Papers
Topics
Authors
Recent
Search
2000 character limit reached

Intention-Hiding Attacks in Adversarial ML

Updated 6 July 2026
  • Intention-hiding attacks are adversarial strategies that conceal malicious intent behind benign actions to bypass detection across various security-critical systems.
  • They leverage methods from probabilistic planning, multi-turn jailbreaks, and code obfuscation to merge harmful payloads with seemingly legitimate operations.
  • Recent defenses employ bidirectional inference and deception techniques, yet scalability issues persist as attackers exploit temporal and representational vulnerabilities.

Searching arXiv for papers on intention-hiding attacks across LLMs, adversarial ML, and related security settings. arXiv search query: "intention hiding attack LLM obfuscation deception" Intention-hiding attacks are adversarial strategies that conceal a malicious goal, objective, or side channel behind behavior that appears benign, legitimate, or task-consistent to an observer. The literature uses closely related terms including intention deception, intent obfuscation, concealment of intent, intent shift, and intention-hiding malicious agents. Across these formulations, the core mechanism is consistent: the attacker seeks to satisfy an attack objective while keeping the defender’s belief within a benign hypothesis class, whether the observer is a safety-aligned LLM, a compiler reviewer, a PDF signer, a detector analyst, or a partially observing defender in a stochastic control setting (Fu, 2022, Wu et al., 27 May 2025, Tong et al., 25 Sep 2025, Boucher et al., 2021, Popescu, 2012).

1. Conceptual scope

In probabilistic planning, intention deception is defined as computing a strategy that deceives the opponent into a wrong belief about the agent’s intention or objective, while still reaching target states and avoiding unsafe states almost surely in an MDP monitored by a defender with partial observations (Fu, 2022). In multi-turn LLM jailbreaks, the same idea appears as malicious intent that is progressively concealed through tactical manipulation, so that simple single-turn defenses remain ineffective until the final turn (Tong et al., 25 Sep 2025). In adversarial prompting for aligned models, malicious intent is concealed through the composition of benign “skills,” such as metaphor or negotiation, so that prompt and response filters allocate capacity inefficiently (Wu et al., 27 May 2025). In software artifacts, an intention-hiding attack can instead be a representational mismatch: a source sequence or document is displayed as benign to a human reviewer or signer, while the compiler or alternative file interpreter executes or renders a different semantic object (Boucher et al., 2021, Popescu, 2012).

This breadth is important because the attack family is not tied to any single substrate. The hidden object may be an action plan, a harmful request, a backdoor trigger, a target object in a detector, a sensitive attribute encoded into logits, or a covertly malicious agent in an LLM-based multi-agent system. What unifies these cases is not the payload but the concealment relation between outward evidence and underlying objective (Li et al., 2024, Malekzadeh et al., 2021, Xie et al., 7 Jul 2025).

A recurrent misconception is that intention hiding is merely “prompt obfuscation.” The record is wider. It includes adversarial examples on object detectors that perturb a different, non-overlapping object to hide the true target (Li et al., 2024), hidden attackers in ICS that imitate legitimate sensor readings during a prolonged hiding phase (Sourav et al., 2023), and polymorphic PDF/TIFF files that invalidate the WYSIWYS assumption without changing signed bits (Popescu, 2012).

2. Formalizations of concealment

Several papers make concealment explicit in formal criteria rather than treating it as an informal evasion property.

Setting Concealment criterion Source
Multi-turn jailbreaks i<T:mi<δ\forall i<T: m_i<\delta but J(RT,G)=1J(R'_T,G)=1 (Tong et al., 25 Sep 2025)
MDP intention deception attacker reaches φ1\varphi_1 almost surely while each attacker history has an observation-equivalent legitimate-user counterpart (Fu, 2022)
Trojan Source Semantics(fdisplay(S))Semantics(fcompile(S))\mathrm{Semantics}(f_{display}(S)) \neq \mathrm{Semantics}(f_{compile}(S)) (Boucher et al., 2021)
HBC classifiers high honesty δy\delta^y and high curiosity δs\delta^s from the same released output vector (Malekzadeh et al., 2021)
LLM-MAS sabotage maximize ΔAλD(am)\Delta A-\lambda D(a_m) under low behavioral deviation (Xie et al., 7 Jul 2025)

