IP Leakage Attacks Targeting LLM-Based Multi-Agent Systems
Liwen Wang, Wenxuan Wang, Shuai Wang, Zongjie Li, Zhenlan Ji, Zongyi Lyu, Daoyuan Wu, Shing-Chi Cheung
TL;DR
This paper introduces MasLeak, a two-phase, black-box IP leakage attack against multi-agent systems (MAS) that propagates adversarial queries through agent networks to extract full IP, including system prompts, task instructions, tools, topology, and agent count. The authors formalize the problem, design a worm-inspired offline query generation phase, and a Phase II reconstruction pipeline that aggregates across multiple attempts and applies type-specific reconstruction rules. They validate MasLeak on a large synthetic MAS dataset (810 instances) and real-world platforms (Coze and CrewAI), achieving high extraction quality and outperforming baselines while maintaining practical query budgets. The defense evaluation shows conventional single-agent defenses are largely ineffective against MAS leakage, underscoring the need for MAS-specific security measures and prompting future research into robust, multi-agent defenses.
Abstract
The rapid advancement of Large Language Models (LLMs) has led to the emergence of Multi-Agent Systems (MAS) to perform complex tasks through collaboration. However, the intricate nature of MAS, including their architecture and agent interactions, raises significant concerns regarding intellectual property (IP) protection. In this paper, we introduce MASLEAK, a novel attack framework designed to extract sensitive information from MAS applications. MASLEAK targets a practical, black-box setting, where the adversary has no prior knowledge of the MAS architecture or agent configurations. The adversary can only interact with the MAS through its public API, submitting attack query $q$ and observing outputs from the final agent. Inspired by how computer worms propagate and infect vulnerable network hosts, MASLEAK carefully crafts adversarial query $q$ to elicit, propagate, and retain responses from each MAS agent that reveal a full set of proprietary components, including the number of agents, system topology, system prompts, task instructions, and tool usages. We construct the first synthetic dataset of MAS applications with 810 applications and also evaluate MASLEAK against real-world MAS applications, including Coze and CrewAI. MASLEAK achieves high accuracy in extracting MAS IP, with an average attack success rate of 87% for system prompts and task instructions, and 92% for system architecture in most cases. We conclude by discussing the implications of our findings and the potential defenses.
