Aim Intelligence's Empirical Paper on 'Computer-Use AI Agent Security' Officially Accepted at ACL 2025

- Experiments targeting the Claude agent recorded a 41.33% attack success rate… World’s first proof of an AI security vulnerability based on a real environment

Researchers who participated in the study (from left): Aim Intelligence researchers Lee Se-jin (Yonsei University), Kim Ji-an (Yonsei University), Park Ha-eon (Seoul National University), Ashkan Yousefpour (Seoul National University), and CEO Yoo Sang-yoon

AI security specialist Aim Intelligence (CEO Sang-yoon Yoo) announced on the 12th that its paper on 'SUDO (Screen-based Universal Detox2Tox Offense)', an AI attack framework developed by the company, and the related benchmark dataset has been officially accepted to the Industry Track of ACL 2025, the international natural language processing conference.

Aim Intelligence conducted repeated experiments on commercial computer-use AI agents such as GPT Operator, MANUS, Omniparse, and Claude for Computer Use, and proved for the first time in the world that even if the AI initially rejects a dangerous command, it will eventually execute the command if the prompt is adjusted and screen information is utilized.

Even if the AI says “no,” it does as it is told… SUDO, an attack framework based on repeated learning

SUDO carries out attacks in three stages: ▲Detoxify, ▲Instruction Generation, and ▲Toxify. First, it rewrites instructions that the AI would reject into harmless forms to lower the AI's guard. Next, a vision-language model (VLM) writes execution procedures based on screen information. In the final stage, it restores the original malicious purpose to induce the AI to actually perform the dangerous task. The framework continuously improves its attack strategy by analyzing failure responses, and its attack success rate rises as more recent VLMs are used.

The researchers fed 50 “realistic difficulty” scenarios to several commercial AI models, including GPT-4o, Claude 3.7, and Gemini 2.0. The first attack alone succeeded in 24% of cases on average, and with GPT-4.5, which added repeated learning, the success rate soared to 41.33%. This is 41.33 percentage points higher than when the commands were entered directly without any bypass techniques, and about 34 percentage points higher than traditional techniques.

ACL Reviewer “A study that demonstrates the process by which a model understands commands and then executes them”

The ACL 2025 review committee evaluated the paper, saying, “It has shed practical light on the structural security vulnerabilities of current AI systems through repeated experiments based on actual systems rather than theoretical assumptions.” They also said, “The sophisticated attack strategy based on repeated learning reflects the evolution of threats in the real world, and has practicality and technical perfection that meet the standards of the Industry Track.”

Simultaneous release of 'SUDO Dataset', a dataset for AI security evaluation

Along with this paper, Aim Intelligence also released the 'SUDO Dataset', an official benchmark dataset for quantitative evaluation of AI security.

The dataset consists of 50 scenarios in total, covering 4 major categories (system security, social risk, legal risk, and content safety) and 12 detailed items. Each scenario is designed so that its step-by-step execution results can be quantified through checklist-based evaluation items.

The SUDO Dataset does not depend on a specific model or domain, and is designed to serve as a general evaluation system applicable to multimodal AI as a whole. It is expected to contribute to the automation of AI security testing and the establishment of an advanced evaluation system.

CEO Yoo Sang-yoon emphasized, “The era where we could be complacent just because AI says ‘it can’t be done’ is over,” and “Security without behavior-based verification and repeated penetration testing is virtually disarmed.” He continued, “Aim Intelligence is developing a multi-layered security guardrail that can constantly diagnose threats revealed by SUDO and immediately apply them to AI systems,” and “We will expand the scope of cooperation to various industries such as finance, defense, public institutions, manufacturing, healthcare, and smart cities, and preemptively secure safety at the actual service stage.”

Aim Intelligence previously had a paper on 'ELITE (Enhanced Language-Image Toxicity Evaluation)', a vision-language model (VLM) toxicity evaluation system, accepted at ICML (International Conference on Machine Learning) 2025. With this, it is securing a leading position in the field of empirically grounded AI security technology.