For multi-turn jailbreaks, the hidden-goal formulation is particularly direct. If an adversary with hidden goal GG crafts a chain C={P1,,PT}=Amulti(G)C=\{P'_1,\dots,P'_T\}=A_{multi}(G), then the model’s latent malicious-intent probability mi=P(MiP1Pi,H0)m_i=P(M_i\mid P'_1\ldots P'_i,H_0) drifts slowly upward. An intention-hiding attack is one for which each J(RT,G)=1J(R'_T,G)=10 remains below a single-turn threshold J(RT,G)=1J(R'_T,G)=11 before the final turn, yet the final response satisfies the binary success indicator J(RT,G)=1J(R'_T,G)=12 (Tong et al., 25 Sep 2025). This turns concealment into a sequential calibration failure.

In the MDP setting, the key object is an augmented belief-product state J(RT,G)=1J(R'_T,G)=13, where J(RT,G)=1J(R'_T,G)=14 is the true state and J(RT,G)=1J(R'_T,G)=15 is the defender’s belief under the rational-user assumption. The attacker must satisfy a reach-avoid objective J(RT,G)=1J(R'_T,G)=16 almost surely while ensuring that every observed history remains compatible with some almost-sure winning legitimate-user strategy for J(RT,G)=1J(R'_T,G)=17 (Fu, 2022). Concealment is thus equivalent to keeping the defender’s feasible belief set non-empty.

The HBC formulation shows that intention hiding can also be output-channel design. A semi-trusted server provides a classifier J(RT,G)=1J(R'_T,G)=18 that appears honest on target attribute J(RT,G)=1J(R'_T,G)=19, but the server secretly applies a second mapping φ1\varphi_10 to infer a sensitive attribute φ1\varphi_11. The paper writes honesty as φ1\varphi_12 and curiosity as φ1\varphi_13, then frames training through an Information Bottleneck objective that simultaneously preserves target prediction and sensitive-attribute leakage (Malekzadeh et al., 2021). Here the “hidden intention” is privacy extraction rather than visible task degradation.

3. Prompt- and dialogue-level attacks on LLMs

Prompt-level intention hiding has developed along at least three distinct lines. First, the game-theoretic line models adversarial prompting as concealment of malicious intent through benign skill composition. The attacker mixes intent φ1\varphi_14 with skills φ1\varphi_15 using a fixed encoder φ1\varphi_16, while the defender allocates finite prompt-and-response filtering capacity across intent-skill combinations. In this model, the equilibrium value is φ1\varphi_17, achieved when the attacker spreads uniformly over skills and the defender spreads capacity proportionally to the intent prior (Wu et al., 27 May 2025). As the skill set grows, defender capacity is diluted; the paper further states that mixing two skills replaces the relevant denominator by φ1\varphi_18, making defense harder to scale (Wu et al., 27 May 2025).

Second, ISA reframes harmful requests through minimal linguistic transformations rather than large prompt scaffolds. The attack defines φ1\varphi_19 and is successful when the model generates harmful content while its internal intent judgment flips from harmful to benign, Semantics(fdisplay(S))Semantics(fcompile(S))\mathrm{Semantics}(f_{display}(S)) \neq \mathrm{Semantics}(f_{compile}(S))0 (Ding et al., 1 Nov 2025). The reported taxonomy contains five shifts: Person Shift, Tense Shift, Voice Shift, Mood Shift, and Question Shift. On AdvBench, the best-shift ASR is listed as Semantics(fdisplay(S))Semantics(fcompile(S))\mathrm{Semantics}(f_{display}(S)) \neq \mathrm{Semantics}(f_{compile}(S))1 for Qwen-2.5, Semantics(fdisplay(S))Semantics(fcompile(S))\mathrm{Semantics}(f_{display}(S)) \neq \mathrm{Semantics}(f_{compile}(S))2 for Llama-3.1, Semantics(fdisplay(S))Semantics(fcompile(S))\mathrm{Semantics}(f_{display}(S)) \neq \mathrm{Semantics}(f_{compile}(S))3 for GPT-4.1, Semantics(fdisplay(S))Semantics(fcompile(S))\mathrm{Semantics}(f_{display}(S)) \neq \mathrm{Semantics}(f_{compile}(S))4 for Claude-4-Sonnet, and Semantics(fdisplay(S))Semantics(fcompile(S))\mathrm{Semantics}(f_{display}(S)) \neq \mathrm{Semantics}(f_{compile}(S))5 for DeepSeek-R1, with gains of over Semantics(fdisplay(S))Semantics(fcompile(S))\mathrm{Semantics}(f_{display}(S)) \neq \mathrm{Semantics}(f_{compile}(S))6 relative to direct harmful prompts in the headline summary (Ding et al., 1 Nov 2025). The same paper reports that fine-tuning Qwen-2.5 and Llama-3.1 on only benign ISA-style data elevates success rates to nearly Semantics(fdisplay(S))Semantics(fcompile(S))\mathrm{Semantics}(f_{display}(S)) \neq \mathrm{Semantics}(f_{compile}(S))7 on held-out malicious prompts after ISA (Ding et al., 1 Nov 2025).

