Life-Cycle Routing Vulnerabilities of LLM Router
Lin, Qiqi, Ji, Xiaoyang, Zhai, Shengfang, Shen, Qingni, Zhang, Zhi, Fang, Yuejian, Gao, Yansong
arXiv.org Artificial Intelligence
Large language models (LLMs) have achieved remarkable success in natural language processing, yet their performance and computational costs vary significantly. LLM routers play a crucial role in dynamically balancing these trade-offs. While previous studies have primarily focused on routing efficiency, security vulnerabilities throughout the entire LLM router life cycle, from training to inference, remain largely unexplored. In this paper, we present a comprehensive investigation into the life-cycle routing vulnerabilities of LLM routers. We evaluate both white-box and black-box adversarial robustness, as well as backdoor robustness, across several representative routing models under extensive experimental settings. Our experiments uncover several key findings: 1) Mainstream DNN-based routers tend to exhibit the weakest adversarial and backdoor robustness, largely because the same strong feature extraction capabilities that make them accurate also amplify vulnerabilities during both training and inference; 2) Training-free routers demonstrate the strongest robustness across different attack types, benefiting from the absence of learnable parameters that can be manipulated. These findings highlight critical security risks spanning the entire life cycle of LLM routers and provide insights for developing more robust models.

In recent years, large language models (LLMs) such as GPT-3.5 (Brown et al., 2020), GPT-4 (Achiam et al., 2023), and PaLM 2 (Anil et al., 2023) have achieved significant progress in natural language processing tasks, finding widespread application in open-domain dialogue, question answering, code generation, and other tasks (Gu, 2023; Zhuang et al., 2023; Ghosh et al., 2024). However, different LLMs vary in training data, model size, and computational cost, leading to differences in their strengths, weaknesses, and overall capabilities. Generally, larger models tend to exhibit stronger performance but come with higher inference costs, whereas smaller models are more computationally efficient but have limited capability in handling complex tasks. LLM routing (Ding et al., 2024; Ong et al., 2024; Hu et al., 2024) is a state-of-the-art optimization strategy designed to mitigate this trade-off and achieve a balance between response quality and computational cost.
Mar-9-2025