INFA-Guard: Mitigating Malicious Propagation via Infection-Aware Safeguarding in LLM-Based Multi-Agent Systems
Yijin Zhou, Xiaoya Lu, Dongrui Liu, Junchi Yan, Jing Shao
TL;DR
This work tackles the contagion risk in LLM-based MAS where malicious influence virally propagates through inter-agent communication. It introduces INFA-Guard, an infection-aware defense that explicitly separates attack agents $\mathcal{V}_{\text{atk}}$ from infected agents $\mathcal{V}_{\text{inf}}$ within the agent set $\mathcal{V}$, and combines infection-aware detection with topology-constrained remediation. The detection leverages time-evolving utterance graphs $\mathcal{M}^{(k)}$, turn-specific GNN branches, and dual heads to predict $\mathbf{P}_{i,\text{atk}}$ and $\mathbf{P}_{i,\text{inf}}$, while remediation replaces attackers and rehabilitates infected agents to preserve topology. Experiments across PI, TA, and MA tasks show state-of-the-art ASR reductions and robust generalization across backbones and topologies, with modest token-cost overhead, enabling safer and scalable MAS deployment in real-world AI ecosystems.
Abstract
The rapid advancement of Large Language Model (LLM)-based Multi-Agent Systems (MAS) has introduced significant security vulnerabilities, where malicious influence can propagate virally through inter-agent communication. Conventional safeguards often rely on a binary paradigm that strictly distinguishes between benign and attack agents, failing to account for infected agents i.e., benign entities converted by attack agents. In this paper, we propose Infection-Aware Guard, INFA-Guard, a novel defense framework that explicitly identifies and addresses infected agents as a distinct threat category. By leveraging infection-aware detection and topological constraints, INFA-Guard accurately localizes attack sources and infected ranges. During remediation, INFA-Guard replaces attackers and rehabilitates infected ones, avoiding malicious propagation while preserving topological integrity. Extensive experiments demonstrate that INFA-Guard achieves state-of-the-art performance, reducing the Attack Success Rate (ASR) by an average of 33%, while exhibiting cross-model robustness, superior topological generalization, and high cost-effectiveness.