Third, multi-turn attacks exploit temporal decomposition. BIID was proposed precisely because conventional defenses focused on single-turn attacks, whereas multi-turn jailbreaks conceal malicious intent across turns. BIID interposes a forward request-based inference score Semantics(fdisplay(S))Semantics(fcompile(S))\mathrm{Semantics}(f_{display}(S)) \neq \mathrm{Semantics}(f_{compile}(S))8 and a backward response-based retrospection score Semantics(fdisplay(S))Semantics(fcompile(S))\mathrm{Semantics}(f_{display}(S)) \neq \mathrm{Semantics}(f_{compile}(S))9, with one fusion rule δy\delta^y0 (Tong et al., 25 Sep 2025). The paper reports evaluation on Llama-3.1-8B-Instruct, Llama-3.3-70B-Instruct, and Qwen3-8B, across AIM, BetterDAN, GCG, ICA, Future-tense, Past-tense, PAIR, RandomSearch, Crescendo, and ActorAttack, using JailBreakBench, HarmBench, MHJ, SafeDialBench, and CoSafe (Tong et al., 25 Sep 2025). It states that BIID drives ASR to approximately δy\delta^y1–δy\delta^y2 on every attack/model combination, reduces MHJ ASR from approximately δy\delta^y3 with no defense to below δy\delta^y4, and retains greater than δy\delta^y5 win-rate on AlpacaEval (Tong et al., 25 Sep 2025).

The same concealment logic extends from single-model prompting to collaborative systems. In LLM-based multi-agent systems, one malicious agent can remain role-consistent and fluent while subtly biasing group reasoning through Suboptimal Fixation, Reframing Misalignment, Fake Injection, or Execution Delay (Xie et al., 7 Jul 2025). The objective is written as maximizing δy\delta^y6, with concealment operationalized by a low deviation score δy\delta^y7 across HEXACO dimensions (Xie et al., 7 Jul 2025). This shows that intention hiding in LLM systems is not restricted to user-model interaction; it also arises in agent-agent coordination.

4. Manifestations beyond prompting

Software supply-chain security provides a canonical non-LLM instance. Trojan Source attacks exploit Unicode bidirectional control characters so that source code appears different to a compiler and to the human eye. The paper formalizes a source file δy\delta^y8 as feeding two interpreters, δy\delta^y9 and δs\delta^s0, and defines an intention-hiding attack by the inequality δs\delta^s1 (Boucher et al., 2021). The listed control characters include U+202A, U+202B, U+202D, U+202E, U+202C, U+2066, U+2067, and U+2069, and the paper demonstrates working examples in C, C++, C#, JavaScript, Java, Rust, Go, Python, SQL, Bash, Assembly, and Solidity (Boucher et al., 2021). Here concealment exploits differential interpretation rather than statistical misclassification.

Document security exhibits an analogous split between displayed and signed content. The PDF/TIFF polymorphism attack constructs a single file δs\delta^s2 that is simultaneously a valid PDF and a valid TIFF, so that a signer sees only the PDF rendering while the hidden TIFF content is still signed (Popescu, 2012). After signing, the attacker changes only the filename extension; since the bit-string is unchanged, signature verification still succeeds. The paper frames this as a proof-of-concept against WYSIWYS and notes substantial destructive potential in e-government and e-business settings (Popescu, 2012).

