A Survey of LLM-Driven AI Agent Communication: Protocols, Security Risks, and Defense Countermeasures

Dezhang Kong, Shi Lin, Zhenhua Xu, Zhebo Wang, Minghao Li, Yufeng Li, Yilun Zhang, Hujin Peng, Xiang Chen, Zeyang Sha, Yuyuan Li, Changting Lin, Xun Wang, Xuan Liu, Ningyu Zhang, Chaochao Chen, Chunming Wu, Muhammad Khurram Khan, Meng Han

TL;DR

This survey defines and classifies agent communication for LLM-driven systems, organizing the topic around three classes (User-Agent, Agent-Agent, Agent-Environment) and a three-layer architecture (L1 data transmission, L2 interaction protocol, L3 semantic interpretation). It catalogs 19 protocols, analyzes security risks across all layers, and maps defense countermeasures, supplemented by experimental demonstrations on MCP and A2A. The work highlights process-specific vulnerabilities (e.g., data leakage, prompt injection, tool misuse) and proposes layered, cross-architecture defenses, governance frameworks, and regulatory considerations. By offering a structured framework and practical case studies, it guides secure design and evaluation of future agent ecosystems and tools. The paper also points to open issues and directions for technical innovation, real-time supervision, and cross-border legal frameworks necessary for responsible deployment.

Abstract

In recent years, Large-Language-Model-driven AI agents have exhibited unprecedented intelligence and adaptability. Agents are now undergoing a new round of evolution: they no longer operate as isolated islands, as standalone LLMs did. Instead, they communicate with diverse external entities, such as other agents and tools, to perform complex tasks. Under this trend, agent communication is regarded as a foundational pillar of the next communication era, and within the past year many organizations have begun actively designing related communication protocols (e.g., Anthropic's MCP and Google's A2A). However, this new field exposes significant security hazards that can cause severe damage in real-world scenarios. To help researchers quickly grasp this promising topic and to inform future agent communication development, this paper presents a comprehensive survey of agent communication security. More precisely, we present the first clear definition of agent communication. We then propose a framework that categorizes agent communication into three classes and uses a three-layered communication architecture to illustrate how each class works. Next, for each communication class, we dissect the related communication protocols and analyze their security risks, identifying the communication layer at which each risk arises. We then outline possible defense countermeasures for each risk. In addition, we conduct experiments using MCP and A2A to help readers better understand the novel vulnerabilities introduced by agent communication. Finally, we discuss open issues and future directions in this promising research field. We also publish a repository that maintains a list of related papers at https://github.com/theshi-1128/awesome-agent-communication-security.

Paper Structure

This paper contains 79 sections, 18 figures, 8 tables.

Figures (18)

  • Figure 1: Agents bring significant changes to communication. In traditional communication, users need to manually visit different websites to finish a trip, which is cumbersome. In contrast, with agents, users only need to assign a task to their agent, who will communicate with agents of different companies to automatically finish the travel plan.
  • Figure 2: The organization of this survey.
  • Figure 3: The evolution history of communication.
  • Figure 4: A typical architecture of LLM-driven agents.
  • Figure 5: A complete agent communication process and its classification.
  • ...and 13 more figures