Paper Detail

WARD: Adversarially Robust Defense of Web Agents Against Prompt Injections

Tri Cao, Yulin Chen, Hieu Cao, Yibo Li, Khoi Le, Thong Nguyen, Yuexin Li, Yufei He, Yue Liu, Shuicheng Yan, Bryan Hooi

Browse

Workflow Queues

arxiv Score 13.4

Published 2026-05-14 · First seen 2026-05-25

Research Track B · General AI

Open paper source

Abstract

Web agents can autonomously complete online tasks by interacting with websites, but their exposure to open web environments makes them vulnerable to prompt injection attacks embedded in HTML content or visual interfaces. Existing guard models still suffer from limited generalization to unseen domains and attack patterns, high false positive rates on benign content, reduced deployment efficiency due to added latency at each step, and vulnerability to adversarial attacks that evolve over time or directly target the guard itself. To address these limitations, we propose WARD (Web Agent Robust Defense against Prompt Injection), a practical guard model for secure and efficient web agents. WARD is built on WARD-Base, a large-scale dataset with around 177K samples collected from 719 high-traffic URLs and platforms, and WARD-PIG, a dedicated dataset designed for prompt injection attacks targeting the guard model. We further introduce A3T, an adaptive adversarial attack training framework that iteratively strengthens WARD through a memory-based attacker and guard co-evolution process. Extensive experiments show that WARD achieves nearly perfect recall on out-of-distribution benchmarks, maintains low false positive rates to preserve agent utility, remains robust against guard-targeted and adaptive attacks under substantial distribution shifts, and runs efficiently in parallel with the agent without introducing additional latency.

Workflow Status

Review status
pending
Role
unreviewed
Read priority
now
Vote
Not set.
Saved
no
Collections
Not filed yet.
Next action
Not filled yet.

Reading Brief

No structured notes yet. Add `summary_sections`, `why_relevant`, `claim_impact`, or `next_action` in `papers.jsonl` to enrich this view.

Why It Surfaced

No ranking explanation is available yet.

Tags

No tags.

Similar Papers

SnapGuard: Lightweight Prompt Injection Detection for Screenshot-Based Web Agents 2026-04-28 · Score 14.3 Research Track B · General AI The Cognitive Firewall:Securing Browser Based AI Agents Against Indirect Prompt Injection Via Hybrid Edge Cloud Defense 2026-03-24 · Score 10.8 Research Track B · General AI Privacy Practices of Browser Agents 2025-12-08 · Score 9.8 Research Track B · General AI Emergence WebVoyager: Toward Consistent and Transparent Evaluation of (Web) Agents in The Wild 2026-03-30 · Score 12.0 Research Track B · General AI Weasel: Out-of-Domain Generalization for Web Agents via Importance-Diversity Data Selection 2026-05-19 · Score 29.0 Research Track B · General AI

BibTeX

@article{cao2026ward,
  title = {WARD: Adversarially Robust Defense of Web Agents Against Prompt Injections},
  author = {Tri Cao and Yulin Chen and Hieu Cao and Yibo Li and Khoi Le and Thong Nguyen and Yuexin Li and Yufei He and Yue Liu and Shuicheng Yan and Bryan Hooi},
  year = {2026},
  abstract = {Web agents can autonomously complete online tasks by interacting with websites, but their exposure to open web environments makes them vulnerable to prompt injection attacks embedded in HTML content or visual interfaces. Existing guard models still suffer from limited generalization to unseen domains and attack patterns, high false positive rates on benign content, reduced deployment efficiency due to added latency at each step, and vulnerability to adversarial attacks that evolve over time or d},
  url = {https://arxiv.org/abs/2605.15030},
  keywords = {cs.CR, cs.AI},
  eprint = {2605.15030},
  archiveprefix = {arXiv},
}

Metadata

{}