In computer vision, intent obfuscation was introduced for object detectors by perturbing another non-overlapping object to disrupt the target object, thereby hiding the intended target (Li et al., 2024). The attacker modifies only pixels in a perturbation region δs\delta^s3 with δs\delta^s4, solving iterative PGD under δs\delta^s5 and δs\delta^s6 (Li et al., 2024). On 5,000 held-out COCO 2017 test images and five detectors—YOLOv3, SSD, RetinaNet, Faster R-CNN, and Cascade R-CNN—the paper reports targeted and untargeted success across all models. At δs\delta^s7, δs\delta^s8, IoU/confidence threshold δs\delta^s9, vanishing success is approximately ΔAλD(am)\Delta A-\lambda D(a_m)0 for YOLOv3, ΔAλD(am)\Delta A-\lambda D(a_m)1 for SSD, ΔAλD(am)\Delta A-\lambda D(a_m)2 for RetinaNet, ΔAλD(am)\Delta A-\lambda D(a_m)3 for Faster R-CNN, and ΔAλD(am)\Delta A-\lambda D(a_m)4 for Cascade R-CNN (Li et al., 2024). The paper also explicitly links the off-target perturbation to “plausible deniability” (Li et al., 2024).

Critical infrastructure introduces a hiding phase centered on sensor impersonation. The ICS work studies an off-path false-data-injection attacker that first makes the original sensor’s readings unavailable and then impersonates that sensor with legitimate-looking fake readings over a prolonged interval ΔAλD(am)\Delta A-\lambda D(a_m)5 (Sourav et al., 2023). The defender injects keyed micro-distortions ΔAλD(am)\Delta A-\lambda D(a_m)6 with ΔAλD(am)\Delta A-\lambda D(a_m)7, either digitally via LSB overwriting or physically via a small actuated perturbation, and detects whether the received sequence matches the secret distortion process (Sourav et al., 2023). For the digital method, the paper gives ΔAλD(am)\Delta A-\lambda D(a_m)8 under random guessing; for the physical mode, it proposes the Filtered-ΔAλD(am)\Delta A-\lambda D(a_m)9-Mean-Difference statistic with GG0 under no attack and approximately GG1 under attack (Sourav et al., 2023).

Privacy leakage through model outputs is another non-obvious instance. HBC classifiers can be accurate in predicting their target attribute while also exploiting their outputs to secretly encode a sensitive attribute, even when users have a full white-box view of the classifier and only release the output vector (Malekzadeh et al., 2021). On CelebA “Smiling vs. Male,” the summary reports that a standard classifier has GG2 and GG3, while Soft-HBC with GG4 yields GG5 and GG6 (Malekzadeh et al., 2021). The same paper reports that a standard classifier’s outputs are near chance for sensitive-attribute recovery in some cases, whereas HBC outputs carry a robust side channel (Malekzadeh et al., 2021).

Sequence backdoors in finance represent yet another manifestation. A 2023 study on transaction sequences describes a method to introduce concealed backdoors into event-sequence models without altering their functionality for uncontaminated data, and identifies attacks with an additional supervised detection step during test time or well-hidden model weight modifications as particularly difficult to uncover (Ermilova et al., 2023). The abstract reports experiments on three open transaction datasets and three architectures—LSTM, CNN, and Transformer—and notes that alternative methods such as distillation-type regularization were explored but found less efficient (Ermilova et al., 2023).

5. Detection and defense strategies

A common defensive pattern is to reintroduce observability for the hidden variable. In multi-turn LLM safety, BIID does this by pairing forward request-based intention inference with backward response-based intention retrospection, with thresholds calibrated to keep false-positive rate at or below GG7 on benign dialogues (Tong et al., 25 Sep 2025). The ablation results are structurally revealing: forward-only catches approximately GG8 of multi-turn attacks, backward-only catches approximately GG9, and full bidirectional inference catches more than C={P1,,PT}=Amulti(G)C=\{P'_1,\dots,P'_T\}=A_{multi}(G)0 of cases (Tong et al., 25 Sep 2025). This indicates that concealment can be distributed across both prompts and generated responses.

