LaSM: Layer-wise Scaling Mechanism for Defending Pop-up Attack on GUI Agents
arXiv:2507.10610v2 Announce Type: replace
Abstract: Graphical user interface (GUI) agents built on multimodal large language models (MLLMs) have recently demonstrated strong decision-making abilities in screen-based interaction tasks. However, they remain highly vulnerable to pop-up-based environmental injection attacks, where malicious visual elements divert model attention and lead to unsafe or incorrect actions. Existing defense methods either require costly retraining or perform poorly under inductive interference. In this work, we systematically study how such attacks alter the attention behavior of GUI agents and uncover a layer-wise attention divergence pattern between correct and incorrect outputs. Based on this insight, we propose LaSM, a Layer-wise Scaling Mechanism that selectively amplifies attention and MLP modules in critical layers. LaSM improves the alignment between model saliency and task-relevant regions without additional training. Extensive experiments across multiple datasets demonstrate that our method significantly improves the defense success rate and exhibits strong robustness, while having negligible impact on the model's general capabilities. Our findings reveal that attention misalignment is a core vulnerability in MLLM agents and can be effectively addressed through selective layer-wise modulation. Our code can be found in this https URL.
Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI)
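The abstract describes the defense only at the level of "amplify attention and MLP modules in critical layers" and "alignment between model saliency and task-relevant regions". The pure-Python sketch below is an added illustration of those two ideas on constructed data; it is not the authors' code or their released implementation. Part (a) computes, per layer, how much of the instruction token's attention mass falls on a task-region mask and the correct-versus-incorrect divergence of that quantity; part (b) applies per-layer (attn_scale, mlp_scale) multipliers to the residual contributions of a toy transformer stack at inference time, with no training. Everything beyond the abstract is an assumption: the toy model (one head, identity Q/K/V projections, parallel attention and MLP branches, only the query stream updated), the top-k-by-divergence rule for choosing critical layers, the 1.5 scale factor, and every sample number.

```python
"""Toy sketch of (a) per-layer saliency-alignment diagnostics and (b) an
inference-time, layer-wise scale on attention/MLP residual contributions.
Pure Python on constructed data; not the LaSM authors' code."""
import math

# ---------- (a) diagnostics: per-layer saliency alignment and divergence ----------

def layer_alignment(weights, task_mask):
    """Fraction of the query token's attention mass (over screen patches) that
    lands on task-relevant patches. weights[j] is attention to patch j;
    task_mask[j] is True for patches inside the task-relevant region."""
    total = sum(weights)
    if total <= 0:
        raise ValueError("attention weights must carry positive mass")
    return sum(w for w, on_task in zip(weights, task_mask) if on_task) / total


def mean(xs):
    return sum(xs) / len(xs)


def layerwise_divergence(correct_runs, incorrect_runs, task_mask):
    """Each run is a list holding one attention-weight vector per layer.
    Returns, per layer, mean alignment of correct runs minus mean alignment of
    incorrect runs: large values flag layers whose attention separates the two
    outcomes."""
    n_layers = len(correct_runs[0])
    divergence = []
    for layer in range(n_layers):
        good = mean([layer_alignment(run[layer], task_mask) for run in correct_runs])
        bad = mean([layer_alignment(run[layer], task_mask) for run in incorrect_runs])
        divergence.append(good - bad)
    return divergence


def select_critical_layers(divergence, top_k):
    """Simplifying assumption used here (not the paper's rule): the top-k layers
    by divergence are the 'critical' layers to modulate."""
    ranked = sorted(range(len(divergence)), key=lambda l: divergence[l], reverse=True)
    return sorted(ranked[:top_k])


# ---------- (b) inference-time layer-wise scaling on a toy residual stack ----------

def softmax(xs):
    top = max(xs)
    exps = [math.exp(x - top) for x in xs]
    norm = sum(exps)
    return [e / norm for e in exps]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def attention(h, query_idx):
    """One head with identity Q/K/V projections (toy assumption): the query
    token attends over every token. Returns (context vector, weights)."""
    q = h[query_idx]
    scale = math.sqrt(len(q))
    weights = softmax([dot(q, k) / scale for k in h])
    context = [sum(weights[j] * h[j][d] for j in range(len(h))) for d in range(len(q))]
    return context, weights


def mlp(x):
    """Toy feed-forward branch."""
    return [math.tanh(2.0 * v) for v in x]


def forward(tokens, n_layers, scales=None):
    """Residual stack with parallel attention and MLP branches. The last token is
    the instruction/query token and is the only stream updated (enough to show
    the hook). scales maps layer index -> (attn_scale, mlp_scale); layers not
    listed use (1.0, 1.0), i.e. the unmodified model. Returns the final query
    representation and the per-layer attention weights over the screen patches."""
    scales = scales or {}
    h = [list(t) for t in tokens]
    query_idx = len(h) - 1
    patch_maps = []
    for layer in range(n_layers):
        s_attn, s_mlp = scales.get(layer, (1.0, 1.0))
        context, weights = attention(h, query_idx)
        patch_maps.append(weights[:query_idx])  # attention over patches only
        ffn = mlp(h[query_idx])
        h[query_idx] = [h[query_idx][d] + s_attn * context[d] + s_mlp * ffn[d]
                        for d in range(len(context))]
    return h[query_idx], patch_maps


if __name__ == "__main__":
    # Constructed data: four screen patches, the first two inside the task region;
    # each run lists the query token's patch attention for three layers.
    TASK_MASK = [True, True, False, False]
    CORRECT = [[[0.4, 0.4, 0.1, 0.1], [0.5, 0.3, 0.1, 0.1], [0.45, 0.45, 0.05, 0.05]],
               [[0.3, 0.5, 0.1, 0.1], [0.4, 0.4, 0.1, 0.1], [0.5, 0.4, 0.05, 0.05]]]
    INCORRECT = [[[0.35, 0.35, 0.15, 0.15], [0.2, 0.2, 0.3, 0.3], [0.1, 0.1, 0.4, 0.4]],
                 [[0.3, 0.3, 0.2, 0.2], [0.25, 0.15, 0.3, 0.3], [0.05, 0.15, 0.4, 0.4]]]
    div = layerwise_divergence(CORRECT, INCORRECT, TASK_MASK)
    critical = select_critical_layers(div, top_k=2)
    print("per-layer divergence:", [round(d, 3) for d in div], "critical layers:", critical)

    # Constructed toy embeddings: four patches (the last two high-norm, pop-up-like)
    # plus the query token; the 1.5 scale factor is an arbitrary demo value.
    TOKENS = [[1.0, 0.0], [0.0, 1.0], [2.0, 2.0], [1.5, 1.5], [0.5, 0.5]]
    scales = {layer: (1.5, 1.5) for layer in critical}
    for label, cfg in (("baseline", None), ("scaled", scales)):
        _, maps = forward(TOKENS, n_layers=3, scales=cfg)
        print(label, [round(layer_alignment(m, TASK_MASK), 3) for m in maps])
```

On a real MLLM the same scaling would be applied by registering forward hooks (for example PyTorch module hooks) on the attention and MLP submodules of the chosen decoder layers and multiplying their outputs before they are added back to the residual stream; the toy folds that hook into the forward loop so the effect of the multiplier is visible without a framework.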
Cite as: arXiv:2507.10610 [cs.CR]
(or arXiv:2507.10610v2 [cs.CR] for this version)
https://doi.org/10.48550/arXiv.2507.10610
arXiv-issued DOI via DataCite
Submission history
From: Zihe Yan
[v1] Sun, 13 Jul 2025 08:36:09 UTC (3,121 KB)
[v2] Tue, 31 Mar 2026 08:10:46 UTC (19,066 KB)