Table of Contents
Fetching ...

IP Leakage Attacks Targeting LLM-Based Multi-Agent Systems

Liwen Wang, Wenxuan Wang, Shuai Wang, Zongjie Li, Zhenlan Ji, Zongyi Lyu, Daoyuan Wu, Shing-Chi Cheung

TL;DR

This paper introduces MasLeak, a two-phase, black-box IP leakage attack against multi-agent systems (MAS) that propagates adversarial queries through agent networks to extract full IP, including system prompts, task instructions, tools, topology, and agent count. The authors formalize the problem, design a worm-inspired offline query generation phase, and a Phase II reconstruction pipeline that aggregates across multiple attempts and applies type-specific reconstruction rules. They validate MasLeak on a large synthetic MAS dataset (810 instances) and real-world platforms (Coze and CrewAI), achieving high extraction quality and outperforming baselines while maintaining practical query budgets. The defense evaluation shows conventional single-agent defenses are largely ineffective against MAS leakage, underscoring the need for MAS-specific security measures and prompting future research into robust, multi-agent defenses.

Abstract

The rapid advancement of Large Language Models (LLMs) has led to the emergence of Multi-Agent Systems (MAS) to perform complex tasks through collaboration. However, the intricate nature of MAS, including their architecture and agent interactions, raises significant concerns regarding intellectual property (IP) protection. In this paper, we introduce MASLEAK, a novel attack framework designed to extract sensitive information from MAS applications. MASLEAK targets a practical, black-box setting, where the adversary has no prior knowledge of the MAS architecture or agent configurations. The adversary can only interact with the MAS through its public API, submitting attack query $q$ and observing outputs from the final agent. Inspired by how computer worms propagate and infect vulnerable network hosts, MASLEAK carefully crafts adversarial query $q$ to elicit, propagate, and retain responses from each MAS agent that reveal a full set of proprietary components, including the number of agents, system topology, system prompts, task instructions, and tool usages. We construct the first synthetic dataset of MAS applications with 810 applications and also evaluate MASLEAK against real-world MAS applications, including Coze and CrewAI. MASLEAK achieves high accuracy in extracting MAS IP, with an average attack success rate of 87% for system prompts and task instructions, and 92% for system architecture in most cases. We conclude by discussing the implications of our findings and the potential defenses.

IP Leakage Attacks Targeting LLM-Based Multi-Agent Systems

TL;DR

This paper introduces MasLeak, a two-phase, black-box IP leakage attack against multi-agent systems (MAS) that propagates adversarial queries through agent networks to extract full IP, including system prompts, task instructions, tools, topology, and agent count. The authors formalize the problem, design a worm-inspired offline query generation phase, and a Phase II reconstruction pipeline that aggregates across multiple attempts and applies type-specific reconstruction rules. They validate MasLeak on a large synthetic MAS dataset (810 instances) and real-world platforms (Coze and CrewAI), achieving high extraction quality and outperforming baselines while maintaining practical query budgets. The defense evaluation shows conventional single-agent defenses are largely ineffective against MAS leakage, underscoring the need for MAS-specific security measures and prompting future research into robust, multi-agent defenses.

Abstract

The rapid advancement of Large Language Models (LLMs) has led to the emergence of Multi-Agent Systems (MAS) to perform complex tasks through collaboration. However, the intricate nature of MAS, including their architecture and agent interactions, raises significant concerns regarding intellectual property (IP) protection. In this paper, we introduce MASLEAK, a novel attack framework designed to extract sensitive information from MAS applications. MASLEAK targets a practical, black-box setting, where the adversary has no prior knowledge of the MAS architecture or agent configurations. The adversary can only interact with the MAS through its public API, submitting attack query and observing outputs from the final agent. Inspired by how computer worms propagate and infect vulnerable network hosts, MASLEAK carefully crafts adversarial query to elicit, propagate, and retain responses from each MAS agent that reveal a full set of proprietary components, including the number of agents, system topology, system prompts, task instructions, and tool usages. We construct the first synthetic dataset of MAS applications with 810 applications and also evaluate MASLEAK against real-world MAS applications, including Coze and CrewAI. MASLEAK achieves high accuracy in extracting MAS IP, with an average attack success rate of 87% for system prompts and task instructions, and 92% for system architecture in most cases. We conclude by discussing the implications of our findings and the potential defenses.
Paper Structure (26 sections, 5 equations, 7 figures, 15 tables, 2 algorithms)

This paper contains 26 sections, 5 equations, 7 figures, 15 tables, 2 algorithms.

Figures (7)

  • Figure 1: Illustration of MAS applications.
  • Figure 2: Illustration of varying MAS topologies.
  • Figure 3: Overview of MasLeak in a two-phase pipeline.
  • Figure 4: Measuring diversity of the generated MAS instances.
  • Figure 5: Result under different agent numbers.
  • ...and 2 more figures