ISA evaluates both training-free and training-based mitigations. The reported prompt-based defenses are Intent-Aware Defense and Output Harm-Aware Defense, and the training-based defense is supervised fine-tuning on ISA-shifted harmful and benign examples with an explicit two-part format: “Intent Analysis” and “Policy-aligned Response” (Ding et al., 1 Nov 2025). On Qwen-2.5, GPT-4.1, and DeepSeek-R1, the table reports that Intent-Aware Defense reduces ASR to C={P1,,PT}=Amulti(G)C=\{P'_1,\dots,P'_T\}=A_{multi}(G)1, C={P1,,PT}=Amulti(G)C=\{P'_1,\dots,P'_T\}=A_{multi}(G)2, and C={P1,,PT}=Amulti(G)C=\{P'_1,\dots,P'_T\}=A_{multi}(G)3, while Output Harm-Aware reduces it to C={P1,,PT}=Amulti(G)C=\{P'_1,\dots,P'_T\}=A_{multi}(G)4, C={P1,,PT}=Amulti(G)C=\{P'_1,\dots,P'_T\}=A_{multi}(G)5, and C={P1,,PT}=Amulti(G)C=\{P'_1,\dots,P'_T\}=A_{multi}(G)6; the fine-tuned Qwen-2.5 reaches C={P1,,PT}=Amulti(G)C=\{P'_1,\dots,P'_T\}=A_{multi}(G)7 ASR but with C={P1,,PT}=Amulti(G)C=\{P'_1,\dots,P'_T\}=A_{multi}(G)8 refusal on XSTest (Ding et al., 1 Nov 2025). The paper explicitly frames this as a safety–utility trade-off.

The game-theoretic line proposes a different countermeasure: misleading the attacker. Instead of merely hardening weak intent-skill combinations, the defender fabricates a performance table C={P1,,PT}=Amulti(G)C=\{P'_1,\dots,P'_T\}=A_{multi}(G)9 so that a safe combination appears weak and attracts attacker probing, then allocates capacity to that trap (Wu et al., 27 May 2025). The resulting equilibrium payoff is reported as

mi=P(MiP1Pi,H0)m_i=P(M_i\mid P'_1\ldots P'_i,H_0)0

with Theorem 4 stating mi=P(MiP1Pi,H0)m_i=P(M_i\mid P'_1\ldots P'_i,H_0)1 under the practical constraint mi=P(MiP1Pi,H0)m_i=P(M_i\mid P'_1\ldots P'_i,H_0)2 (Wu et al., 27 May 2025). This is a deception-based defense against deceptive attacks.

In LLM-MAS, AgentXposed combines the HEXACO personality model with the Reid Technique. It infers initial trait scores mi=P(MiP1Pi,H0)m_i=P(M_i\mid P'_1\ldots P'_i,H_0)3, monitors deviations, and triggers progressive inquiry when mi=P(MiP1Pi,H0)m_i=P(M_i\mid P'_1\ldots P'_i,H_0)4 with mi=P(MiP1Pi,H0)m_i=P(M_i\mid P'_1\ldots P'_i,H_0)5 (Xie et al., 7 Jul 2025). The reported average mi=P(MiP1Pi,H0)m_i=P(M_i\mid P'_1\ldots P'_i,H_0)6 scores for centralized intention-hiding attacks are mi=P(MiP1Pi,H0)m_i=P(M_i\mid P'_1\ldots P'_i,H_0)7 for HEXACO, mi=P(MiP1Pi,H0)m_i=P(M_i\mid P'_1\ldots P'_i,H_0)8 for MBTI, and mi=P(MiP1Pi,H0)m_i=P(M_i\mid P'_1\ldots P'_i,H_0)9 for Big-Five, while undisguised baselines such as Incorrect Fact Injection and Dark-Traits yield J(RT,G)=1J(R'_T,G)=100 and recall up to J(RT,G)=1J(R'_T,G)=101 (Xie et al., 7 Jul 2025). The lower detection rate on intention-hiding attacks is itself evidence of concealment efficacy.

