Route to Rome Attack: Directing LLM Routers to Expensive Models via Adversarial Suffix Optimization

2026-04-16 · Source: Computation and Language · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

The R²A (Route to Rome Attack) is a novel adversarial technique designed to manipulate black-box Large Language Model (LLM) routers, forcing them to select more expensive, high-capability models for user queries. This attack addresses a new security vulnerability in cost-aware routing systems, which typically balance performance and inference cost by dynamically dispatching queries to models of varying capabilities. Unlike previous routing attacks that require white-box access or rely on heuristic prompts, R²A operates effectively in black-box environments. It achieves this by deploying a hybrid ensemble surrogate router to mimic the target black-box router, then adapting a suffix optimization algorithm for this ensemble-based surrogate. Extensive experiments on various open-source and commercial routing systems demonstrate that R²A substantially increases the routing rate to expensive models across different query distributions.

Key takeaway

For CTOs and VPs of Engineering deploying cost-aware LLM routing systems, you should immediately assess your router's susceptibility to adversarial manipulation. The R²A attack demonstrates that black-box routers are vulnerable to being forced into selecting expensive models, potentially leading to significant, unexpected inference cost increases. Implement robust monitoring for routing anomalies and consider integrating adversarial robustness testing into your LLM deployment pipeline to mitigate financial and operational risks.

Key insights

Adversarial suffix optimization can mislead black-box LLM routers into selecting expensive, high-capability models.

Principles

• Cost-aware LLM routing introduces new attack surfaces.
• Black-box systems can be attacked via surrogate models.

Method

R²A uses a hybrid ensemble surrogate router to mimic the black-box target, then applies a suffix optimization algorithm to this surrogate to generate adversarial inputs.

In practice

• Implement robust input validation for LLM routers.
• Monitor routing decisions for anomalous patterns.

Topics

• LLM Routers
• Adversarial Suffix Optimization
• Black-box Attacks
• Cost-aware Routing
• Ensemble Surrogate Router

Code references

• thcxiker/R2A-Attack

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Scientist, Machine Learning Engineer, AI Security Engineer

Related on AIssential

• Adversarial Agents: Black-Box Evasion Attacks with Reinforcement Learning — RL agents can learn to generate black-box adversarial examples more efficiently and effectively by utilizing past attack experience.
• SecureRouter: Encrypted Routing for Efficient Secure Inference — SecureRouter accelerates encrypted AI inference via input-adaptive model selection and MPC-optimized model pools.
• Safety Paradox: How Enhanced Safety Awareness Leaves LLMs Vulnerable to Posterior Attack — LLMs' enhanced safety awareness paradoxically creates a "Posterior Attack" vulnerability, making safer models more exploitable.
• Adversarial Flow Matching for Imperceptible Attacks on End-to-End Autonomous Driving — AFM leverages Flow Matching to create imperceptible, transferable gray-box attacks against Transformer-based autonomous driving systems.
• Pushing the Frontier of Black-Box LVLM Attacks via Fine-Grained Detail Targeting — M-Attack-V2 improves black-box LVLM attacks by denoising gradients and refining local alignment for better transferability.
• Jailbreak Scaling Laws for Large Language Models: Polynomial-Exponential Crossover — Adversarial prompt injection transforms LLM jailbreaking success from polynomial to exponential scaling with inference-time samples.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Computation and Language.