T7-AT-012HIGH
Aggregation Attacks
T7 · Output Manipulation & Exfiltration →Risk score200
RatingHigh
Procedures10
Severity
Mechanism
All per-turn and per-session safety mechanisms assume the adversary evaluates each interaction independently. Aggregation attacks violate this by combining fragments across multiple conversations, multiple models, multiple formats, and multiple users into a composite exceeding any individual interaction's threshold. The model cannot know what it has disclosed in other sessions, other conversations, or through other users' interactions.
Detection
- Cross-session topic tracking: identify users returning to the same restricted topic
- Multi-user coordination detection: complementary fragment-extraction patterns across API keys
- Observable signal: cumulative topic coverage across sessions exceeds single-session policy
Mitigation
Persistent disclosure trackingHIGH
Global rate limiting on restricted topicsMEDIUM
Multi-model coordinationLOW
Fragment watermarkingMEDIUM
Chaining
Aggregation is the terminal node for most T7 chains. Consumes T7-AT-002 (Fragmentation), T7-AT-007 (Refinement), T7-AT-008 (Translation), T7-AT-009 (Analogy), T7-AT-003 (Format).
Framework mapping
Open in the technique browser →OWASP LLMLLM02
MITRE ATLASAML.T0024