MASTER: Multi-Agent Security Through Exploration of Roles and Topological Structures -- A Comprehensive Framework
Yifan Zhu, Chao Zhang, Xin Shi, Xueqiao Zhang, Yi Yang, Yawei Luo
TL;DR
This work tackles security risks in LLM-based multi-agent systems by introducing MASTER, a comprehensive framework that (i) automatically constructs MAS instances with diverse role configurations and topologies, (ii) employs an information-flow interaction paradigm, (iii) devises a scenario-adaptive, topology-aware attack strategy with probing, trait injection, and activation stages, and (iv) offers defense mechanisms including prompt leakage detection, hierarchical monitoring, and scenario-aware preemptive defenses. Empirical results show that role and topology information significantly amplifies attack effectiveness across multiple models and domains, while the proposed defenses reduce the Attack Success Rate (ASR) to below 20% and mitigate adversarial role consistency and harmful teamwork. The paper provides a robust, scalable foundation for future MAS security research, enabling safer, more resilient collaborative intelligent systems. The framework also highlights domain- and topology-dependent vulnerabilities, underscoring the need for topology-aware and role-aware security practices in real-world MAS deployments.
Abstract
Large Language Model (LLM)-based Multi-Agent Systems (MAS) exhibit remarkable problem-solving and task-planning capabilities across diverse domains due to their specialized agentic roles and collaborative interactions. However, this also amplifies the severity of security risks under MAS attacks. To address this, we introduce MASTER, a novel security research framework for MAS, focusing on diverse Role configurations and Topological structures across various scenarios. MASTER offers an automated construction process for different MAS setups and an information-flow-based interaction paradigm. To tackle MAS security challenges in varied scenarios, we design a scenario-adaptive, extensible attack strategy utilizing role and topological information, which dynamically allocates targeted, domain-specific attack tasks for collaborative agent execution. Our experiments demonstrate that such an attack, leveraging role and topological information, exhibits significant destructive potential across most models. Additionally, we propose corresponding defense strategies, substantially enhancing MAS resilience across diverse scenarios. We anticipate that our framework and findings will provide valuable insights for future research into MAS security challenges.
