Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Explainable and Fine-Grained Safeguarding of LLM Multi-Agent Systems via Bi-Level Graph Anomaly Detection

Junjun Pan, Yixin Liu, Rui Miao, Kaize Ding, Yu Zheng, Quoc Viet Hung Nguyen, Alan Wee-Chung Liew, Shirui Pan

TL;DR

This work tackles the challenge of safeguarding LLM-based multi-agent systems by addressing the limitations of coarse, opaque graph anomaly detectors. It introduces XG-Guard, an unsupervised framework that combines a bi-level agent encoder (sentence- and token-level) with a theme-based anomaly detector and a correlation-guided fusion mechanism to provide both accurate malicious-agent detection and interpretable, token-level explanations. The approach is trained with contrastive learning and demonstrated to outperform existing unsupervised defenses while generalizing across diverse MAS topologies and LLM backbones. The results indicate strong practical potential for robust, explainable MAS safeguarding in safety-critical settings.

Abstract

Large language model (LLM)-based multi-agent systems (MAS) have shown strong capabilities in solving complex tasks. As MAS become increasingly autonomous in various safety-critical tasks, detecting malicious agents has become a critical security concern. Although existing graph anomaly detection (GAD)-based defenses can identify anomalous agents, they mainly rely on coarse sentence-level information and overlook fine-grained lexical cues, leading to suboptimal performance. Moreover, the lack of interpretability in these methods limits their reliability and real-world applicability. To address these limitations, we propose XG-Guard, an explainable and fine-grained safeguarding framework for detecting malicious agents in MAS. To incorporate both coarse and fine-grained textual information for anomalous agent identification, we utilize a bi-level agent encoder to jointly model the sentence- and token-level representations of each agent. A theme-based anomaly detector further captures the evolving discussion focus in MAS dialogues, while a bi-level score fusion mechanism quantifies token-level contributions for explanation. Extensive experiments across diverse MAS topologies and attack scenarios demonstrate robust detection performance and strong interpretability of XG-Guard.

Explainable and Fine-Grained Safeguarding of LLM Multi-Agent Systems via Bi-Level Graph Anomaly Detection

TL;DR

This work tackles the challenge of safeguarding LLM-based multi-agent systems by addressing the limitations of coarse, opaque graph anomaly detectors. It introduces XG-Guard, an unsupervised framework that combines a bi-level agent encoder (sentence- and token-level) with a theme-based anomaly detector and a correlation-guided fusion mechanism to provide both accurate malicious-agent detection and interpretable, token-level explanations. The approach is trained with contrastive learning and demonstrated to outperform existing unsupervised defenses while generalizing across diverse MAS topologies and LLM backbones. The results indicate strong practical potential for robust, explainable MAS safeguarding in safety-critical settings.

Abstract

Large language model (LLM)-based multi-agent systems (MAS) have shown strong capabilities in solving complex tasks. As MAS become increasingly autonomous in various safety-critical tasks, detecting malicious agents has become a critical security concern. Although existing graph anomaly detection (GAD)-based defenses can identify anomalous agents, they mainly rely on coarse sentence-level information and overlook fine-grained lexical cues, leading to suboptimal performance. Moreover, the lack of interpretability in these methods limits their reliability and real-world applicability. To address these limitations, we propose XG-Guard, an explainable and fine-grained safeguarding framework for detecting malicious agents in MAS. To incorporate both coarse and fine-grained textual information for anomalous agent identification, we utilize a bi-level agent encoder to jointly model the sentence- and token-level representations of each agent. A theme-based anomaly detector further captures the evolving discussion focus in MAS dialogues, while a bi-level score fusion mechanism quantifies token-level contributions for explanation. Extensive experiments across diverse MAS topologies and attack scenarios demonstrate robust detection performance and strong interpretability of XG-Guard.

Paper Structure

This paper contains 32 sections, 12 equations, 5 figures, 3 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Multi-Agent System MAS as graph
  4. Unsupervised MAS Defense Problem
  5. Explainable MAS Defense
  6. Methodology
  7. Bi-Level Agent Encoder
  8. Bi-Level Node Attribute Construction
  9. Bi-Level Graph Encoding
  10. Explainable Malicious Agent Detector
  11. Theme-based Anomaly Detector
  12. Bi-Level Anomaly Score Fusion and Explanation
  13. Contrastive Learning for Model Training
  14. Experimental Results
  15. Experimental Setups
  16. ...and 17 more sections

Figures (5)

  • Figure 1: Concept maps of different GAD-based MAS defense methods.
  • Figure 2: Overall framework of XG-Guard. XG-Guard defends multi-agent systems (MAS) by integrating a bi-level agent encoder with a prototype-based anomaly detector.
  • Figure 3: ASR@3 with DeepSeek-V3 and Qwen3-30B-A3B as backbone LLMs on CSQA and PoisonRAG.
  • Figure 4: The overall performance of MAS with gpt-4o-mini on MA-CSQA after each turn of dialogue.
  • Figure 5: Case studies of the explanation results generated by XG-Guard.