Table of Contents
Fetching ...

INFA-Guard: Mitigating Malicious Propagation via Infection-Aware Safeguarding in LLM-Based Multi-Agent Systems

Yijin Zhou, Xiaoya Lu, Dongrui Liu, Junchi Yan, Jing Shao

TL;DR

This work tackles the contagion risk in LLM-based MAS where malicious influence virally propagates through inter-agent communication. It introduces INFA-Guard, an infection-aware defense that explicitly separates attack agents $\mathcal{V}_{\text{atk}}$ from infected agents $\mathcal{V}_{\text{inf}}$ within the agent set $\mathcal{V}$, and combines infection-aware detection with topology-constrained remediation. The detection leverages time-evolving utterance graphs $\mathcal{M}^{(k)}$, turn-specific GNN branches, and dual heads to predict $\mathbf{P}_{i,\text{atk}}$ and $\mathbf{P}_{i,\text{inf}}$, while remediation replaces attackers and rehabilitates infected agents to preserve topology. Experiments across PI, TA, and MA tasks show state-of-the-art ASR reductions and robust generalization across backbones and topologies, with modest token-cost overhead, enabling safer and scalable MAS deployment in real-world AI ecosystems.

Abstract

The rapid advancement of Large Language Model (LLM)-based Multi-Agent Systems (MAS) has introduced significant security vulnerabilities, where malicious influence can propagate virally through inter-agent communication. Conventional safeguards often rely on a binary paradigm that strictly distinguishes between benign and attack agents, failing to account for infected agents i.e., benign entities converted by attack agents. In this paper, we propose Infection-Aware Guard, INFA-Guard, a novel defense framework that explicitly identifies and addresses infected agents as a distinct threat category. By leveraging infection-aware detection and topological constraints, INFA-Guard accurately localizes attack sources and infected ranges. During remediation, INFA-Guard replaces attackers and rehabilitates infected ones, avoiding malicious propagation while preserving topological integrity. Extensive experiments demonstrate that INFA-Guard achieves state-of-the-art performance, reducing the Attack Success Rate (ASR) by an average of 33%, while exhibiting cross-model robustness, superior topological generalization, and high cost-effectiveness.

INFA-Guard: Mitigating Malicious Propagation via Infection-Aware Safeguarding in LLM-Based Multi-Agent Systems

TL;DR

This work tackles the contagion risk in LLM-based MAS where malicious influence virally propagates through inter-agent communication. It introduces INFA-Guard, an infection-aware defense that explicitly separates attack agents from infected agents within the agent set , and combines infection-aware detection with topology-constrained remediation. The detection leverages time-evolving utterance graphs , turn-specific GNN branches, and dual heads to predict and , while remediation replaces attackers and rehabilitates infected agents to preserve topology. Experiments across PI, TA, and MA tasks show state-of-the-art ASR reductions and robust generalization across backbones and topologies, with modest token-cost overhead, enabling safer and scalable MAS deployment in real-world AI ecosystems.

Abstract

The rapid advancement of Large Language Model (LLM)-based Multi-Agent Systems (MAS) has introduced significant security vulnerabilities, where malicious influence can propagate virally through inter-agent communication. Conventional safeguards often rely on a binary paradigm that strictly distinguishes between benign and attack agents, failing to account for infected agents i.e., benign entities converted by attack agents. In this paper, we propose Infection-Aware Guard, INFA-Guard, a novel defense framework that explicitly identifies and addresses infected agents as a distinct threat category. By leveraging infection-aware detection and topological constraints, INFA-Guard accurately localizes attack sources and infected ranges. During remediation, INFA-Guard replaces attackers and rehabilitates infected ones, avoiding malicious propagation while preserving topological integrity. Extensive experiments demonstrate that INFA-Guard achieves state-of-the-art performance, reducing the Attack Success Rate (ASR) by an average of 33%, while exhibiting cross-model robustness, superior topological generalization, and high cost-effectiveness.
Paper Structure (44 sections, 13 equations, 9 figures, 8 tables)

This paper contains 44 sections, 13 equations, 9 figures, 8 tables.

Figures (9)

  • Figure 1: The paradigm comparison between existing MAS safeguards and our infection-aware safeguard.
  • Figure 2: Infected agents significantly increase security risks in MAS. Legends , , represent no defense, defending attack agents, and defending attack and infected agents, respectively.
  • Figure 3: An overview of our proposed method INFA-Guard.
  • Figure 4: Task-level systematic performance of MAS across successive dialogue iterations. AgentXposed-G and -K represent AgentXposed-Guide and -Kick.
  • Figure 5: Mean and standard deviation of ASR@3 and MDSR@3 across chain, tree, and star topologies. AgentXposed-G and -K represent AgentXposed-Guide and -Kick.
  • ...and 4 more figures

Theorems & Definitions (4)

  • Definition 3.1
  • Remark A.1
  • proof
  • proof