
Known By Their Actions: Fingerprinting LLM Browser Agents via UI Traces

Published 14 May 2026 in cs.CR, cs.AI, cs.HC, and cs.LG | (2605.14786v1)

Abstract: As LLM-based agents increasingly browse the web on users' behalf, a natural question arises: can websites passively identify which underlying model powers an agent? Doing so would represent a significant security risk, enabling targeted attacks tailored to known model vulnerabilities. Across 14 frontier LLMs and four web environments spanning information retrieval and shopping tasks, we show that an agent's actions and interaction timings, captured via a passive JavaScript tracker, are sufficient to identify the underlying model with up to 96% F1. We formalise this attack surface by demonstrating that classifiers trained on agent actions generalise across model sizes and families. We further show that strong classifiers can be trained from few interaction traces and that agent identity can be inferred early within an episode. Injecting randomised timing delays between actions substantially degrades classifier performance, but does not provide robust protection: a classifier retrained on delayed traces largely recovers performance. We release our harness and a labelled corpus of agent traces at https://github.com/KabakaWilliam/known_actions.

Summary

  • The paper shows that LLM browser agents can be fingerprinted via behavioral UI traces, achieving up to 96% macro F1 in multi-class attribution tests.
  • The study leverages a range of classifiers, notably XGBoost, applied to millisecond-level DOM event data to isolate temporal and structural features.
  • The paper highlights security risks such as targeted adversarial attacks and content manipulation stemming from model-specific behavioral signatures.

Fingerprinting LLM Browser Agents via UI Traces: Attribution and Security Risks

Overview and Motivation

This study systematically demonstrates that the behavioral traces left by LLM-powered browser agents (specifically, the sequences and timing of actions such as clicks, scrolls, and keypresses) provide a robust and model-specific fingerprint, allowing passive identification of the underlying foundation model. The authors position this as a novel attack surface: model attribution through UI trace analysis does not depend on spoofable browser attributes or headers, and it enables targeted exploitation by adversaries, including agent-targeted attacks and content control. With web environments instrumented by lightweight JavaScript trackers, classifiers trained on raw behavioral traces achieve up to 96% macro F1 across 14 frontier LLMs, including both proprietary and open-source variants.

Experimental Design and Methodology

The experiments are constructed around four web environments spanning information retrieval and e-commerce tasks, instrumented via a harness (Midscene.js) enforcing identical interface and action space for all agents. All session traces are collected at millisecond granularity using DOM event listeners, producing per-agent labeled corpora.

Five classifier families are benchmarked (Lasso, Logistic Regression, Random Forest, XGBoost, LSTM), with XGBoost consistently yielding superior identification performance. Behavioral features are extracted from each episode, encompassing event volume, global/inter-type timing statistics (e.g., Inter-Event Interval std, mean dwell time), action distributions, spatial statistics of clicks, navigation patterns, and structural ratios. The identification task is formalized both in closed-set (all agents known) and open-set (unknown agent detection) regimes. Robustness to active defense measures, such as randomized timing delays, is also empirically tested.

Main Results

Model Attribution Performance

  • Closed-set attribution: Agents are highly identifiable via behavioral traces alone. XGBoost achieves up to 96.6% F1 for Seed-2.0-Lite and >90% for several other models across both retrieval and shopping environments (2605.14786). The mean macro F1 across 14 models remains >79.4% (Wikipedia), 75.3% (FRAMES), 74.2% (WebShop), and 72.6% (DeepShop), far above the random-chance baseline (~7% for 14-way).
  • Family-level attribution: Grouping by model family preserves strong identification, e.g., Seed-2 (family) at 95.9% F1 on FRAMES, Qwen3-VL (family) at 94.7% F1.
  • Open-set detection: Unknown agents are consistently detectable above chance (AUROC >0.60 for the majority); however, closed-set F1 does not predict open-set detection—most notably, Seed-2.0-Lite is highly identifiable in closed-set but below chance in open-set. This orthogonality highlights structurally distinct behavioral signatures.

Analysis of Feature Importance

  • Tempo as primary signal: Timing-based features (IEI statistics, time to first action) dominate agent identity in clean traces, as quantified via mean absolute SHAP values. Agents are distinguished chiefly by their interaction rhythm rather than the specific actions taken.
  • Action features under temporal randomization: Injecting random delays sharply reduces classifier performance, but retraining on delayed traces restores robustness, with action-centered features (click coordinates dispersion, structural key ratio, link-click ratio) gaining prominence. Thus, interaction structure serves as a secondary, resilient fingerprint.
  • Efficiency: Few traces (≤1/3 of dataset) suffice for peak classifier performance; agent identity can be inferred rapidly within a session (first 40% of actions), enabling real-time attribution.
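
The split between timing and action-structure features described above can be checked on an agent operator's own traces. The following is an added example, not code from the paper or its released harness: the trace is constructed, and the feature definitions (in particular `click_dispersion` and `click_ratio`) are assumptions standing in for the paper's feature set.

```python
import random
import statistics

# Constructed trace (not from the paper's corpus):
# (t_ms, event_type, x, y, target_is_link)
TRACE = [
    (1200, "click", 310, 220, True),
    (2900, "scroll", 0, 0, False),
    (4600, "click", 298, 640, True),
    (6300, "keypress", 0, 0, False),
    (8000, "click", 520, 410, False),
    (9700, "scroll", 0, 0, False),
]

def features(trace):
    """Split a trace into timing features and action-structure features."""
    times = [e[0] for e in trace]
    ieis = [b - a for a, b in zip(times, times[1:])]  # inter-event intervals
    clicks = [e for e in trace if e[1] == "click"]
    xs, ys = [c[2] for c in clicks], [c[3] for c in clicks]
    timing = {
        "time_to_first_action": times[0],
        "iei_mean": statistics.mean(ieis),
        "iei_std": statistics.pstdev(ieis),
    }
    structure = {  # assumed definitions, independent of timestamps
        "click_ratio": len(clicks) / len(trace),
        "link_click_ratio": sum(c[4] for c in clicks) / len(clicks),
        "click_dispersion": statistics.pstdev(xs) + statistics.pstdev(ys),
    }
    return timing, structure

def add_random_delays(trace, max_delay_ms, seed):
    """Defence under test: push each action back by a cumulative random delay."""
    rng = random.Random(seed)
    shift, out = 0, []
    for t, *rest in trace:
        shift += rng.randint(1, max_delay_ms)
        out.append((t + shift, *rest))
    return out

def residual_signal(trace, max_delay_ms=3000, seed=7):
    """Return (timing features changed, structure features unchanged)."""
    t0, s0 = features(trace)
    t1, s1 = features(add_random_delays(trace, max_delay_ms, seed))
    return t0 != t1, s0 == s1
```

`residual_signal(TRACE)` returns `(True, True)`: the delays perturb every timing feature, while the structure features are identical before and after, which is the part of the trace a retrained classifier can still use.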

Transfer and Generalizability

  • Task/site-conditioned fingerprints: Attribution transfer across distinct tasks within the same website is weak, but pooling traces across tasks recovers strong site-level performance. Cross-site transfer remains weak (F1 <30%), indicating lack of universal task-invariant signatures.

Capability-Identifiability Dissociation

  • There is no statistically significant correlation between agent task capability (e.g., accuracy on FRAMES) and identifiability (Pearson r=0.14, p=0.63; Spearman ρ=0.05, p=0.85), affirming that behavioral fingerprints are orthogonal to performance and shaped by the model's interaction architecture.

Security Implications and Attack Surfaces

The ability to attribute agent identity via passive behavioral trace introduces several new threats:

  • Model-specific prompt injection: Adversaries can selectively deploy jailbreaks or prompt manipulations tailored to known model vulnerabilities, efficiently bypassing generic black-box probing.
  • Adversarial cost inflation: Sponge attacks can be targeted at models known to exhibit high token consumption, escalating user inference cost.
  • Agent-specific access control: Sites may implement blacklisting, whitelisting, or content poisoning based on agent identity, potentially serving misleading or malicious content invisible to auditors using alternative models.

Notably, passive fingerprinting is stealthy—the agent remains unaware of being identified, and adaptive retraining obviates the need for static classifiers. Pooling traces from diverse tasks on a single site further strengthens attribution, facilitating continuous enrollment of new models.

Practical and Theoretical Implications

This work reframes the adversarial and cooperative landscape for LLM-based web agents. The operative axis for web security is no longer human versus bot detection, but fine-grained model attribution. As agent deployment scales, every page visit becomes an attribution event, and web infrastructure must be architected around agent-aware defenses, adaptive adversary protocols, and behavioral obfuscation techniques.

Theoretically, behavioral fingerprinting exploits emergent temporal and structural regularities induced by model internals and planning strategies. Future work should explore harness-invariant signals, robust obfuscation defenses, and flexible browsers supporting both HTML parsing and vision-based reasoning.

Conclusion

The paper establishes that behavioral UI traces of LLM agents constitute a highly identifying signal, with up to 96% macro F1 in multi-class attribution tasks. Identification is efficient, emerges early in the session, and is resilient to naive temporal randomization upon classifier retraining. This enables targeted exploitation, adversarial cost inflation, and agent-specific content routing, fundamentally altering the threat and engineering landscape for LLM-agent deployment. As agents become ubiquitous web clients, their behavioral fingerprints demand the same scrutiny as LLM internals, necessitating agent-aware web infrastructure and defenses (2605.14786).