For representational attacks, defenses are more infrastructural. Trojan Source recommends compiler-level rejection or warning on unbalanced Bidi controls, normalization by stripping Bidi controls before lexical analysis, editor visualization of suspicious code points, and repository or CI scanning that bans U+202A through U+2069 unless explicitly whitelisted (Boucher et al., 2021). The PDF/TIFF work recommends hex-level inspection, PDF/A-1b Preflight, signing tools that rewrite documents, and embedding filename or MIME type into the signed CMS/PKCS#7 attributes so that re-extension breaks verification (Popescu, 2012). In ICS, the digital two-layer LSB method and physical Filtered-J(RT,G)=1J(R'_T,G)=102-Mean-Difference method aim to expose attackers while they are still in the hiding phase, with one-pass J(RT,G)=1J(R'_T,G)=103 complexity and no heavy cryptography (Sourav et al., 2023).

HBC mitigation is more limited. The paper mentions third-party auditing on sensitive-attribute-labeled probes, restricting outputs to a single top label or perturbing/quantizing outputs, and developing methods that certify J(RT,G)=1J(R'_T,G)=104 is below a threshold (Malekzadeh et al., 2021). The difficulty is that removing the hidden channel without damaging the target task is itself an information-allocation problem.

6. Security significance, attribution, and open problems

The significance of intention-hiding attacks lies partly in their effect on attribution. The object-detector paper emphasizes “plausible deniability” because the visible perturbation lies off the principal target (Li et al., 2024). The ISA work shows that minimal grammatical or pragmatic changes can make a clearly malicious request masquerade as a benign knowledge query (Ding et al., 1 Nov 2025). Trojan Source and PDF polymorphism both undermine visual review assumptions: in one case the human reviewer sees benign code while the compiler executes malicious logic, and in the other the signer sees a benign PDF while the signed bit-string also contains a hidden TIFF (Boucher et al., 2021, Popescu, 2012). These are not merely evasion events; they are failures of evidentiary alignment between appearance and operational semantics.

Another recurring theme is scaling pressure on defenders. In the game-theoretic prompting model, larger skill spaces and skill mixtures increase attacker advantage under finite filtering capacity (Wu et al., 27 May 2025). In decentralized multi-agent systems, increasing agent count and deeper discussion rounds amplify covert influence, and execution-delay attacks can remain nearly invisible while inflating collaboration cost (Xie et al., 7 Jul 2025). In MDP deception planning, the augmented state space is J(RT,G)=1J(R'_T,G)=105, so exact synthesis inherits an exponential blow-up from subset construction (Fu, 2022). In sequence backdoor attacks, the abstract indicates that uncoverability varies across datasets, architectures, and model components, which suggests that concealment is not a fixed property but interacts with system design (Ermilova et al., 2023).

Several open problems are explicit in the literature. The MDP work is limited to reach-avoid objectives and assumes full knowledge of the defender’s observation structure and user objective (Fu, 2022). ISA identifies the need to expand beyond English and beyond five core shifts, and calls for adaptive, context-aware defenses that infer latent user intent without over-conservatism (Ding et al., 1 Nov 2025). The HBC work leaves open scalable detection of hidden side channels in logits and defenses robust to unknown sensitive attributes (Malekzadeh et al., 2021). The ICS paper distinguishes digital and physical distortion regimes, implying that attacker exposure during the hiding phase depends on the defender’s ability to inject and verify secret perturbations without destabilizing the plant (Sourav et al., 2023). The game-theoretic LLM paper assumes a stylized capacity-constrained defender; a plausible implication is that richer attacker–defender models will have to incorporate probing, adaptation, and endogenous safety policies more explicitly (Wu et al., 27 May 2025).

Taken together, the research record presents intention-hiding attacks as a general security pattern rather than a narrow attack class. The attacker’s primary innovation is not only to change a model’s output or a system’s state, but to preserve a benign explanation for the observed evidence while doing so. That design principle recurs in stochastic planning, prompt engineering, multi-turn jailbreaks, multi-agent sabotage, source-code representation, document polymorphism, object-detection attacks, hidden ICS intrusion, privacy leakage, and concealed backdoors in event sequences (Fu, 2022, Tong et al., 25 Sep 2025, Xie et al., 7 Jul 2025, Boucher et al., 2021, Popescu, 2012, Li et al., 2024, Sourav et al., 2023, Malekzadeh et al., 2021, Ermilova et al., 2023).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Intention-Hiding Attacks.