

  • Real-time release layer constrains adaptive multi-turn outputs, blocking leakage of protected identities.
  • Context-based dynamic policy determines when to sanitize, reject, or pass agent responses, with protection labels for person entities and adaptive thresholds for profile similarity ACL, resilient against lexical variants and indirect references.
  • Maintains safety invariants across all turns, guaranteeing exclusion of protected concepts from agent behavior.

Experimental Evaluation

UNSEEN is evaluated in IRB-approved studies (60 participants, 360 annotated real-world conversations) under attack (SEAR baseline) and defense (UNSEEN, full/ablation).

  • Effectiveness: UNSEEN reduces attack success probabilities across phishing channels—mean scores dropped from SEAR's baseline (4.30 for photo links, 4.37 for social apps, 4.32 for SMS, 4.18 for calls) to under 1.70, with >61% reduction in high-risk responses. Responses shift from likely compliance to likely rejection.
  • Latency: Despite added AR ACL and Guardrail steps, overall pipeline latency is not increased; in fact, UNSEEN is slightly faster due to architectural optimizations in profile suppression.
  • Ablation Study: Removing individual components of UNSEEN (Agent Guardrail, LLM Unlearn, AR ACL) produces monotonic increases in attack success, with full-stack defense delivering the lowest susceptibility score (1.12), and AR ACL removal causing the greatest degradation. Figure 5

    Figure 5: Ablation study: social experience scores increase as UNSEEN modules are removed, showing module-wise impact.

  • Subjective Impact: UNSEEN disrupts attack-induced social engineering mechanisms—participant ratings across dimensions like comfort, relevance, naturalness, sincerity, depth, and future intent drop by 55–65%. The defense breaks persuasive rapport formation and sustained manipulation. Figure 6

    Figure 6: Comparison of subjective experiences: UNSEEN sharply reduces perceived naturalness, comfort, and trust versus SEAR.

Implications and Future Directions

UNSEEN establishes a formal cross-stack containment strategy for AR-LLM social engineering, aligning defense architecture with attack pipelines to mitigate real-world risk. Practically, it provides a deployable policy template for AR vendors and LLM platforms, integrating layered technical controls beyond user education or legislative measures. The F-RMU mechanism introduces a principled approach to concept-specific unlearning in multimodal models, scalable to future adversarial adaptation.

Theoretically, UNSEEN's methodology suggests a broader paradigm for handling emergent cross-modal threats, where privacy risks propagate across sensing, inference, and interaction layers. Research opportunities include extending sparse unlearning to distributed federated deployments, formal verification of guardrail policies over adaptive agent frameworks, and integration of context-aware open-set entity recognition for AR hardware.

Conclusion

UNSEEN delivers a coordinated cross-stack defense against AR-LLM social engineering attacks, combining identity-gated AR controls, targeted multimodal unlearning, and adaptive agent guardrails. The system achieves robust suppression (>61% reduction in attack success) without increased latency, and its defense emerges from the synergy of all three layers. UNSEEN sets an architectural foundation for secure AR-LLM ecosystems, representing a significant advance in technique and policy for cyber-physical privacy protection (2604.23141).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.