Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Tipping the Dominos: Topology-Aware Multi-Hop Attacks on LLM-Based Multi-Agent Systems

Ruichao Liang, Le Yin, Jing Chen, Cong Wu, Xiaoyu Zhang, Huangpeng Gu, Zijian Zhang, Yang Liu

TL;DR

This work reveals topology-driven vulnerabilities in LLM-based MASs by introducing TOMA, a topology-aware multi-hop attack that propagates adversarial contamination from edge agents to core controllers without privileged access. It integrates an adversarial contamination propagation model (ACPM), hierarchical payload encapsulation (HPES), and environment-injection techniques to optimize attack paths across dynamic topologies. A conceptual defense, T-Guard, leveraging cross-modal validation, topology trust, adaptive policies, and access control, demonstrates robust mitigation with ~94.8% blocking and manageable overhead in prototype tests. The findings emphasize the importance of topology-aware defenses and offer practical design directions for strengthening MAS security in real-world deployments.

Abstract

LLM-based multi-agent systems (MASs) have reshaped the digital landscape with their emergent coordination and problem-solving capabilities. However, current security evaluations of MASs are still confined to limited attack scenarios, leaving their security issues unclear and likely underestimated. To fill this gap, we propose TOMA, a topology-aware multi-hop attack scheme targeting MASs. By optimizing the propagation of contamination within the MAS topology and controlling the multi-hop diffusion of adversarial payloads originating from the environment, TOMA unveils new and effective attack vectors without requiring privileged access or direct agent manipulation. Experiments demonstrate attack success rates ranging from 40% to 78% across three state-of-the-art MAS architectures: \textsc{Magentic-One}, \textsc{LangManus}, and \textsc{OWL}, and five representative topologies, revealing intrinsic MAS vulnerabilities that may be overlooked by existing research. Inspired by these findings, we propose a conceptual defense framework based on topology trust, and prototype experiments show its effectiveness in blocking 94.8% of adaptive and composite attacks.

Tipping the Dominos: Topology-Aware Multi-Hop Attacks on LLM-Based Multi-Agent Systems

TL;DR

This work reveals topology-driven vulnerabilities in LLM-based MASs by introducing TOMA, a topology-aware multi-hop attack that propagates adversarial contamination from edge agents to core controllers without privileged access. It integrates an adversarial contamination propagation model (ACPM), hierarchical payload encapsulation (HPES), and environment-injection techniques to optimize attack paths across dynamic topologies. A conceptual defense, T-Guard, leveraging cross-modal validation, topology trust, adaptive policies, and access control, demonstrates robust mitigation with ~94.8% blocking and manageable overhead in prototype tests. The findings emphasize the importance of topology-aware defenses and offer practical design directions for strengthening MAS security in real-world deployments.

Abstract

LLM-based multi-agent systems (MASs) have reshaped the digital landscape with their emergent coordination and problem-solving capabilities. However, current security evaluations of MASs are still confined to limited attack scenarios, leaving their security issues unclear and likely underestimated. To fill this gap, we propose TOMA, a topology-aware multi-hop attack scheme targeting MASs. By optimizing the propagation of contamination within the MAS topology and controlling the multi-hop diffusion of adversarial payloads originating from the environment, TOMA unveils new and effective attack vectors without requiring privileged access or direct agent manipulation. Experiments demonstrate attack success rates ranging from 40% to 78% across three state-of-the-art MAS architectures: \textsc{Magentic-One}, \textsc{LangManus}, and \textsc{OWL}, and five representative topologies, revealing intrinsic MAS vulnerabilities that may be overlooked by existing research. Inspired by these findings, we propose a conceptual defense framework based on topology trust, and prototype experiments show its effectiveness in blocking 94.8% of adaptive and composite attacks.

Paper Structure

This paper contains 23 sections, 19 equations, 9 figures, 10 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Multi-Agent System (MAS)
  4. MAS Topology
  5. MAS Security
  6. Motivation and Preliminaries
  7. Threat Model
  8. Topology-Aware Multi-Hop Attack
  9. Overview of Attack Scheme
  10. Adaptive Attack Path Planning
  11. Hierarchical Payload Encapsulation
  12. Environment Injection
  13. Design of T-Guard
  14. Evaluation
  15. Evaluation Setups
  16. ...and 8 more sections

Figures (9)

  • Figure 1: Attack attempts on LangManus.
  • Figure 2: Overview of the topology-guided attack pipeline on LangManus.
  • Figure 3: Framework of Topology-Aware Multi-Hop Attack.
  • Figure 4: Illustration of adversarial contamination propagation model with $p=1.4, \delta = 0.9$. $V_i$ denotes agent nodes; arrows indicate task or information dependencies. $V_1$ and $V_{10}$ represent the attacker’s entry and target. Yellow nodes are newly infected, red arrows show propagation direction, and node labels indicate infection values per round.
  • Figure 5: Payload construction for guiding WebSurfer to the Executor for malicious task execution.
  • ...and 4 more figures