UNSEEN: A Cross-Stack LLM Unlearning Defense Solution Against AR-LLM Social Engineering Attacks

This article introduces the UNSEEN framework, a coordinated cross-stack defense system that effectively defends against AR-LLM-based social engineering attacks through an AR access control layer, the F-RMU LLM unlearning mechanism, and runtime agent guardrails.

Tags: LLM security, AR-LLM attacks, model unlearning, social engineering defense, cross-stack security, privacy protection
Published 2026-04-25 12:49 | Recent activity 2026-04-28 10:53 | Estimated read 6 min

Section 01

[Main Floor] UNSEEN: An Innovative Cross-Stack Defense Solution Against AR-LLM Social Engineering Attacks

This article proposes the UNSEEN (Cross-Stack LLM Unlearning Defense) framework, a coordinated cross-stack defense system that integrates an AR access control layer, the F-RMU LLM unlearning mechanism, and runtime agent guardrails to effectively defend against AR-LLM-based social engineering attacks (SEAR). This framework addresses the limitations of traditional defense methods in the AR-LLM integrated ecosystem and provides a reference paradigm for the security protection of multimodal AI systems.


Section 02

Background: The Rise of AR-LLM Social Engineering Attacks and Defense Dilemmas

With the deep integration of AR devices and LLMs, a new security threat has emerged: AR-LLM social engineering attacks (SEAR). The attack chain runs as follows: AR glasses capture the target's face and voice, an LLM identifies the person and generates a social profile, and an agent automatically applies social engineering strategies to steer the conversation and carry out phishing. Traditional defenses (such as role-based access control and data flow tracking) face three major obstacles in this setting: embedded AR devices have limited resources, so complex mechanisms are hard to deploy on-device; the opacity of LLM reasoning makes fine-grained access control hard to enforce at the model layer; and the dynamic behavior of adaptive interactive agents is hard to constrain at the application layer.


Section 03

Core of the UNSEEN Framework: Three-Layer Cross-Stack Defense Mechanism

The UNSEEN framework consists of a three-layer defense architecture:

  1. AR Access Control Layer (AR ACL): implements an identity-based perception gating mechanism that verifies the target's identity and decides, according to privacy policy, whether capture is allowed at all, blocking the first link of the attack chain at the source;
  2. F-RMU LLM Unlearning Mechanism: performs fine-grained, targeted "unlearning" of sensitive user profile information, going beyond traditional coarse-grained unlearning, so that even if an attacker obtains partial data, a complete profile cannot be extracted from the model;
  3. Runtime Agent Guardrails: dynamic behavior monitoring and constraints that analyze the agent's conversation strategy in real time and intervene immediately to block malicious interactions when attack patterns are detected.
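To make the gating logic of layers 1 and 3 concrete, here is an added Python sketch; it is not code from the UNSEEN paper, and this page does not describe the paper's actual policy format, identity pipeline, or guardrail detector. The consent schema, identity labels, purposes, social-engineering cue patterns, and thresholds are all assumptions chosen for the illustration. Layer 2 (F-RMU unlearning) operates on model weights and is not sketched here.

```python
"""Cross-stack gating sketch: a default-deny perception-gating ACL for AR
capture, and a runtime guardrail over agent turns.  Added illustration, not
the UNSEEN implementation; policy schema, cue patterns and thresholds are
assumptions made for this example."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


# ---- Layer 1: AR access control layer (perception gating) -----------------
# Default deny: a recognised face/voice is released to the LLM only if that
# identity has consented to the declared purpose.  Unknown identities are
# never profiled, which blocks the first link of the SEAR chain at the source.
@dataclass
class CapturePolicy:
    consents: Dict[str, Set[str]]  # identity -> purposes consented to (assumed schema)

    def allow_capture(self, identity: Optional[str], purpose: str) -> bool:
        if identity is None:
            return False
        return purpose in self.consents.get(identity, set())


# ---- Layer 3: runtime agent guardrail -------------------------------------
# Each outgoing agent turn is scored against social-engineering cues.  A turn
# is blocked when enough cues co-occur, and the session is terminated when
# distinct cues accumulate across turns even if no single turn trips the bar.
SE_CUES = {  # illustrative patterns, not a production detector
    "urgency":    re.compile(r"\b(urgent|immediately|right now|within the hour)\b", re.I),
    "authority":  re.compile(r"\b(it department|your manager|compliance)\b", re.I),
    "credential": re.compile(r"\b(password|one-time code|verification code|mfa)\b", re.I),
    "link":       re.compile(r"https?://\S+", re.I),
    "profile":    re.compile(r"\byour (dog|daughter|son|colleague|hometown)\b", re.I),
}


@dataclass
class Verdict:
    blocked: bool
    cues: List[str] = field(default_factory=list)


def score_turn(text: str, turn_threshold: int = 2) -> Verdict:
    cues = [name for name, pat in SE_CUES.items() if pat.search(text)]
    return Verdict(blocked=len(cues) >= turn_threshold, cues=cues)


class RuntimeGuardrail:
    def __init__(self, turn_threshold: int = 2, session_threshold: int = 3):
        self.turn_threshold = turn_threshold
        self.session_threshold = session_threshold
        self.seen: Set[str] = set()   # distinct cues observed this session
        self.terminated = False

    def check(self, text: str) -> Verdict:
        if self.terminated:
            return Verdict(blocked=True, cues=["session_terminated"])
        v = score_turn(text, self.turn_threshold)
        self.seen.update(v.cues)
        if len(self.seen) >= self.session_threshold:
            self.terminated = True
            v = Verdict(blocked=True, cues=v.cues + ["session_terminated"])
        return v


def run_pipeline(policy: CapturePolicy, identity: Optional[str], purpose: str,
                 agent_turns: List[str]) -> Tuple[bool, List[str]]:
    """Returns (captured, delivered_turns).  If the ACL denies capture, the
    agent never receives a profile and no turns are delivered at all."""
    if not policy.allow_capture(identity, purpose):
        return False, []
    guard = RuntimeGuardrail()
    delivered: List[str] = []
    for turn in agent_turns:
        if guard.check(turn).blocked:
            break
        delivered.append(turn)
    return True, delivered


# Constructed sample data (not from the paper's user study).
POLICY = CapturePolicy(consents={"alice": {"accessibility"}})
TURNS = [
    "Hi! Great to meet you at the conference.",                                     # benign
    "How is your dog doing after the move?",                                        # profile cue only
    "This is urgent, the IT department needs your verification code right now.",   # three cues
]

if __name__ == "__main__":
    print(run_pipeline(POLICY, None, "accessibility", TURNS))     # (False, [])
    print(run_pipeline(POLICY, "alice", "accessibility", TURNS))  # (True, first two turns)
```

The two layers fail closed independently: an unrecognised face yields no profile regardless of what the agent would say, and an agent that has a profile still loses the session once its strategy looks like a pretext. A real deployment would replace the regex cues with a trained classifier and would log the blocked turn for incident review rather than silently dropping it.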

Section 04

Technical Implementation: Design Balancing Defense Effectiveness and User Experience

The implementation of UNSEEN is tailored to the constraints of the AR-LLM stack: the device-side AR ACL is lightweight enough to run on the glasses without degrading the user experience; the model-layer F-RMU uses an efficient parameter update strategy so that unlearning remains effective while computational overhead stays low; and the application-layer agent guardrails respond dynamically to complex attack scenarios through behavior pattern recognition and policy intervention.


Section 05

Evaluation Evidence: Large-Scale User Study Validates Defense Effectiveness

The research team conducted a large-scale user study under an IRB-approved protocol: 60 participants and 360 annotated dialogues covering a range of realistic social interaction scenarios. The evaluation results show that UNSEEN achieves a good balance between defense effectiveness and user experience.


Section 06

Research Significance: The Shift to Cross-Stack Defense in LLM Security Research

UNSEEN marks an important shift in LLM security research from single-model protection to cross-stack system defense. It not only addresses specific security challenges in AR-LLM integration scenarios but also provides a reference paradigm for the security protection of future multimodal AI systems.


Section 07

Outlook and Recommendations: Scalable Design to Address Future Threats

As AR devices and LLM technologies evolve, attack methods will evolve with them. The modular design of UNSEEN scales well and can be adapted to new threats. The research calls on the industry to prioritize privacy protection and security design in AR-LLM product development and to build defense mechanisms into the system architecture rather than bolting them on afterwards.