Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

MCP-Guard: A Defense Framework for Model Context Protocol Integrity in Large Language Model Applications

Wenpeng Xing, Zhonghao Qi, Yupeng Qin, Yilin Li, Caini Chang, Jiahui Yu, Changting Lin, Zhenzhen Xie, Meng Han

TL;DR

MCP-Guard addresses security vulnerabilities in LLM-driven tool ecosystems by introducing a three-stage defense pipeline (pattern-based Stage 1, neural Stage 2 with E5 embeddings, and LLM-based Stage 3 arbitration) to secure Model Context Protocol interactions. It pairs this architecture with MCP-AttackBench, a large-scale benchmark (~70k samples) simulating real-world MCP attacks for training and evaluation. Experimental results show the full pipeline achieving ~89.63% accuracy and ~89.07% F1 with sub-second to sub-second-plus latency, representing a substantial improvement over standalone detectors and existing baselines. The work also advocates practical deployment features such as hot-updatable detectors and registry-free operation, and provides a publicly available benchmark to advance reproducible MCP-security research in real-world settings.

Abstract

The integration of Large Language Models (LLMs) with external tools via protocols such as the Model Context Protocol (MCP) introduces critical security vulnerabilities, including prompt injection, data exfiltration, and other threats. To counter these challenges, we propose MCP-Guard, a robust, layered defense architecture designed for LLM--tool interactions. MCP-Guard employs a three-stage detection pipeline that balances efficiency with accuracy: it progresses from lightweight static scanning for overt threats and a deep neural detector for semantic attacks, to our fine-tuned E5-based model achieves (96.01) accuracy in identifying adversarial prompts. Finally, a lightweight LLM arbitrator synthesizes these signals to deliver the final decision while minimizing false positives. To facilitate rigorous training and evaluation, we also introduce MCP-AttackBench, a comprehensive benchmark of over 70,000 samples. Sourced from public datasets and augmented by GPT-4, MCP-AttackBench simulates diverse, real-world attack vectors in the MCP format, providing a foundation for future research into securing LLM-tool ecosystems.

MCP-Guard: A Defense Framework for Model Context Protocol Integrity in Large Language Model Applications

TL;DR

MCP-Guard addresses security vulnerabilities in LLM-driven tool ecosystems by introducing a three-stage defense pipeline (pattern-based Stage 1, neural Stage 2 with E5 embeddings, and LLM-based Stage 3 arbitration) to secure Model Context Protocol interactions. It pairs this architecture with MCP-AttackBench, a large-scale benchmark (~70k samples) simulating real-world MCP attacks for training and evaluation. Experimental results show the full pipeline achieving ~89.63% accuracy and ~89.07% F1 with sub-second to sub-second-plus latency, representing a substantial improvement over standalone detectors and existing baselines. The work also advocates practical deployment features such as hot-updatable detectors and registry-free operation, and provides a publicly available benchmark to advance reproducible MCP-security research in real-world settings.

Abstract

The integration of Large Language Models (LLMs) with external tools via protocols such as the Model Context Protocol (MCP) introduces critical security vulnerabilities, including prompt injection, data exfiltration, and other threats. To counter these challenges, we propose MCP-Guard, a robust, layered defense architecture designed for LLM--tool interactions. MCP-Guard employs a three-stage detection pipeline that balances efficiency with accuracy: it progresses from lightweight static scanning for overt threats and a deep neural detector for semantic attacks, to our fine-tuned E5-based model achieves (96.01) accuracy in identifying adversarial prompts. Finally, a lightweight LLM arbitrator synthesizes these signals to deliver the final decision while minimizing false positives. To facilitate rigorous training and evaluation, we also introduce MCP-AttackBench, a comprehensive benchmark of over 70,000 samples. Sourced from public datasets and augmented by GPT-4, MCP-AttackBench simulates diverse, real-world attack vectors in the MCP format, providing a foundation for future research into securing LLM-tool ecosystems.

Paper Structure

This paper contains 27 sections, 1 equation, 2 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Vulnerability Analysis
  4. Specific Attack Vectors
  5. Zero-Trust Architectures for MCP
  6. Deployment Frameworks with Gateways
  7. MCP-Guard
  8. Stage 1: Lightweight Static Scanning by Pattern-based Detectors
  9. Stage 2: Deep Neural Detection
  10. Stage 3: Intelligent Arbitration
  11. Extra: Remote Signature Detector
  12. MCP-AttackBench
  13. Quality control.
  14. Experiment
  15. Experimental Setup
  16. ...and 12 more sections

Figures (2)

  • Figure 1: Overview of the MCP-Guard pipeline architecture, illustrating the three-stage defense mechanism for securing MCP interactions. The pipeline integrates a Light-Weight Static Scanning Detector, MCP-Guard Learnable Detector with E5 text embedding and fine-tuned for deep neural detection, and LLM Arbitration.
  • Figure 9: Processing pipeline of the MCP-Guard Learnable Detector and Intelligent Arbitration.