Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Firewalls to Secure Dynamic LLM Agentic Networks

Sahar Abdelnabi, Amr Gomaa, Eugene Bagdasarian, Per Ola Kristensson, Reza Shokri

TL;DR

The paper addresses securing dynamic, multi-turn LLM-based agentic networks where agents interact with users and other agents to achieve long-horizon goals. It introduces a three-layer firewall framework—input, data, and trajectory—whose policies are derived from prior conversations and enforced via a task-specific, quarantined language to prevent prompt injections while maintaining adaptability. Experimental travel-planning scenarios show substantial privacy and security gains (privacy leakage ≈2% vs ~70% in naive settings; calendar-deletion attacks ≈0% vs ~45%), with little to no loss in utility. The work offers a practical blueprint for building secure, autonomous agentic networks and makes its code publicly available for further research and deployment refinement.

Abstract

LLM agents will likely communicate on behalf of users with other entity-representing agents on tasks involving long-horizon plans with interdependent goals. Current work neglects these agentic networks and their challenges. We identify required properties for agent communication: proactivity, adaptability, privacy (sharing only task-necessary information), and security (preserving integrity and utility against selfish entities). After demonstrating communication vulnerabilities, we propose a practical design and protocol inspired by network security principles. Our framework automatically derives task-specific rules from prior conversations to build firewalls. These firewalls construct a closed language that is completely controlled by the developer. They transform any personal data to the allowed degree of permissibility entailed by the task. Both operations are completely quarantined from external attackers, disabling the potential for prompt injections, jailbreaks, or manipulation. By incorporating rules learned from their previous mistakes, agents rewrite their instructions and self-correct during communication. Evaluations on diverse attacks demonstrate our framework significantly reduces privacy and security vulnerabilities while allowing adaptability.

Firewalls to Secure Dynamic LLM Agentic Networks

TL;DR

The paper addresses securing dynamic, multi-turn LLM-based agentic networks where agents interact with users and other agents to achieve long-horizon goals. It introduces a three-layer firewall framework—input, data, and trajectory—whose policies are derived from prior conversations and enforced via a task-specific, quarantined language to prevent prompt injections while maintaining adaptability. Experimental travel-planning scenarios show substantial privacy and security gains (privacy leakage ≈2% vs ~70% in naive settings; calendar-deletion attacks ≈0% vs ~45%), with little to no loss in utility. The work offers a practical blueprint for building secure, autonomous agentic networks and makes its code publicly available for further research and deployment refinement.

Abstract

LLM agents will likely communicate on behalf of users with other entity-representing agents on tasks involving long-horizon plans with interdependent goals. Current work neglects these agentic networks and their challenges. We identify required properties for agent communication: proactivity, adaptability, privacy (sharing only task-necessary information), and security (preserving integrity and utility against selfish entities). After demonstrating communication vulnerabilities, we propose a practical design and protocol inspired by network security principles. Our framework automatically derives task-specific rules from prior conversations to build firewalls. These firewalls construct a closed language that is completely controlled by the developer. They transform any personal data to the allowed degree of permissibility entailed by the task. Both operations are completely quarantined from external attackers, disabling the potential for prompt injections, jailbreaks, or manipulation. By incorporating rules learned from their previous mistakes, agents rewrite their instructions and self-correct during communication. Evaluations on diverse attacks demonstrate our framework significantly reduces privacy and security vulnerabilities while allowing adaptability.

Paper Structure

This paper contains 28 sections, 4 figures, 13 tables.

Table of Contents

  1. Introduction
  2. Preliminaries and Related Work
  3. Problem Setup and Threat Model
  4. Setup
  5. User goal with dependent sub-goals
  6. User environment with entangled contextually private and non-private data
  7. Multi-turn agent-to-agent and agent-to-environment interaction
  8. Dynamic changes that require adaptation
  9. Security and privacy attacks' goals and assumptions
  10. Firewalled Agentic Networks
  11. Input firewall
  12. Data firewall
  13. Trajectory firewall
  14. Experimental Evaluation
  15. LLM judge
  16. ...and 13 more sections

Figures (4)

  • Figure 1: The AI assistant (black) can share data and adapt to requests from external parties (red). We firewall the assistant by 1) sanitizing external inputs to a task-specific structure (input firewall), 2) abstracting user data and tools' outputs (data firewall), and 3) self-correcting sub-optimal actions (trajectory firewall). Firewalls are policies and rules derived from prior conversations.
  • Figure 2: The assistant is given a goal that has multiple objectives, conditions, and constraints. It can access the user's environment to query information or perform actions. The assistant also interacts with a third party that has a database of options to fulfill the goal.
  • Figure 3: A subset of the generated language that is used in the input firewall.
  • Figure 4: Applying the input firewall to the input from the external agent.