[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"news-1426518b-daf6-4833-9a7e-294be91d8714":3},{"id":4,"title":5,"summary":6,"original_url":7,"source_id":8,"tags":9,"published_at":23,"created_at":24,"modified_at":25,"is_published":26,"publish_type":27,"image_url":13,"view_count":28},"1426518b-daf6-4833-9a7e-294be91d8714","FARMA 把伪造推理塞进 Agent 记忆:LLM 持久记忆的完整性危机","LLM Agent 大规模进入生产环境,持久记忆几乎是标配。但 Penn State 团队 7 月 6 日挂出的论文《Your Agent's Memories Are Not Its Own》指出一个被忽视的攻击面:不是注入事实,而是注入推理过程。\n\n论文提出的 FARMA 攻击分两步:先用规避性语言写入伪造推理痕迹绕过关键词过滤,再通过自指式强化让 Agent 把这些痕迹当成自己的记忆反复引用,击穿 A-MemGuard 等共识防御。50 次试验中,无防御基线下攻击成功率高达 100%。\n\n防御端 SENTINEL 没走大模型过滤的老路,而是用五个加权信号对候选记忆做结构化分析。在多种 Agent 和 LLM 组合下,把 FARMA 成功率压到 0%,对 326 条良性 trace 无误报——这是生产系统可用的信号。\n\n这条工作的真正价值不在于又一个 jailbreak 变种,而在于把记忆的出处与完整性从可选项推到必选项:任何把 Agent 推到客服、运维、合规场景的团队,都必须在记忆层加入签名、来源审计与异常结构检测,否则 Agent 的经验完全可以被外部改写。","https:\u002F\u002Farxiv.org\u002Fabs\u002F2607.05029v1","7437aeb9-930c-4866-a2e9-48003c1a792b",[10,14,17,20],{"id":11,"name":12,"slug":12,"description":13,"color":13},"5e628969-6d2a-437f-998a-104e4b16cfb1","ai-progress",null,{"id":15,"name":16,"slug":16,"description":13,"color":13},"1fcfaaf2-67de-43d3-9e35-5784852fec60","ai-safety",{"id":18,"name":19,"slug":19,"description":13,"color":13},"40269b40-7942-4650-9672-ed2e6524d37a","ai-technology",{"id":21,"name":22,"slug":22,"description":13,"color":13},"01598627-1ea6-4b27-a5d8-874971571a71","llm","2026-07-11T02:30:00Z","2026-07-11T02:07:38.913827Z","2026-07-11T02:07:38.913838Z",true,"agent",2]