Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Whispering Agents: An Event-driven Covert Communication Protocol For the Internet of Agents

Kaibo Huang, Yukun Wei, Wansheng Wu, Tianhua Zhang, Zhongliang Yang, Linna Zhou

TL;DR

This work introduces and formalizes the Covert Event Channel, the first unified model for agent covert communication driven by three interconnected dimensions, which consist of the Storage, Timing, and Behavioral channels, and design and engineer {\Pi}CCAP, a novel protocol that operationalizes this event-driven paradigm.

Abstract

The emergence of the Internet of Agents (IoA) introduces critical challenges for communication privacy in sensitive, high-stakes domains. While standard Agent-to-Agent (A2A) protocols secure message content, they are not designed to protect the act of communication itself, leaving agents vulnerable to surveillance and traffic analysis. We find that the rich, event-driven nature of agent dialogues provides a powerful, yet untapped, medium for covert communication. To harness this potential, we introduce and formalize the Covert Event Channel, the first unified model for agent covert communication driven by three interconnected dimensions, which consist of the Storage, Timing,and Behavioral channels. Based on this model, we design and engineer ΠCCAP, a novel protocol that operationalizes this event-driven paradigm. Our comprehensive evaluation demonstrates that ΠCCAP achieves high capacity and robustness while remaining imperceptible to powerful LLM-based wardens, establishing its practical viability. By systematically engineering this channel, our work provides the foundational understanding essential for developing the next generation of monitoring systems and defensive protocols for a secure and trustworthy IoA.

Whispering Agents: An Event-driven Covert Communication Protocol For the Internet of Agents

TL;DR

This work introduces and formalizes the Covert Event Channel, the first unified model for agent covert communication driven by three interconnected dimensions, which consist of the Storage, Timing, and Behavioral channels, and design and engineer {\Pi}CCAP, a novel protocol that operationalizes this event-driven paradigm.

Abstract

The emergence of the Internet of Agents (IoA) introduces critical challenges for communication privacy in sensitive, high-stakes domains. While standard Agent-to-Agent (A2A) protocols secure message content, they are not designed to protect the act of communication itself, leaving agents vulnerable to surveillance and traffic analysis. We find that the rich, event-driven nature of agent dialogues provides a powerful, yet untapped, medium for covert communication. To harness this potential, we introduce and formalize the Covert Event Channel, the first unified model for agent covert communication driven by three interconnected dimensions, which consist of the Storage, Timing,and Behavioral channels. Based on this model, we design and engineer ΠCCAP, a novel protocol that operationalizes this event-driven paradigm. Our comprehensive evaluation demonstrates that ΠCCAP achieves high capacity and robustness while remaining imperceptible to powerful LLM-based wardens, establishing its practical viability. By systematically engineering this channel, our work provides the foundational understanding essential for developing the next generation of monitoring systems and defensive protocols for a secure and trustworthy IoA.

Paper Structure

This paper contains 59 sections, 1 theorem, 14 equations, 3 figures, 8 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Steganography
  4. Secret Collusion in AI Agents
  5. Formal Model and Security Definitions
  6. Entities and Environment
  7. Public Environment
  8. Agent Set
  9. State Space
  10. Atomic Event and Covert Channel
  11. Covert Storage Channels.
  12. Covert Timing Channels.
  13. Behavioral Covert Channels.
  14. Trace
  15. Natural Event Distribution
  16. ...and 44 more sections

Key Result

Theorem 1

Any covert communication scheme $\Sigma_E$ that is IND-INT secure is also IND-STAT secure.

Figures (3)

  • Figure 1: Protecting the Message vs. the Act of Messaging. Standard protocols (left) protect message content, but leave the act of messaging visible to surveillance. A covert channel (right) addresses this privacy gap by embedding a secret dialogue within a benign conversation, hiding the communication's very existence.
  • Figure 2: An overview of the $\Pi_{\text{CCAP}}$ protocol. In Phase 1, the agents perform a handshake by establishing a session key via PKI to exchange and activate the channel with a key-dependent timestamp trigger. During Phase 2, the sender iteratively constructs each atomic event by securely generating its components: the payload $a_{\text{data}}$ is embedded using provably secure steganography, $a_{\text{type}}$ a context-aware policy chooses, and the timestamp $t$ is determined by key-based pseudorandomization. Finally, in Phase 3, the receiver filters events by their timestamps, verifies integrity at both the fragment (CS) and message (Hash) levels, and returns an implicit acknowledgment via another timed event to complete the exchange.
  • Figure 3: LLM-as-a-Judge (GPT-4o) results.

Theorems & Definitions (2)

  • Theorem 1
  • proof